[Minor revision–posted 6/12/14 (replaces 4/2/10 edition)]
Operating Policy and Procedure
OP 70.40: Information Privacy and Confidentiality Statements
DATE: June 12, 2014
PURPOSE: The purpose of this Operating Policy/Procedure (OP) is to establish procedures and safeguards for the protection of all information made confidential by law or TTU policy.
REVIEW: This OP will be reviewed in June of even-numbered years by the Managing Director of Human Resources, the chief information officers, and the Vice Chancellor/General Counsel with substantive revisions presented to the Associate Vice President for Administration and Chief of Staff.
1. General Policy
a. Anyone who has access to private and personally identifiable information concerning university faculty, staff, students, affiliates, or others, including donors or vendors, or who has access to any information made confidential by TTU policies or law (including, but not limited to, the Family Educational Rights and Privacy Act of 1974 and the Gramm-Leach-Bliley Act of 1999) will take reasonable and necessary steps to ensure privacy of such information. "Private and personally identifiable information" includes, but is not limited to, social security numbers, birth dates, driver license numbers, unpublished home addresses or phone numbers, personal account numbers, computer passwords and accounts, protected health information (e.g., patient records and information), and financial information.
b. Each department administrator, within their respective area of responsibility, shall be responsible for notifying faculty, staff, students, and affiliates of the requirements of this policy and shall be responsible for scheduling faculty, staff, and students for any training required under the provisions of this policy and shall be responsible for ensuring that such training has been completed.
c. Each department administrator shall require the completion of a Confidentiality Statement (Attachment A) from faculty, staff, students, and affiliates prior to employment or affiliation with TTU and shall ensure all properly executed confidentiality statements become a permanent part of the employee, student, or affiliate record, as appropriate.
Each department administrator shall require the completion of a confidentiality of student information system records form (Attachment B) from employees prior to accessing the Student Information System and shall submit all properly executed forms to the Information Technology Division to become a permanent part of the IT records.
d. Use or disclosure of certain financial information that is covered by the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. 6801, et seq., implemented by 16 C.F.R. Part 314, shall be governed by the TTU Information Security Plan for Financial Information (Attachment C). "Financial information" includes, but is not limited to, information obtained in connection with the award and issuance of student aid and billing.
e. With the exception of those parts of this policy governed by other TTU operating policies/procedures, responsibility for ensuring the implementation of and compliance with this policy shall rest with the Provost and the vice presidents within their areas of responsibilities.
2. Departmental Safeguards
Each department is responsible for establishing procedures necessary to implement this OP. When appropriate, departments should utilize the following practices to protect private or personally identifiable information.
Each department must maintain records listing employees who have access to files with sensitive information and the names of the types of files to which they have access.
b. Printed Copies
Use – Records containing private or personally identifiable information should be secured when not in use. For example, the records may be locked in a desk drawer or filing cabinet.
Disposal – When necessary to discard documents containing private or personally identifiable information, such documents should be disposed of by shredders or a comparable method designed to ensure privacy.
c. Electronic Data
Persons with access to electronic data containing private or personally identifiable information should take adequate steps to ensure that such information is not used by, accessible to, or released to unauthorized sources. When necessary to erase files containing such information, the files should be erased completely so that the information contained in the files cannot be recovered by undelete software.
d. Review of Departmental Processes
A department should be aware of the types of information being gathered within the department such as sign-in sheets, forms of identification, retrieval and use of records, and posting of information. A department should determine the necessity of obtaining private or personally identifiable information and revise processes where appropriate.
e. Third Party Release of Information
Each department should also evaluate the potential risk for misuse when releasing any student, faculty, or staff private information to any internal or external third party.
The effort to safeguard private or personally identifiable information should not be limited to the above categories. Changing technologies or laws may make additional safeguards necessary.
3. Reporting Violations
a. Administration, faculty, staff, or students at TTU who know of or suspect a violation of this policy shall report that incident promptly to their immediate supervisor, the appropriate department administrator, the registrar, or, when appropriate, in accordance with the TTU Information Security Plan for Financial Information and/or OP 52.04, Information Technology (IT) Security. In cases where the immediate supervisor is the known or suspected violator, employees shall report the known or suspected violation to the next higher administrative supervisor.
b. All information acquired in the investigation of any known or suspected violation of this policy shall be confidential unless disclosure is authorized by law.
4. Disciplinary Action
Employees (faculty, staff, or student employees) found to be in violation of this policy will be subject to disciplinary action up to and including termination, and may be subject to additional legal action.
The procedures set forth in TTU OP 70.31, Employee Conduct, Discipline, and Separations, shall apply to non-faculty employees.
The procedures set forth in OP 32.04, OP 32.02, and Sections 04.03 and 04.04, Regents' Rules shall apply to faculty employees.
For the purpose of this policy, "students" refers to all students enrolled at TTU, TTUHSC, or an affiliated institution, who, as part of their curriculum, attend or participate in classes at TTU. Additional policies and procedures concerning students are set forth in the TTU Student Handbook.
For the purposes of this policy, "affiliates" refers to volunteers or other non-student or non-employee individuals working in TTU facilities. Violation of this policy will result in loss of privileges, removal from institutional facilities, and possible legal action.
5. Right to Change Policy
Texas Tech University reserves the right to interpret, change, modify, amend, or rescind this policy, in whole or in part, at any time without the consent of employees.