In keeping with state and federal
legislation, the University safeguards the privacy of patients,
students, employees, University business, and other matters by
protecting electronic records classified as confidential information.
Unauthorized accessing and/or disclosure of confidential information by
University employees is prohibited and may result in legal penalties.
This policy applies to records maintained in any type of electronic
record: computer, voice, or video. It also applies to records created
via the Georgetown University website.
Electronic Records: Electronic transmissions or
messages created, sent, forwarded, replied to, transmitted,
distributed, broadcast, stored, held, copied, downloaded, displayed,
viewed, read, or printed by one or several electronic systems or
services. This definition of electronic records applies equally to the
contents of such records, attachments to such records, and
transactional information associated with such records.
University Administrative Record: A University Record (see definition below) that is directly related to the conduct of the University's administrative business.
University Record: By law, University records are
any papers, books, photographs, tapes, films, recordings, or other
documentary materials, or any copies thereof, regardless of physical
form or characteristics, made, produced, executed, or received by any
department or office of the University or by any academic or
administrative staff member in connection with the transaction of
University business, and retained by that agency or its successor as
evidence of its activities or functions because of the information
University Electronic Record: A University Record
in the form of an electronic record, whether or not any of the
electronic communications resources utilized to create, send, forward,
reply to, transmit, store, hold, copy, download, display, view, read,
or print the electronic communications record are owned by the
University. This implies that the location of the record, or the
location of its creation or use, does not change its nature as a
University electronic record for purposes of this or other University
Until determined otherwise or unless it is clear from the context,
any electronic record residing on university-owned or controlled
telecommunications, video, audio, and computing facilities will be
deemed to be a University electronic record for purposes of this Policy.
Notification Users should be notified that
information is being collected and they should be informed of their
rights. (e.g., all Web pages that collect personally identifiable
information should include a privacy notice that specifies how the
information will be used.)
Minimization The institution should gather as
little information as possible for legitimate purposes and delete
information when it is no longer needed or no longer required by law to
be retained. (e.g., library records need not be kept for more than a
certain limited period of time.)
Secondary Use Information should be used only for
the purposes for which it was collected unless the individual gives
additional consent. (e.g., a department should not share information
with an administrative office for a separate purpose without the
individual's knowledge and consent.)
Nondisclosure and Consent Information should not be released to third parties external to the University without consent. (e.g., vendors, business, etc.)
Need to Know Only those with legitimate, official
needs should have access to information. (e.g., a person's position of
authority in the University does not necessarily mean that they should
be able to access information.)
Data Accuracy, Inspection, and Review Information
must be accurate, and individuals should have the right to examine
information about themselves and request changes. (e.g., employees
should be able to review their records and make changes or follow a
standard process for any information that is disputed.)
Information Security, Integrity, and Accountability
Information should be secure and not vulnerable to unauthorized
modification, and the handling of the data must be subject to
accountability. (e.g., it should always be known who has access to
information and changes to information should be documented.)
Education The University has the responsibility to
educate its constituents concerning privacy rights and the proper
handling of information. (e.g., all constituents should know whom to
consult about these matters and all employees should understand their
responsibilities for abiding by policies for information handling.)
The Data Stewards in consultation with the Office of University
Counsel determine the confidentiality of the data. Data Stewards are
representatives of the University who are assigned responsibility to
serve as a steward of University data in a particular area. They are
responsible for developing procedures for creating, maintaining, and
using University data, based on University policy and applicable state
and federal laws.
The classification Confidential Information covers sensitive
information about individuals, including information identified in the
Human Resources Manual, and sensitive information about the University.
Information receiving this classification requires a high level of
protection against unauthorized disclosure, modification, destruction,
and use. Specific categories of confidential information include
- Current and former students (protected under the Family
Educational Rights and Privacy Act (FERPA) of 1974), including student
academic, disciplinary, and financial records and student works such as
homework, term papers, and exams; and prospective students, including
information submitted by student applicants to the University.
Center patients (protected under the Health Insurance Portability and
Accountability Act (HIPAA of 1996), Law Center clients, library
patrons, and donors and potential donors.
- Current, former,
and prospective employees, including employment, pay, health, and
insurance data, and other personnel information.
including information related to a forthcoming or pending patent
application (patents must be filed within a year of publication), and
information related to human subjects.
- Certain University business operations, finances, legal matters, or other operations of a particularly sensitive nature.
- Information security data, including passwords.
Determining authorizations. Only those with
legitimate, official need have the access to these classified
electronic records. Data Stewards determine who is authorized to have
access to their information. They should make sure that those with
access have a need to know the information and know the security
requirements for that information. For Confidential Information, they
should also make sure that those given access have a need to know and
have signed a confidentiality agreement that covers the information.