1.0 Overview
The University of Georgia is committed to the responsible use of sensitive information collected from and about its students, faculty, staff, business partners and others who provide such information to the university. This commitment is in accordance with both state and federal regulations concerning the use of sensitive information. Such sensitive information includes information that could be used to cause financial harm or reputational harm to any individual. This policy applies to personally identifiable sensitive information and how it is collected.
2.0 Objective / Purpose
The purpose of this policy is to protect the privacy of individuals who have sensitive information stored (either in electronic or paper form) on assets owned by The University of Georgia, while at the same time providing the University the ability to share this information with authorized entities as required by policy or law.
3.0 Scope
The UGA Privacy Policy applies to all faculty, staff, students, affiliates, prospective students, contractors and sub-contractors who interact with UGA systems and processes, electronic or otherwise. This policy is not intended to replace or supersede other existing University policies and procedures relating to the use or maintenance of sensitive information such as those related to FERPA compliance, GLBA compliance, or human subjects research.
4.0 Policy
4.1 Limits on Use and Access
The responsible use of sensitive information requires that the University respect individual privacy, protect against identity theft and other unauthorized uses, and comply fully with all laws and government regulations in the collection, use, storage, display, distribution and disposal of such information. Authorized uses of sensitive information within the University are limited to uses which a) are necessary to meet legal and regulatory requirements; b) facilitate access to services, transactions, facilities and information; or c) support efficient academic and administrative processes.
Access to sensitive information is limited to:
- the individual whose information is produced or displayed;
- a University official or agent of the University with authorized access based upon a legitimate academic or business interest and a need to know;
- an organization or person authorized by the individual to receive the information;
- a legally authorized government entity or representative;
- other circumstances in which the University is legally compelled to provide access to information, such as the Georgia Open Records Act;
- or other individuals or entities, as allowed by law, for purposes judged to be appropriate or necessary for the reasonable conduct of University business.
4.2 Social Security Numbers
Social Security numbers are always considered confidential and are therefore subject to the access restrictions described above. The University will continue to collect and maintain Social Security numbers in all instances in which that number is required by law for reporting or other uses. This includes, but is not limited to, all enrolled students who are U.S. citizens or permanent residents. In addition, the University will continue to use Social Security numbers, as allowed by law, for operational purposes for which there is no reasonable substitute.
The University, its faculty, staff, and students must abide by all state legal regulations pertaining to Social Security Number protection.
It is against both state law and University policy to:
- Publicly post or display the Social Security number in any manner;
- Require an individual to transmit his or her Social Security number over the Internet unless the connection is secure or the number is encrypted; or
- Require an individual to use his or her Social Security number to access an Internet site unless a unique password or PIN is also required.
This Privacy Policy also prohibits the following:
- Printing the Social Security number on any card required to access services; or
- Establishing a new process that requires the printing of a Social Security number on any materials that are mailed unless required by another state or federal agency.
4.3 Online Collection of Sensitive Information
University departments that collect sensitive information on their Web pages must post a link to the UGA Privacy Policy and inform consumers about any persons or entities outside the University with whom they may share sensitive information collected online. If there is a process for the consumer to change such information, that process must be described and available to the consumer on the department Web pages. Any changes to this privacy policy will be posted on the Web site.
5.0 Enforcement and Implementation
5.1 Roles and Responsibilities
Each University department/unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance with this policy.
The Office of Chief Information Officer is responsible for enforcing this standard.
5.2 Consequences and Sanctions
Violation of this policy may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.