In keeping with state and federal legislation, the University safeguards the privacy of patients, students, employees, University business, and other matters by protecting electronic records classified as confidential information. Unauthorized accessing and/or disclosure of confidential information by University employees is prohibited and may result in legal penalties. This policy applies to records maintained in any type of electronic record: computer, voice, or video. It also applies to records created via the Georgetown University website.

Definitions

Electronic Records: Electronic transmissions or messages created, sent, forwarded, replied to, transmitted, distributed, broadcast, stored, held, copied, downloaded, displayed, viewed, read, or printed by one or several electronic systems or services. This definition of electronic records applies equally to the contents of such records, attachments to such records, and transactional information associated with such records.

University Administrative Record: A University Record (see definition below) that is directly related to the conduct of the University’s administrative business.

University Record: By law, University records are any papers, books, photographs, tapes, films, recordings, or other documentary materials, or any copies thereof, regardless of physical form or characteristics, made, produced, executed, or received by any department or office of the University or by any academic or administrative staff member in connection with the transaction of University business, and retained by that agency or its successor as evidence of its activities or functions because of the information contained therein.

University Electronic Record: A University Record in the form of an electronic record, whether or not any of the electronic communications resources utilized to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print the electronic communications record are owned by the University. This implies that the location of the record, or the location of its creation or use, does not change its nature as a University electronic record for purposes of this or other University policy.

Until determined otherwise or unless it is clear from the context, any electronic record residing on university-owned or controlled telecommunications, video, audio, and computing facilities will be deemed to be a University electronic record for purposes of this Policy.

Principles

Notification: Users should be notified that information is being collected and they should be informed of their rights. (e.g., all Web pages that collect personally identifiable information should include a privacy notice that specifies how the information will be used.)

Minimization: The institution should gather as little information as possible for legitimate purposes and delete information when it is no longer needed or no longer required by law to be retained. (e.g., library records need not be kept for more than a certain limited period of time.)

Secondary Use: Information should be used only for the purposes for which it was collected unless the individual gives additional consent. (e.g., a department should not share information with an administrative office for a separate purpose without the individual’s knowledge and consent.)

Nondisclosure and Consent: Information should not be released to third parties external to the University without consent. (e.g., vendors, business, etc.)

Need to Know: Only those with legitimate, official needs should have access to information. (e.g., a person’s position of authority in the University does not necessarily mean that they should be able to access information.)

Data Accuracy, Inspection, and Review: Information must be accurate, and individuals should have the right to examine information about themselves and request changes. (e.g., employees should be able to review their records and make changes or follow a standard process for any information that is disputed.)

Information Security, Integrity, and Accountability: Information should be secure and not vulnerable to unauthorized modification, and the handling of the data must be subject to accountability. (e.g., it should always be known who has access to information and changes to information should be documented.)

Education: The University has the responsibility to educate its constituents concerning privacy rights and the proper handling of information. (e.g., all constituents should know whom to consult about these matters and all employees should understand their responsibilities for abiding by policies for information handling.)

Record Classification

The Data Stewards in consultation with the Office of University Counsel determine the confidentiality of the data. Data Stewards are representatives of the University who are assigned responsibility to serve as a steward of University data in a particular area. They are responsible for developing procedures for creating, maintaining, and using University data, based on University policy and applicable state and federal laws.

The classification Confidential Information covers sensitive information about individuals, including information identified in the Human Resources Manual, and sensitive information about the University. Information receiving this classification requires a high level of protection against unauthorized disclosure, modification, destruction, and use. Specific categories of confidential information include information about:

  • Current and former students (protected under the Family Educational Rights and Privacy Act (FERPA) of 1974), including student academic, disciplinary, and financial records and student works such as homework, term papers, and exams; and prospective students, including information submitted by student applicants to the University.
  • Medical Center patients (protected under the Health Insurance Portability and Accountability Act (HIPAA) of 1996), Law Center clients, library patrons, and donors and potential donors.
  • Current, former, and prospective employees, including employment, pay, health, and insurance data, and other personnel information.
  • Research, including information related to a forthcoming or pending patent application (patents must be filed within a year of publication), and information related to human subjects.
  • Certain University business operations, finances, legal matters, or other operations of a particularly sensitive nature.
  • Information security data, including passwords.

Determining authorizations. Only those with a legitimate, official need have access to these classified electronic records. Data Stewards determine who is authorized to have access to their information. They should make sure that those with access have a need to know the information and know the security requirements for that information. For Confidential Information, they should also make sure that those given access have a need to know and have signed a confidentiality agreement that covers the information.