Original Issuance Date: October 28, 2020
Last Revision Date: November 13, 2020
Effective Date: November 1, 2021
1. Purpose of Procedures
To establish standards for the handling, protection, and privacy of a Data Subject’s Personal Data throughout the University of Wisconsin (UW) System.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- Data Subject
- Personal Data
- Personal Identifiable Information (PII)
- Protected Health Information (PHI)
I. Notice of Collection of Personal Data
The purpose for which Personal Data is collected must be specified at, or prior to, the time of collection.
II. Use of Personal Data
The use of Personal Data shall be limited to the purposes for which it was collected, as specified in 4.A.I. Only those with a legitimate business need to accomplish the institution’s mission are authorized to access, use, transmit, handle, retain, or receive Personal Data.
III. Disclosure of Personal Data
Personal Data may only be disclosed to third parties with the consent of the Data Subject, or under the following conditions:
- Legal Requirements: Records may be released in response to a lawful subpoena, warrant, open records request, or court order or where such records could be required or authorized by law to be produced, or a lawful request for any other reason, including disclosure to a government agency.
- Authorized Persons: Records may be disclosed to UW System officials and authorized individuals performing work for them who require the information for the performance of their job duties.
- Protection of Interests: UW System officials may disclose information contained in records to protect its legal interest when those records may be related to the actions of an Data Subject that the UW System reasonably believes may violate or have violated his/her conditions of employment or threaten injury to people or property.
- Emergencies: Information may be disclosed if, in the judgment of the designated data steward of such records, disclosure is necessary to protect the health, safety, or property of any person.
IV. Storage and Retention of Personal Data
UW System shall limit the storage and retention of Personal Data to that which is required to reasonably serve the institution’s academic, research, administrative functions, or other legally permitted purposes. Employees are prohibited from storing information containing Personal Data unless a specific business need exists to collect, maintain, and store the information.
5. Related Documents
Revision 1: November 13, 2020
First approved: October 28, 2020