1.0 Policy Purpose
This policy affirms Brown University’s (the University’s) commitment to ensuring that the privacy of Personal Information collected from and about its applicants, students, faculty, staff, donors, contractors, program participants, those who use its systems, tools and platforms, and others is respected. The University protects the privacy of Personal Information within its control in a manner consistent with applicable laws, regulations, and University policies.
2.0 To Whom the Policy Applies
This policy applies to all faculty, staff, students, alumni, affiliates, and contractors who are authorized by the University to collect, store, process, transfer and/or use Personal Information.
3.0 Policy Statement
3.1 General Policy
At Brown University, we care about your privacy. This right to privacy is carefully balanced with University values and needs that are consistent with Brown’s education mission; its obligation to protect and maintain its property, information systems and resources; preserving the health and safety of University members and guests; and the need to comply with applicable federal, state and international laws and regulations, and University policies. The University is committed to:
- Collecting, storing, using, or disclosing Personal Information in a manner that ensures appropriate security of the Personal Information.
- Limiting the collection, storage, use, and disclosure of Personal Information to what is appropriate for its academic, research, and administrative functions.
- Ensuring that University members and guests, who have access to Personal Information through employment at or affiliation with the University, use the Personal Information solely for the purpose for which access was granted.
- Retaining Personal Information only as long as necessary for the purpose for which it was collected, in accordance with the University’s Record Retention Schedule, as required by applicable laws and regulations, or as disclosed to providers of the Personal Information.
This policy is not intended to replace or supersede other existing University policies and procedures relating to the use and maintenance of Personal Information, such as for Family Educational Rights and Privacy Act (FERPA) compliance, Gramm-Leach-Bliley Act (GLBA) compliance, and Health Insurance Portability and Accountability Act (HIPAA) compliance.
3.2 Categories of Personal Information
The University has established policies and principles governing certain categories of Personal Information, including but not limited to:
- Acceptable Use of Information Technology Resources Policy
- Accepting and Handling Payment Cards to Conduct University Business
- Brown University FERPA Policy
- Code of Conduct
- Data Risk Classifications
- Electronic Information Access Policy
- Employee Files and Records, Employment Verifications Policy
- Health Services Notice of Privacy Practices
- Notice of Privacy Practices (Brown University Health Insurance Plans)
For the purpose of this policy, the term below has the following definition:
- Personal Information: Non-public data in a University system or record.
All individuals to whom this policy applies are responsible for becoming familiar with and following this policy. University supervisors are responsible for promoting the understanding of this policy and for taking appropriate steps to help ensure compliance with it.
6.0 Consequences for Violating this Policy
Failure to comply with this and related policies is subject to disciplinary action, up to and including suspension without pay, or termination of employment or association with the University, in accordance with applicable (e.g., staff, faculty, student) disciplinary procedures. For third-party relationships, non-compliance may result in the suspension or revocation of the third-party relationship with Brown University.
7.0 Related Information
Brown University is a community in which employees are encouraged to share workplace concerns with University leadership. Additionally, Brown’s Anonymous Reporting Hotline allows anonymous and confidential reporting on matters of concern online or by phone (877-318-9184).
The following information complements and supplements this document. The information is intended to help explain this policy and is not an all-inclusive list of policies, procedures, laws and requirements.
7.1 Related Policies
See Policy Section 3.2
7.2 Related Procedures
See Policy Section 3.2
7.3 Related Forms
7.4 Frequently Asked Questions (FAQs)
7.5 Other Related Information
- Family Educational Rights and Privacy Act (FERPA): 20 U.S.C. § 1232g; 34 C.F.R. § 99
- Federal Information Security Management Act (FISMA): 44 U.S.C. § 35
- Gramm-Leach-Bliley Act (GLBA): 16 C.F.R. § 314 and 17 C.F.R. § 248
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): Public Law No. 104-191; 45 C.F.R. § 160; 45 C.F.R. § 164
- Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009: Public Law No. 111-5; 45 C.F.R. § 160; 45 C.F.R. § 164