On This Page:
This is a DRAFT policy currently being vetted with the Amherst Campus.
August 13, 2018
The privacy of individual information, whether financial, health, demographic, or otherwise identifiable is a value to which the University of Massachusetts Amherst adheres. The purpose of this policy is to affirm the University of Massachusetts Amherst commitment to protect the privacy of its community, and others who have entrusted their data to its care. The policy informs the University of Massachusetts Amherst community of its obligations around the privacy of personally identifiable information (PII), including their obligation to comply with all existing laws and institutional policies regarding the privacy of data. This policy is structured in alignment with the Privacy Controls as identified in the National Institute of Standards and Technology’s Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
By approval of UMass Amherst’s Chancellor, this policy exists in conjunction with all other institutional policy.
Maintaining the privacy of information is the responsibility of every user of institutional information, research data, and information technology resources. All users who create, access, manage, or manipulate institutional information, research data, or information technology resources must comply with this policy’s administrative, technical, and physical safeguards.
Units which access, manage, or manipulate institutional information or research data must have policies, standards, guidelines, and procedures which adequately protect the privacy of individuals’ PII.
The Institutional Privacy Committee (IPC), in conjunction with the Office of Compliance, Data Stewards, and University Counsel, will develop and maintain a campus privacy program.
This policy applies to every user (including, but not limited to, all faculty, students, staff, contractors, visiting researchers, or guests and volunteers) who accesses, manages, or manipulates institutional information, research data, or information technology resources.
Authority and Purpose
- Units which collect information shall document both the authority upon which they are collecting the data, and the purpose(s) for which the data is being collected.
Accountability, Audit, and Risk Management
- The Institutional Privacy Committee (IPC), in conjunction with the Office of Compliance, Data Stewards, and University Counsel, will develop and maintain a campus privacy program, with a review of the program occurring no less frequently than once every two years.
- The IPC will develop and promulgate a privacy risk process, including Privacy Impact Assessment templates, for units to follow.
- University Procurement will develop privacy requirements for contracts that cover private data
- The unit, in conjunction with the IPC and Data Stewards, will monitor and audit privacy controls with appropriate frequency to determine effectiveness.
- The campus will strive to make available general privacy training for units to leverage. The unit will ensure that this general training and any specific training is administered for personnel who have responsibility for PII.
- The overall efforts of the privacy program will be reported to the Campus Leadership Committee by the IPC and Compliance Office on an annual basis, or as needed.
- Systems which contain PII must be designed to support privacy by striving to automate privacy controls.
- Each unit will keep record of any unauthorized disclosures of PII, and work with the Compliance office to ensure that all necessary notifications are fulfilled.
Data Quality and Integrity
- Each unit will put processes in place that ensure the PII they create or collect is accurate, relevant, timely and complete.
- To the extent possible, units are to ensure that the data maintains its accuracy, relevance, timeliness, and completeness.
Data Minimization and Retention
- Individuals and units should identify, and only collect/maintain the data they need to offer services they are providing.
- Units will maintain data according to a records retention schedule that complies with University Policy and law.
- Records no longer required will be disposed of/destroyed in a manner that preserves the privacy of any PII contained in the record.
- Any testing, training, and research will minimize PII to only that which is necessary.
Individual Participation and Redress
- Where feasible and appropriate, units will provide for individuals to authorize the collection, maintaining and sharing of PII. If the data is required for legal or contractual obligations, the requirement must be documented.
- Individuals should be allowed to have their data expunged, unless retention is required by law or contract.
- Units will strive to provide individuals a mechanism to view and correct their PII.
- Units will provide a process for receiving and responding to complaints, concerns, or questions regarding their privacy practices.
- The unit shall maintain and update an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
- The campus shall develop a privacy incident response plan. Units will implement the plan within their area and tie in to the larger campus plan.
- The IPC will develop a privacy notice for the campus that:
- Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
- Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
- Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.
- If a unit’s practices deviate from the campus notice, a separate privacy notice should be developed that covers the above topics, subject to review by the Data Stewards and the IPC.
- The unit is to use PII internally only for the authorized purposes, and for those uses identified in its notices, or as otherwise allowed by law and institutional policy.
- The unit will limit PII provided externally, including to other UMass units, only for authorized use through:
- Limiting the information shared with third parties
- Entering into a contractual agreement, such as a memorandum of understanding, or a contract for service that identifies the authorized uses of data, and what data is allowed to be used, requirements for destruction or return of the PII, and notice requirements in the case of breach.
- Monitoring, auditing and training its staff on the issues related to sharing PII with third parties
- Evaluating proposed new sharing of PII and whether a new public notice would be required.
Personally Identifiable Information (PII): PII varies from regulation to regulation. For UMass Amherst, it is any information that can be reasonably used to determine the identity of an individual, along with information associated with that individual that they may wish to exercise control in the release of the information. Data Stewards may add additional specifications, including such items as health identifiers or financial identifiers.
Unauthorized Disclosure: The release of information to individuals or systems in a manner that violates one or more individual’s rights under law, contract, or policy.
Unit: This refers to a department, center, division, college, school, or other identifiable collection of people or services that would be identified as doing business either for, or in association with UMass.
- Confidentiality of Institutional Information Technology Resources Policy https://www.umass.edu/it/security/conf-policy
- Acceptable Use of Information Technology Resources Policy https://www.umass.edu/it/security/acceptable-use-policy
- Records Retention and Disposition Schedules https://www.umass.edu/records/record-retention-and-disposition-schedules
- UMass Amherst Information Security Policy
- Family Educational Rights and Privacy Act (FERPA) https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- Health Insurance Portability and Accountability Act (HIPAA) https://www.hhs.gov/hipaa/index.html
- General Data Protection Regulation (GDPR) https://ec.europa.eu/info/law/law-topic/data-protection_en
- Data Breach Law of Massachusetts https://www.mass.gov/service-details/requirements-for-data-breach-notifications