This policy applies to every user (including, but not limited to, all faculty, students, staff, contractors, visiting researchers, or guests and volunteers) who accesses, manages, or manipulates institutional information, research data, or information technology resources.
The privacy of individual information, whether financial, health, demographic, or otherwise identifiable, is a value to which the University of Massachusetts Amherst adheres. The purpose of this policy is to affirm the University of Massachusetts Amherst’s commitment to protect the privacy of its community and of others who have entrusted their data to its care. The policy informs the University of Massachusetts Amherst community of its obligations around the privacy of personally identifiable information (PII), including the obligation to comply with all existing laws and institutional policies regarding the privacy of data. This policy is structured in alignment with the Privacy Controls as identified in the National Institute of Standards and Technology’s Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
- Personally Identifiable Information (PII): The definition of PII varies from regulation to regulation. For UMass Amherst, it is any information that can reasonably be used to determine the identity of an individual, along with information associated with that individual whose release they may wish to control. Data Stewards may add additional specifications, including such items as health identifiers or financial identifiers.
- Unauthorized Disclosure: The release of information to individuals or systems in a manner that violates the rights of one or more individuals under law, contract, or policy.
- Unit: A department, center, division, college, school, or other identifiable collection of people or services that would be identified as doing business either for, or in association with, UMass.
Maintaining the privacy of information is the responsibility of every user of institutional information, research data, and information technology resources. All users who create, access, manage, or manipulate institutional information, research data, or information technology resources must comply with this policy’s administrative, technical, and physical safeguards.
Units which access, manage, or manipulate institutional information or research data must have policies, standards, guidelines, and procedures which adequately protect the privacy of individuals’ PII.
The Institutional Privacy Committee (IPC), in conjunction with the Office of Compliance, Data Stewards, and University Counsel, will develop and maintain a campus privacy program.