92.001: Privacy Protection Policy

Status:

Approved

Effective:

July 25, 2024

Initiated by:

Joshua Gonzalez | Chief Privacy Officer 

Endorsed by:

John Day | Interim Chief Financial Officer and Vice President of Finance and Administration 

Approved by:

Lori Stewart Gonzalez | President 

Signatures and dates on archival copy

  1. Overview

    Ohio university ("we"/ "us" / "our") requires compliance with the privacy standards set forth in all applicable laws and regulations. 

  2. Philosophy 

    Ohio university is committed to protecting the personal data of faculty, staff, applicants, students, alumni, donors, research participants, patients, community members, and other individuals whose data we manage. By recognizing the right to privacy in all aspects of our operations, we cultivate a culture of transparency and accountability, which are essential values for sustaining the trust of our academic community.

  3. Definitions

    1. Anonymization - the process in which elements of individually identifiable data are removed in such a way that the data no longer can be traced back to a given data subject. 
    2. Confidentiality - preserving authorized restrictions to access or disclosure of information for protecting privacy and proprietary information. 
    3. Transparency - except when prohibited by law and to the best of our knowledge, we are committed to being open and clear about our collection, use, disclosure, and maintenance of consents, and other similar information as appropriate. 
    4. Purpose specification and use limitation - personal data must only be collected, used, stored, and disclosed for specific lawful purposes such as:
      1. To carry out legitimate business and operational purposes of the university 
      2. To comply with legal obligations 
      3. To protect the public interest
      4. For research purposes 

      5. For archival purposes

        Verifiable individual consent, where required by law, shall be obtained prior to collection of such data.

        When processing personal data for a specific purpose, state, federal, and institutionally required safeguards shall be applied to protect the privacy of data subjects. 

    5. Data minimization and anonymization - data minimization must be prioritized by collecting only the necessary amount of personal data to accomplish a specified purpose(s), such as those listed in paragraph E.3 of this policy. 

      To promote efficiency and minimize unnecessary data collection or data subject fatigue, we may repurpose personal data in a manner that aligns with the principles outlined in this policy. Whenever possible, personal data must be anonymized, pseudonymized, masked, or otherwise modified to effectively reduce the risk to data subjects. 

    6. Data quality - to the extent required by law, reasonable steps shall be taken to optimize the accuracy of data addressed in this policy, including providing data subjects (ex. students) with the opportunity to review and correct their information. 
    7. Disclosure limitation - personal data must only be accessed and disclosed in a manner that represents the minimum necessary to complete the specified purpose. 
    8. Security - personal data must be collected, used, stored, and transmitted in a secure manner and consistent with applicable privacy and data security laws and regulations. This means that steps must be taken to protect personal data from unauthorized access, unlawful use, and accidental loss. For more information on data protection, please see the office of information technology (OIT) protect university data website, which is listed in the references section of this policy. 
    9. Retention limitation - personal data must only be retained for as long as it is necessary for the purpose for which it was collected and to comply with university retention policies, guidance, or legal requirements. Personal data may be kept for longer periods for archiving, research, statistical purposes, or as permitted by law. 
    10. Accountability - we are responsible for how personal data is collected, used, stored, and disclosed. We must commit to having appropriate safeguards and records (ex. training and OIT vetted vendors) in place to demonstrate our compliance with the other principles of privacy protection. 

  4. Questions

    For questions about this policy or privacy in general, please contact the chief privacy officer within the office of audit, risk, and compliance at privacy@ohio.edu.

  5.  Reporting violations of this policy 

    Reports of privacy concerns or problems are taken seriously at Ohio university. While initial reporting through standard channels, including department leadership, is strongly encouraged, violations of this policy may be reported in good faith using Ohio university's hotline, ethicspoint, which is operated by a third party. Reports may be submitted anonymously. 

    Violations of this policy will be addressed through the appropriate university disciplinary process based on an individual's classification. Disciplinary action may vary, up to and including termination of employment. 

Reviewers:

Proposed revisions of this policy should be reviewed by:

  • Vice President for Enrollment Management
  • Chief Information Officer
  • Chief Human Resources Officer
  • Chief Medical Officer
  • University Registrar
  • Director of Research Compliance 
  • Administrative Senate 
  • Director of University Compliance
  • Chief Audit Executive
  • Faculty Senate 
  • Dean of Students
  • Deans Council

 

Forms, References, and History

  1. Forms

     
    The following forms are specific to this policy:  

    1. Instructions and link to completing the EthicsPoint form is available online at https://www.ohio.edu/audit-risk-compliance/compliance/report-concern 

  2. References

     
    The following items are relevant to this policy:  

    1. Information on Ohio University’s information practices publicly available online at https://www.ohio.edu/privacy-statement
    1. OIT’s website with information on protecting university data is available at https://www.ohio.edu/oit/security/secure-university-data
    1. Ohio University’s Records Management and Archiving policy, linked through https://www.ohio.edu/policy/93-002
    1. A glossary of privacy terms is available online at https://iapp.org/resources/glossary/#information-privacy  
    1. A glossary of security and privacy terms are available online at https://csrc.nist.gov/glossary 

  3. History

     

    Draft versions of this policy that were circulated for review, their cover memos, their forms, and Reviewers' comments on them are available on the password-protected Review site.

    There are no prior versions of this policy.