POLICY AREA/CATEGORY: Privacy
Does UO have an existing policy in this area?
Yes and no. FERPA privacy policy is indicated as the privacy policy for campus.
There are numerous other privacy policies issued by UO schools and departments; these include:
UO E-Commerce Privacy Statement Template
University Policy 1.000 Response to Law Enforcement Subpoenas of Student Records
Issues of privacy and confidentiality are incorporated into records policies adopted by OUS:
OUS Student Records Policy
OUS Faculty Records Policy
Is this area addressed in Oct 2005 draft (from Randy)?
Yes and no — for example, look at section 6 (Privacy). This section deals with privacy on networks of email and personal folders. It does not deal with confidentiality of records in digital form. This issue is probably addressed in other policies (e.g. Banner, DuckWeb, etc.).
Are we aware of other campus or OUS groups working on this policy?
Not as a whole.
Question: what is the extent of our coverage under HIPAA?
NEW QUESTION
Are we aware of “best practice” examples from other campuses?
NOTES
(JES) Some additional privacy-related resources to consider include:
State of Oregon E-Government Privacy and Terms and Conditions
“Each Campus shall develop a privacy statement in accordance with the Federal Family Educational Rights and Privacy Act of 1974 (FFERPA) and complementary to the DAS privacy statement.”
Privacy and Security (issue theme), Educause Review, September/October 2006 (multiple articles)
(JES) Some hot higher education privacy-related topics right now…
Either UO or OWEN/NERO (or possibly both) will need to take steps to become CALEA compliant in the immediately foreseeable future
If you accept credit cards, there are specific privacy-related requirements which the payment card industry insists you follow as a condition of accepting charge card payments.
Phishing represents a targeted attack which may result in unauthorized disclosure of sensitive information, potentially with both personal and institutional consequences (as may occur when a privacy invading keylogger or screen grabber gets installed on a desktop or laptop as a result of a malware-related infection)
PII Breaches (wholesale disclosure of Personally Identifiable Information as a result of hacked/cracked systems, loss of laptops or backups with social security numbers or credit card numbers, etc.)
Some institutions are developing data stewardship policies to specifically articulate privacy-related responsibilities associated with research or administrative data which includes PII. The Oregon Legislature is considering legislation that would mandate disclosure of compromised personal information (see SB 583, the Oregon Consumer Identity Theft Protection Act of 2007).
last update 14 April 2007 (ARB)