Privacy (421)

Aug. 22, 2008

Effective 1/08

PRIVACY

Kansas Athletics is committed to safeguarding all Private Information entrusted to it by the public and members of the KU community. This notice describes Kansas Athletics and the University’s general privacy policy as it relates to the collection, protection, disclosure, and disposal of such information.

Collection and Protection of Private Information

Information may be collected in a variety of ways, paper or electronic, including but not limited to, Web sites, surveys, email, information requests, databases, etc., as required to support Kansas Athletics and University activities.

Information collected, regardless of the method of collection or format, may be used only to carry out the authorized business of Kansas Athletics. Kansas Athletics shall make reasonable efforts to limit the Private Information it collects to only that information strictly relevant to accomplish a clearly defined purpose.

Every department within Kansas Athletics is responsible for maintaining the necessary confidentiality, integrity and availability of the information it handles. Every department is responsible for granting to assigned individuals within the department the reasonable, minimum access to Private Information needed to accomplish the necessary purposes. All Kansas Athletics employees are required to abide by state and federal laws and University policies, procedures and guidelines regarding the handling and protection of Private Information.

Employees who become aware of a breach of the privacy or security of Private Information must report such breach immediately to the KU Information Services Customer Service Center at 864-8080. The Information Services Customer Service Center will notify the KU Privacy Office and/or the KU IT Security Officer as required by the particular incident.

Private Information includes all information protected by state and/or federal law or that Kansas Athletics or the University is contractually obligated to protect. Private Information also includes information designated by Kansas Athletics as private (confidential or sensitive) through the creation of standards, procedures and guidelines. Access to these data must be tightly monitored.

Examples of Private Information include, but are not limited to the following:

– Nondirectory student records as defined by FERPA and the University Student Records Policy (www.vpss.ku.edu/records.shtml)

– Financial aid and scholarship records

– Individually identifiable personnel records.

– Personal information utilized to verify identity, including but not limited to Social Security numbers (SSN) and University ID numbers (KU ID)

– Passwords and PINS

– Digital signatures

– Individually identifiable health information protected by state or federal law (including but not limited to “protected health information” as defined by the Health Insurance Portability and Accountability Act (HIPAA).

– Individually identifiable information created and collected by research projects.

– Credit card numbers and financial transactions covered by the Payment Card Industry (PCI) Standard.

– Information resources with access to confidential or sensitive data

– Information covered by nondisclosure agreements

Disclosure of Private Information

Private Information may be disclosed only to the extent that is permitted or required by law. Disclosure must comply with applicable requirements regarding consent or authorization for disclosure.

Legally Mandated Disclosure of Information

Kansas Athletics and the University may be required to release information, including Private Information, where required by state or federal law or upon receipt of a subpoena, search warrant or other court order.

Employee Privacy When Using Kansas Athletics or University Resources

Kansas Athletics supports a climate of trust and respect. It does not ordinarily read, monitor or screen employees’ routine use of information resources, except as necessary to maintain quality of service, to investigate a breach of security or misuse of Kansas Athletics or University information resources, or where required by law. Disposal of Private Information Currently, there are 2 methods recommended to securely dispose of confidential, paper documents (or CD’s, DVD’s, etc.) including:

1. shredding (cross cut or diamond cut shredder recommended) or pulverizing materials; or

2. disposal in secure, locked shredding consoles For removal of Private Information on computers, contact the IT department for assistance to make sure the information is properly removed.

Consequences

Violations of this policy may result in disciplinary action, up to and including dismissal of employees. Employment actions will be conducted under the advice and guidance of the Corporate Counsel, Human Resources and the University Office of the General Counsel.