92.001: Privacy protection policy
Approved
July 25, 2024
Joshua Gonzalez | Chief Privacy Officer
John Day | Interim Chief Financial Officer and Vice President of Finance and Administration
Lori Stewart Gonzalez | President
Overview
Ohio university ("we"/ "us" / "our") requires compliance with the privacy standards set forth in all applicable laws and regulations.
Philosophy
Ohio university is committed to protecting the personal data of faculty, staff, applicants, students, alumni, donors, research participants, patients, community members, and other individuals whose data we manage. By recognizing the right to privacy in all aspects of our operations, we cultivate a culture of transparency and accountability, which are essential values for sustaining the trust of our academic community.
Definitions
- Anonymization - the process in which elements of individually identifiable data are removed in such a way that the data no longer can be traced back to a given data subject.
- Confidentiality - preserving authorized restrictions to access or disclosure of information for protecting privacy and proprietary information.
- Data subject(s) - is the individual or group of individuals to whom the personal data relates to.
- Personal Data - any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly, or indirectly, with a particular data subject.
- Privacy - is the ability of a data subject or group to have autonomy over their personal information and to keep it confidential. Privacy concepts include:
- Information privacy
- Bodily privacy
- Territorial privacy
- Communication privacy
This policy applies to information privacy, the collection, use, storage, and disclosure of personal data. The other concepts of privacy are listed for context only. Definitions of these privacy concepts can be found in the glossary of privacy terms, which is linked in the references section of this policy.
- Pseudonymization - is the method of masking personal data so it cannot be linked to specific individuals. Additional information, such as secure and separate key, allows the data to be reattributed to an individual.
Scope
- The following are accountable under this policy:
- Staff
- Faculty
- Researchers
- Vendors/Contractors
- Students
- Any individual or entity that processes, or has access to, personal data on behalf of Ohio university
- This policy covers all written, spoken, and electronic personal data held, used, or transmitted by or on behalf of Ohio university, in any media, including computer systems, handheld devices, phones, paper records, or oral transmission of personal data.
- The following are accountable under this policy:
Principles
Ohio university requires covered individuals and entities who handle personal data on the university's behalf to adhere to the following set of principles:
- Respect and dignity - We respect the interest of the individuals in their personal data; the freedom of individuals to express themselves and to conduct research; and the need to protect the privacy of individuals, the academic freedom of the university, and the public interest through a fair, unified, and comprehensive privacy program.
- Transparency - except when prohibited by law and to the best of our knowledge, we are committed to being open and clear about our collection, use, disclosure, and maintenance of personal information through privacy statements, notice of privacy practices, informed consents, and other similar information as appropriate.
- Purpose specification and use limitation - personal data must only be collected, used, stored, and disclosed for specific lawful purposes such as:
- To carry out legitimate business and operational purposes of the university
- To comply with legal obligations
- To protect the public interest
- For research purposes
For archival purposes
Verifiable individual consent, where required by law, shall be obtained prior to collection of such data.
When processing personal data for a specific purpose, state, federal, and institutionally required safeguards shall be applied to protect the privacy of data subjects.
Data minimization and anonymization - data minimization must be prioritized by collecting only the necessary amount of personal data to accomplish a specified purpose(s), such as those listed in paragraph (E)(3)of this policy.
To promote efficiency and minimize unnecessary data collection or data subject fatigue, we may repurpose personal data in a manner that aligns with the principles outlined in this policy. Whenever possible, personal data must be anonymized, pseudonymized, masked, or otherwise modified to effectively reduce the risk to data subjects.
- Data quality - To the extent required by law, reasonable steps shall be taken to optimize the accuracy of data addressed in this policy, including providing data subjects (ex. students) with the opportunity to review and correct their information.
- Disclosure limitation - personal data must only be accessed and disclosed in a manner that represents the minimum necessary to complete the specified purpose.
- Security - Personal data must be collected, used, stored, and transmitted in a secure manner and consistent with applicable privacy and data security laws and regulations. This means that steps must be taken to protect personal data from unauthorized access, unlawful use, and accidental loss. For more information on data protection, please see the office of information technology (OIT) protect university data website, which is listed in the references section of this policy.
- Retention limitation - Personal data must only be retained for as long as it is necessary for the purpose for which it was collected and to comply with university retention policies, guidance, or legal requirements. Personal data may be kept for longer periods for archiving, research, statistical purposes, or as permitted by law.
- Accountability - We are responsible for how personal data is collected, used, stored, and disclosed. We must commit to having appropriate safeguards and records (ex. training and OIT vetted vendors) in place to demonstrate our compliance with the other principles of privacy protection.
Questions
For questions about this policy or privacy in general, please contact the chief privacy officer within the office of audit, risk, and compliance at privacy@ohio.edu.
Reporting violations of this policy
Reports of privacy concerns or problems are taken seriously at Ohio university. While initial reporting through standard channels, including department leadership, is strongly encouraged, violations of this policy may be reported in good faith using Ohio university's hotline, ethicspoint, which is operated by a third party. Reports may be submitted anonymously.
Violations of this policy will be addressed through the appropriate university disciplinary process based on an individual's classification. Disciplinary action may vary, up to and including termination of employment.
Reviewers:
Proposed revisions of this policy should be reviewed by:
- Vice President for Enrollment Management
- Chief Information Officer
- Chief Human Resources Officer
- Chief Medical Officer
- University Registrar
- Director of Research Compliance
- Administrative Senate
- Director of University Compliance
- Chief Audit Executive
- Faculty Senate
- Dean of Students
- Deans Council