Policy Number: X-15.00(A)
(Approved by the President )
The University of Maryland, College Park (“University”) values and embraces the ideals of freedom of inquiry, freedom of thought, and freedom of expression, all of which must be sustained in a community of scholars. The University encourages, supports, and protects freedom of expression, an open environment to pursue scholarly inquiry, and the open exchange of ideas and information. These values lie at the heart of our academic community.
The University must balance free expression with the institutional obligations of each member of the campus community to collect and use Personally Identifiable Information (“PII”) responsibly, ethically, transparently, and in a manner that both accords with the law and respects the rights of individuals. The University depends on a shared spirit of mutual respect and cooperation in order to create and maintain a culture of respect, equity, transparency, and responsibility.
Similarly, the University must balance the pursuit of its academic, research, and service missions and its legal, administrative, research, and academic responsibilities with its obligation to collect and use PII responsibly, ethically, transparently, and in a manner that both accords with the law and respects the rights of individuals.
In order to uphold these values, this Policy has been established as a framework for compliance, responsibility, and accountability as it relates to an individual’s Privacy Rights, with regard to the collection, use, and protection of PII.
A. “Personally Identifiable Information” means information that is created, received, processed, stored, or transmitted by or on behalf of the University that, alone or in combination with other information, enables the identification of an individual. PII includes but is not limited to a person’s:
- Full name, including legal name and/or preferred name;
- Social Security Number;
- Driver’s License or other State Identification Number;
- Passport Number;
- Biometric information including physiological, biological, or behavioral characteristics, including an individual’s DNA, that can be used alone or in combination with other identifying data to establish an individual’s identity;
- Geolocation Data;
- Internet or network activity, including browsing history, search history, and information regarding an identifiable individual’s interaction with an internet website, application, or advertisement;
- Financial account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s account; and
- Identifiable health information, including disability status, related to the past, present, or future physical or mental health or condition of an individual.
B. “Privacy Rights” includes, but is not limited to, an individual's right to control the use and collection of their Personally Identifiable Information.
C. “Unit Head” means the administrator(s) responsible for a Unit.
A. This Policy applies to all Personally Identifiable Information (PII), regardless of the relationship an individual may have with the University, including but not limited to current, past, and prospective students, parents, employees, and human research data subjects.
B. This Policy applies regardless of the origin of the PII, including but not limited to existing UMD data sets, new UMD-collected data, and data sets received from or created by third parties.
C. This Policy applies to all members of the University community, visitors to the University, and users of University information systems with access to PII, including but not limited to students, faculty, staff, Unit Heads, and third-parties. All members of the university community who have access to PII must adhere to this policy and related standards and guidelines.
D. This Policy also applies to all locations and operations of the University including but not limited to applications, projects, systems, or services that seek to access, collect, or otherwise use PII.
The following principles will guide the University and its units when making decisions on the collection or use of PII that may impact an individual’s Privacy Rights. These principles provide a framework based upon respect, equity, transparency, responsibility, and limitations. It is the University’s intent to use proportionate and effective measures to ensure that the University and the campus community will protect and respect an individual’s Privacy Rights within the framework and limitations of applicable law and applicable policies.
- RESPECT: The collection, use, and storage of PII will be balanced with the interests of impacted individuals. Privacy risks, including an individual’s rights, dignity, and expectation of privacy, must be considered prior to such collection, use, or storage.
- EQUITY: The educational and work environment should be one rich in diversity, inclusive, and supportive of all members of the campus community. Collection and use of PII will be consistent with the furtherance of these values.
- TRANSPARENCY: Information regarding the collection, use, and storage of PII will be made available to individuals upon request. Individuals will have the ability to discover the purpose for which their data is used.
- RESPONSIBILITY: The collection, use, and storage of PII involves risk, including but not limited to risks related to the appropriate collection of data, use of data, security of data, sharing of data, and data ownership. University activities must be proactively reviewed to ensure that such risks are understood and mitigated.
