September 1, 2004
Section I - Privacy Protection
Section II - Access, Security and Control of Data and Information Policy
Section III - Specific Compliance with FTC Safeguard Rules
The University of Wisconsin-Platteville is committed to safeguarding all personally identifiable information we obtain about our customers and visitors, whether internal or external. The only personally identifiable information the University collects via electronic mail, administrative systems or the campus web site, including those web sites currently being maintained by third-party, trusted providers is that which is voluntarily provided by our customers and visitors. Tracking information is collected and analyzed so that we may improve our service offerings to our users. This tracking information is kept confidential to the University of Wisconsin-Platteville. In certain instances, tracking information may be shared with approved vendors for diagnostic purposes. However, agreements are established with vendors to insure the confidentiality of any shared information.
The University of Wisconsin-Platteville will share personally identifiable information about you to other companies, organizations or people only when one or more of the following conditions apply:
- We have your consent to share the information;
- We need to share your information to provide the product or service you have requested;
- We need to send the information to companies/agencies who work on behalf of the University of Wisconsin - Platteville to provide a product or service you have requested. These companies do not have any right to use the personally identifiable information we provide to them beyond what is necessary to assist us.
- We respond to legally issued subpoenas, court orders or a legal process; or
- We find it necessary to protect and defend the legal rights or property of the University of Wisconsin-Platteville.
Access, Security and Control of Data and Information Policy
Purpose and Scope
The University of Wisconsin-Platteville maintains both paper records and computer information systems to carry out its educational mission. Federal and State laws and regulations govern access to these records. The University establishes local policies and procedures to ensure compliance with these laws and regulations and to protect the integrity of University records and the privacy of individuals. The following policy statements are applicable to all areas of the University and must be observed by all persons dealing with such information, including all University employees and students, as well as other individuals or entities that share University information for business purposes.
Policy and Principles
Data contained in the University's systems are the property of the University of Wisconsin-Platteville and represent official University records. Exceptions to this policy are: faculty developed curricular material, student developed curricular material, or certain licensed information such as electronic journal subscriptions. Questions regarding exemptions should be discussed with the University Legal Counsel.
Users who accept access to University data, regardless of the medium, also accept responsibility for adhering to certain principles in the use and protection of that data. These principles are:
- Information systems within the University shall be used only for and contain only data necessary for fulfillment of the University's mission.
- University data shall be used solely for the legitimate business of the University.
- Due care shall be exercised to protect University data and information systems from unauthorized use, disclosure, alteration or destruction.
- University data regardless of who collects or maintains it, shall be shared among those faculty or staff whose responsibilities require knowledge of such data.
- Applicable federal and state laws and University policies and procedures concerning storage, retention, use, release, transportation and destruction of data and/or all information systems, content and components shall be observed.
- Appropriate university procedures shall be followed in reporting any breach of security or compromise of safeguards.
- University computerized information systems shall be constructed in such a manner to assure that:
- Accuracy and completeness of all system contents are maintained during storage and processing;
- Data, text and software stored and processed can be traced forward and backward for audit ability;
- Information systems capabilities can be reestablished within an acceptable time due to loss or damage by accident, malfunction, breach of security or act of God; and
- Actual or attempted breaches of security can be detected promptly.
- Any faculty or staff member engaging in unauthorized use, disclosure, alteration or destruction of information systems or data in violation of this policy shall be subject to the appropriate disciplinary action, including possible dismissal and/or criminal prosecution.
- Any student engaging in unauthorized use, disclosure, alteration or destruction of information systems or data in violation of this policy shall be subject to appropriate disciplinary action, including possible expulsion and/or criminal prosecution.
- Users may not use, query, release or print data in any application which they have not been given deliberate access to, which can include but is not limited to
- Transcripts, grade reports, enrollment reports;
- Financial Aid information;
- Personnel, leave, salary reports;
- Reports for government or funding agencies;
- Fund-raising activities;
- Mailing lists and labels; and
- Private or public release of data to outside parties such as student, parents, and the news media.
- All requests for information under the Freedom of Information Act, the Wisconsin Public Records Law, law enforcement agencies, subpoenas, etc. must be referred to the University Legal Counsel before releasing any records. Records will only be released at the direction of the University Legal Counsel.
Safeguarding of University information systems and data shall be the responsibility of each faculty, staff or student with knowledge of the system or data. Specific responsibilities are as follows:
- Management - All levels of management are responsible for ensuring that system users within their area of accountability are aware of their responsibilities as defined in this policy. Specifically, managers are responsible for validating the access requirements of their staff according to their job functions prior to submitting requests for access, and for ensuring a secure office environment with regard to University information systems. Managers of major University offices should appoint an individual within their staff to ensure these responsibilities are observed. Managers are also responsible for ensuring that their staff attend appropriate training sessions offered by the University to ensure compliance with laws, regulations and local policies.
- Employees - Faculty, staff, and student employees, are responsible for the protection, privacy, and control of all University data they access or create, regardless of the data storage medium. All employees must ensure that the data and data media are maintained and disposed of in a secure manner. All employees are responsible for understanding the meaning and purpose of the data to which they have access, and may use this data only to support the normal functions of the employees' administrative and academic duties. All employees are responsible for all transactions occurring under his/her userid and/or password. Passwords and userids may not be shared with anyone under any circumstances unless the Assistant Vice Chancellor for Information Services in consultation with the University Legal Counsel approves an exception.
