Original Issuance Date: October 28, 2020

Last Revision Date: November 13, 2020

Effective Date: November 1, 2021

1.     Purpose of Procedures

To establish standards for the handling, protection, and privacy of a Data Subject’s Personal Data throughout the University of Wisconsin (UW) System.

2.     Responsible UW System Officer

Associate Vice President (AVP) for Information Security

3.     Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • Data Subject
  • Personal Data
  • Personal Identifiable Information (PII)
  • Protected Health Information (PHI)

4.     Procedures

A. Standard

I. Notice of Collection of Personal Data

The purpose for which Personal Data is collected must be specified at, or prior to, the time of collection.

II. Use of Personal Data

The use of Personal Data shall be limited to the purposes for which it was collected, as specified in 4.A.I. Only those with a legitimate business need to accomplish the institution’s mission are authorized to access, use, transmit, handle, retain, or receive Personal Data.

III. Disclosure of Personal Data

Personal Data may only be disclosed to third parties with the consent of the Data Subject, or under the following conditions:

  1. Legal Requirements: Records may be released in response to a lawful subpoena, warrant, open records request, or court order or where such records could be required or authorized by law to be produced, or a lawful request for any other reason, including disclosure to a government agency.
  2. Authorized Persons: Records may be disclosed to UW System officials and authorized individuals performing work for them who require the information for the performance of their job duties.
  3. Protection of Interests: UW System officials may disclose information contained in records to protect its legal interest when those records may be related to the actions of an Data Subject that the UW System reasonably believes may violate or have violated his/her conditions of employment or threaten injury to people or property.
  4. Emergencies: Information may be disclosed if, in the judgment of the designated data steward of such records, disclosure is necessary to protect the health, safety, or property of any person.

IV. Storage and Retention of Personal Data

UW System shall limit the storage and retention of Personal Data to that which is required to reasonably serve the institution’s academic, research, administrative functions, or other legally permitted purposes. Employees are prohibited from storing information containing Personal Data unless a specific business need exists to collect, maintain, and store the information.

5.     Related Documents

Regent Policy Document 25-3 – Acceptable Use of Information Technology Resources
UW System Information Security Program
UW System Administrative Policy 1033, Information Security: Incident Response

UW System Administrative Policy 1040, Information Security: Privacy Policy
Wisconsin Stat. § 16.61
Wisconsin Stat. § 19

6.     History

Revision 1: November 13, 2020

First approved: October 28, 2020