- LIMITATION: PII that is collected, stored, and used will be limited to information that is relevant to accomplish clearly defined outcomes that support the University’s mission. (e.g., legitimate educational, research, public service, or administrative purposes). PII will be securely deleted when no longer needed, subject to the University’s Records Retention Schedule (https://purchase.umd.edu/administrative-services/records-retention/umd-records-retention-schedule).
B. Expectation of Privacy
- The University recognizes a reasonable expectation of privacy in the data of its employees, affiliates, and students, in the interest of promoting academic freedom and an open, collegial atmosphere. This expectation of privacy is subject to applicable state and federal laws in addition to University policies and regulations, including the Principles set forth in this Policy, the University’s Policy on Acceptable Use of Information Technology Resources, and all associated standards and guidelines.
- Some PII may be subject to disclosure under the Maryland Public Information Act.
- The University Reserves the right to access and use PII in its sole discretion to investigate actual or suspected instances of misconduct or risk to the University, students, faculty, staff, and third parties, subject to applicable law, University policy, and associated standards and guidelines.
C. Regulatory Obligations and Interpretations
- As referenced above, the University must comply with Federal, State, and/or local laws and regulations related to privacy. This Policy and its associated Standards and Guidelines establish a framework for the University’s compliance with privacy-related regulations. This framework governs the University’s implementation of regulation-specific policies and standards, to address the collection and use of PII in compliance with structures including, but not limited to the Health Information Portability & Accountability Act (HIPAA), Gramm- Leach-Bliley Act (GLBA), Family Educational Rights and Privacy Act (FERPA), General Data Protection Regulation (GDPR), and Maryland’s Protection of Personally Identifiable Information by Public Institutions of Higher Education law.
A. This Policy, the associated Privacy Standards and Guidelines, and the implementation of those instruments are overseen by the University’s Chief Data Privacy Officer (firstname.lastname@example.org).
C. Standards and Guidelines
- This Policy is supplemented by Privacy Standards and Guidelines that are developed in coordination with appropriate stakeholders and the University IT Council and maintained by the Chief Data Privacy Officer. These Standards and Guidelines address the operationalization of the privacy Principles identified in Section IV.A, including but not limited to access to specified data types, vendor engagement, incident response, and the exceptions process.
- The Vice President for Information Technology & Chief Information Officer (VPIT & CIO) or designee may issue, amend, or rescind such Privacy Standards and Guidelines as required to comply with legal obligations and University policy.
- Where a legitimate need has been demonstrated, such as a novel use of an existing data set for health and safety purposes, the VPIT & CIO or designee, in consultation with appropriate stakeholders, may grant exceptions to this Policy and its Standards and Guidelines.
- When considering requests for exceptions, the VPIT & CIO or designee, in consultation with appropriate University stakeholders, will evaluate the documented purpose for the exception and the privacy risks to the individuals affected.
- Subject to the University’s legal obligations or circumstances that necessitate immediate access, the University may provide advance notification to an individual prior to the use of the individual’s PII pursuant to an exception request. In certain instances, individuals may be unavailable to receive such advance notification, or such notification may not be reasonably practicable. In such cases use may occur without notification, consistent with applicable law.
VI. Policy Violations
A. Suspected violations of this Policy will undergo a standard University review in accordance with relevant University policies to determine responsibility.
B. University employees or students who are found responsible for violating this Policy and/or the associated Privacy Standards and Guidelines may be subject to disciplinary action in accordance with relevant University policies. Furthermore, certain violations may result in civil penalties and/or criminal prosecution.
C. Unit Heads who are found responsible for knowingly or intentionally violating this Policy and/or the associated Privacy Standards and Guidelines, where such violations lead to, or are responsible for, a reportable security incident or other penalties imposed by government regulators or agencies, may obligate the responsible unit to cover a portion or all of the University remediation costs and/or externally imposed penalties associated with the violation.