Policy

Original Issuance Date: October 28, 2020

Last Revision Date: February 24, 2023

1. Policy Purpose

To establish a foundation for the privacy of a Data Subject’s Personal Data throughout the University of Wisconsin (UW) System. To safeguard the privacy rights of members of the UW System community and maintain accountability for protecting all types of Personal Data. To balance a Data Subject’s privacy rights with the need for and access to Personal Data to serve or protect core values and operations of UW System and/or to meet legal requirements.

2. Responsible UW System Officer

Associate Vice President for Information Security

3. Scope

This policy applies to all members of the UW System community, including but not limited to students, faculty, staff, third-party vendors and contractors, visitors to any program or facility within UW System, and to others with access to Personal Data of UW System’s community. This policy governs all formats of Personal Data collected by UW System and its institutions.

4. Background

Governments around the world are addressing the widespread availability of individuals’ Personal Data and concerns regarding abuse of that data. UW System is committed to ensuring the privacy and security of Personal Data. Central to this commitment is the priority to be transparent about the Personal Data collected about members of the UW System, how it is used, and with whom it is shared. This policy is designed to create a foundation for the privacy of Personal Data throughout UW System and establish a governance structure to address privacy-related matters and advance UW System’s Privacy Program, once developed.

5. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • Data Subject
  • Personal Data
  • Personal Identifiable Information (PII)
  • Protected Health Information (PHI)

6. Policy Statement

A. General Privacy

UW System shall limit the collection, use, sharing, and storage of Personal Data to that which reasonably serves the institution’s academic, research, administrative functions, or other legally permitted purposes. Such collection, use, sharing, and storage shall comply with applicable federal and state laws and regulations, and with the policies, standards, and procedures of UW System or any individual institution within UW System.

B. Notice and Consent

Prior to collection of Personal Data, institutions shall make available to the Data Subject a notice that describes the Personal Data that will be collected, how it will be processed, and with whom the Personal Data will be shared.

If Personal Data is to be collected or processed for reasons that do not otherwise serve the institution’s academic, research, administrative functions, or other legally required purposes, the institution shall make available to the Data Subject processing preferences and the ability for the Data Subject to opt in to such collection or processing.

Exceptions to this notice and consent requirement are permitted to the extent allowed under federal and state laws and regulations (such as in situations where human subject research occurs pursuant to a waiver of HIPAA’s authorization requirement).

C. Access to Personal Data

Institutions shall provide means for Data Subjects to review their own Personal Data collected and/or processed by the institution and provide means for Data Subjects to request corrections of the data if inaccuracies are found. Institutions shall take reasonable steps to review requests for corrections and amend, supplement, or correct Personal Data where warranted.

D. Privacy Officers and Governance

Each institution shall appoint an individual or individuals at their institution to address privacy-related questions or concerns. The individual(s) will also serve as the liaison between the institution and the UW System Chief Privacy Officer on privacy-related matters and initiatives.

UW System shall appoint or designate an individual, to be known as the Chief Privacy Officer, to develop and lead the UW System Privacy Program, act as a subject matter expert for privacy laws and regulations, and initiate, facilitate, and promote activities to foster information privacy awareness.

The UW System Administration Chief Privacy Officer shall advise the UW System President on privacy-related matters.

E. Expectation of Privacy

UW System recognizes the reasonable privacy expectation of employees, affiliates, business partners and students in relation to Personal Data maintained in any format, subject only to applicable state and federal laws and UW System policies and procedures. Neither UW System nor any individual institution can guarantee absolute privacy of Personal Data. Data Subjects can expect Personal Data to be used by UW System under the following conditions:

  • For system maintenance or business necessity, including security measures;
  • When consent is received from the Data Subject to monitor their data;
  • To investigate suspected violations of laws or UW System or institutional policy;
  • To fulfil obligations under Wisconsin Public Records Law or other laws, regulations, or institutional policies, rules, or guidelines; or
  • As permitted by applicable law or policy.

F. Suspected Violations or Breaches of Privacy

If, at any time, an individual or department suspects or confirms that any Personal Data maintained by an institution has been subject to unauthorized access and/or disclosure, the incident must be reported in accordance with UW System Administrative Policy 1033, Information Security: Incident Response. Notification to affected Data Subjects shall be made in accordance with applicable law.

G. Website Privacy Statement

Each institution shall publish a website privacy statement to describe, at a minimum, the type of information an institution collects, how the information is used, and with whom the information is shared when users visit the institution’s primary public website. This applies to the collection of general information and Personal Data. Users should be prompted to read the Web Privacy Statement when visiting the institution’s website for the first time and the statement should also be conspicuously posted on the institution’s website’s home page or website directory.

7. Related Documents

Regent Policy Document 25-3, Acceptable Use of Information Technology Resources

s. 134.98, Wis. Stats., Wisconsin Breach Notification Law

UW System Information Security Program

UW System Administrative Policy 1033, Information Security: Incident Response

UW System Administrative Procedure 1040.A, Information Security: Privacy Procedure

8. Policy History

Revision 2: February 24, 2023

Revision 1: November 13, 2020

First approved: October 28, 2020

9. Scheduled Review

February 2026