Privacy and confidentiality
Disclosing confidential or official use only (OUO) academic, financial, or health related PII without permission is prohibited by the University's Information Security Policy (No. 1-15) and Federal laws including the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Unauthorized use of, or access to PII can violate an individual's expectation of privacy. Confidential PII must be safeguarded from unauthorized disclosure, alteration, and destruction in accordance with minimum UD protection requirements and best practices. Email, Google Apps @UDel.edu, and other cloud-based services are unsuitable for storing, processing or transmitting confidential PII unless additional protections (e.g., encryption) are used.
Safeguarding confidential high-risk PII—especially name, together with Social Security number (SSN), credit card number, or drivers license number—is especially important because these data pose a high-risk of identity theft or financial loss to individuals if improperly disclosed. Also, such disclosure may breach one or more privacy laws, requiring that affected individuals be notified.
Unless required by law, or needed to perform core departmental activities that cannot be immediately facilitated by other means, SSNs, credit card numbers, or other confidential high-risk PII must not be collected or used except where mandated by law or approved by the appropriate data owner. For example, SSNs are required for payroll and debt collection. Credit card numbers may not be processed, stored or transmitted on University networks or systems, and may not be used to collect funds unless approved by the Director of Billing and Collection.
Whenever possible, systems administered by UD Information Technologies must be used to retrieve, process, or store confidential high-risk PII. Confidential high-risk PII should not be stored on systems or storage administered by you or your unit, cloud-hosted applications, or on personally owned computers. UD IT-hosted storage service offerings that stand alone or that logically map storage to unit-administered systems are considered to be unit-administered systems.
Confidential high-risk PII should never be sent in email or other clear-text (unencrypted) messages. If you have confidential high-risk personally identifiable academic, financial, or health information on a system not administered by UD Information Technologies (i.e., in your unit, on a personally owned system, portable storage device, or cloud-hosted application), it must be encrypted. You must safeguard it from unauthorized disclosure, alteration, and destruction in accordance with the minimum UD protection requirements and best practices for confidential information. University departments must reevaluate their acquisition, use, and safeguarding of high-risk PII to conform to these guidelines at least annually.
Departments should conduct an annual review of all business processes that require the use of confidential PII. During that review, a department's employees should ask themselves questions like the following ones:
- Do we really need to collect this confidential or high-risk PII (e.g., SSNs)?
- How are we storing and safeguarding any electronic or paper records that contain high-risk PII?
- When we are done using the information, do we store it securely or discard it safely?
- What can we do to train our faculty and staff in the proper use and management of PII like SSNs, credit card numbers, and other confidential information?
- Who has access to confidential PII in our department, and do they still need the access?
In addition if you are asked to provide a SSN (either your own, another employee's, a student's, a family member's SSN), challenge the request.
For assistance or to request a consultation, contact the IT Support Center at x6000 or firstname.lastname@example.org.
Back to top
The University's Policy for Employees' Use of Electronic Communications (No.1-19) establishes the applicability of existing University policies and federal, state, and local law to electronic communications, including requirements for good electronic citizenship and expectations for privacy. Generally, the University will not make any efforts to monitor e-communications except when required by law or to investigate any policy infraction. If you haven't already, you need to become familiar with these current policies and indicate your understanding and compliance with them at Understanding of Employee Computing Responsibilities and Notice of Monitoring.
Back to top