- Students - Students are responsible for protecting their userids and passwords so that no unauthorized persons would have access to their University records. Students are responsible for reading and understanding the Acceptable Use Policy, Email Policy, and Student Handbook, and complying with these policies and practices. Students should participate in University sponsored training sessions to improve their understanding of how to safeguard their own privacy.
- The Assistant Vice Chancellor for Information Services is responsible for providing administrative, technical and educational support in the area of information security for all users of the information systems. This support may include but is not limited to: computer account management; system and network security administration; firewall management; and information security training programs.
Responsibility for Implementation
The Assistant Vice Chancellor for Information Services serves as the coordinator of the Information Security Program of the University of Wisconsin-Platteville.
Responsibility for Interpretation
The Assistant Vice Chancellor for Information Services will consult with the University Legal Counsel regarding interpretation of this policy. Final authority for interpretation rests with the University Legal Counsel.
Specific Compliance with FTC Safeguard Rules
|The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of personal information that is collected from customers, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. This policy is to comply with rules established by the Federal Trade Commission for financial institutions for the safeguarding of Non-Public Personal Information (NPI) under the GLB Act. The University meets the definition for a financial institution under the GLB Act. Provisions of the GLB Act relating to privacy are covered under the University policy with respect to the Family Educational Rights and Privacy Act (FERPA). This policy covers the safeguarding of customer records and information. Listed below is a compliance assessment for the University of Wisconsin-Platteville as of May 23, 2003.
Designate one or more employees to coordinate the safeguards.
The designated employee for the coordination and execution of this information security plan is John Krogman, Assistant Vice Chancellor for Information Services & Chief Information Officer (CIO). All correspondence and inquiries should be directed to: Chief Information Officer, University of Wisconsin - Platteville, 1 University Plaza, Platteville, Wisconsin 53818.
Identify and assess the risks to customer information in each relevant area of institution's operation, and evaluate the effectiveness of the current safeguards for controlling these risks.
The following campus operations have been identified as relevant areas requiring compliance to this policy:
Financial Aid Office
Perkins Student Loan Office
Cashier/Student Accounts Receivable Office
Student Records (Registrar's Office)
Office of Information Technology
The risks to customer information and the plans for safeguarding such information are as follows:
The basic risk is the ability of unauthorized individuals or organizations to access, by any means, the confidential non-public personal information (NPI) of our customers. Such information is gathered in the course of our business operations to provide resources and services to such customers.
Such risks present themselves in hardcopy and electronic formats. Data gathering is accomplished by a variety of methods and forms. As such, the risks exist from the time of acquisition, through the storage phase (hardcopy/electronic), and until physical destruction of hardcopy files or purging of electronic records.
Storage facilities may consist of file cabinets, lateral files, cardboard boxes, or other appropriate medium including electronic data storage on numerous servers across campus. Third party vendors could also retain NPI in any of the mentioned formats.
The storage medium shall dictate the precautions necessary to preserve confidentiality of the NPI.
Design and implement a safeguards program, and regularly monitor and test it.
The CIO will coordinate with the internal auditor's office to maintain the information safeguarding/security program.
The CIO will provide guidance in complying with all privacy regulations. Each relevant area is responsible to secure customer information in accordance with all privacy guidelines. The addendum to this policy details the information security policies and processes for compliance by each relevant area. Copies of the policy shall be made available to anyone upon request.
In addition, the Office of Information Technology (OIT) will maintain and provide access to policies and procedures that protect against any anticipated threats to the security or integrity of electronic customer information and that guard against the unauthorized use of such information. OIT will also provide periodic training for departments accessing customer information.
Select appropriate service providers and contract with them to implement safeguards.
The University of Wisconsin - Platteville, in conjunction with the University of Wisconsin System, will select appropriate service providers that are given access to customer information in the normal course of business and will contract with them to provide adequate safeguards. In the process of choosing a service provider that will have access to customer information, the evaluation process shall include the ability of the service provider to safeguard customer information. Contracts with service providers shall include provisions similar to the following:
- an explicit acknowledgment that the contract allows the contract partner access to confidential information;
- a specific definition of the confidential information being provided;
- a stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
- a guarantee from the contract partner that it will ensure compliance with the protective conditions outlined in the contract;
- a guarantee from the contract partner that it will protect the confidential information it accesses according to commercially acceptable standards and no less rigorously than it protects its own customers' confidential information;
- a provision allowing for the return or destruction of all confidential information received by the contract partner upon completion of the contract;
- a stipulation allowing the entry of injunctive relief without posting bond in order to prevent or remedy breach of the confidentiality obligations of the contract;
- a stipulation that any violation of the contract's protective conditions amounts to a material breach of contract and entitles the University of Wisconsin Platteville to immediately terminate the contract without penalty;
- a provision allowing auditing of the contract partners' compliance with the contract safeguard requirements; and
- a provision ensuring that the contract's protective requirements shall survive any termination agreement.
Designation of monitoring and evaluation provisions.
This information safeguarding/security plan shall be evaluated and adjusted in light of relevant circumstances, including changes in the University of Wisconsin - Platteville's business arrangements or operations, or as a result of testing and monitoring the safeguards. Periodic reviews will be performed by internal audit to identify and assess the risks to customer information and evaluate the effectiveness of current safeguards in controlling these risks. The services of the University of Wisconsin System's Office of Operations Review and Audit and Office of General Counsel shall be consulted as needed in evaluating risk.