Information Privacy Policy

Catalog Number
IT
002
Scope

This policy applies to every user (including, but not limited to, all faculty, students, staff, contractors, visiting researchers, or guests and volunteers) who accesses, manages, or manipulates institutional information, research data, or information technology resources. 

Purpose

The privacy of individual information, whether financial, health, demographic, or otherwise identifiable, is a value to which the University of Massachusetts Amherst adheres. The purpose of this policy is to affirm the University of Massachusetts Amherst's commitment to protect the privacy of its community and of others who have entrusted their data to its care. The policy informs the University of Massachusetts Amherst community of its obligations around the privacy of personally identifiable information (PII), including its obligation to comply with all existing laws and institutional policies regarding the privacy of data. This policy is structured in alignment with the Privacy Controls as identified in the National Institute of Standards and Technology’s Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

Definitions
  • Personally Identifiable Information (PII): PII varies from regulation to regulation. For UMass Amherst, it is any information that can be reasonably used to determine the identity of an individual, along with information associated with that individual whose release they may wish to control. Data Stewards may add additional specifications, including such items as health identifiers or financial identifiers.
  • Unauthorized Disclosure: The release of information to individuals or systems in a manner that violates one or more individuals’ rights under law, contract, or policy.
  • Unit: This refers to a department, center, division, college, school, or other identifiable collection of people or services that would be identified as doing business either for, or in association with, UMass.
Policy

Maintaining the privacy of information is the responsibility of every user of institutional information, research data, and information technology resources.  All users who create, access, manage, or manipulate institutional information, research data, or information technology resources must comply with this policy’s administrative, technical, and physical safeguards. 

Units which access, manage, or manipulate institutional information or research data must have policies, standards, guidelines, and procedures which adequately protect the privacy of individuals’ PII. 

The Institutional Privacy Committee (IPC), in conjunction with the Office of Compliance, Data Stewards, and University Counsel, will develop and maintain a campus privacy program. 

Policy Manager
Matthew Dalton, Chief Information Security Officer
Contacts
Matthew Dalton, Chief Information Security Officer
Chris Misra, Vice Chancellor for IT
Approval Authority
Vice Chancellor and Chief Information Officer
Executive Unit
Information Technology