POL-U5315.02 Affording Individual Privacy Rights

Dates and Approval

Effective Date:

February 4, 2021

Revised Date:

April 14, 2023

Approved by:

President Sabah Randhawa

Who does this policy apply to?

This policy applies to all data collected, handled, stored, shared, and disposed of by the University that may be protected by law or contractual agreement.

Overview

This policy requires the implementation of a University privacy program that affords individuals’ privacy rights regarding the collection, access, use, disclosure, and disposal of their protected information. The University manages its data as an asset of the institution and implements appropriate privacy and security controls through various policies and processes.

Definitions

Privacy

Privacy refers to the concept that an individual has the right to:

  • Reasonably control the collection, use, and disclosure of their protected information, and
  • Be free from intrusion into their personal matters and information.

For example, an individual may have the right to be aware of the collection of their information before the data collection occurs, in order to make an informed choice (control) about participating in the data collection.

Protected Information

For the purpose of this policy, protected information refers to information protected by law, regulation, policy, or legal agreements. What is considered personal information, what an individual’s rights are, and how the information needs to be protected vary based on the particular law, regulation, or policy that is applicable to a specific situation and/or information.

Policy Statements

1. Western to Maintain a University Privacy Program

Following the effective date of this policy, the University will establish and maintain a centralized University Privacy Program (“Program”) with a framework designed to proactively protect privacy and manage associated risks.

A designated Privacy Committee composed of University privacy compliance owners and strategic compliance partners will establish the Program through written principles, policy, standards, procedures, and training that consider business and operational needs with meaningful privacy protections when collecting, accessing, using, monitoring, disclosing, and disposing of protected information in a manner consistent with applicable laws and regulations and ethical duties.

The Program must be written, made public, and include at a minimum:

  1. A Privacy Committee roster and charter,
  2. A reporting structure for effective leadership oversight,
  3. A defined program framework and principles,
  4. An action plan that reflects the federally required elements of an effective compliance program and regulatory requirements (see University Compliance Program), and
  5. Contact information for individuals to exercise their privacy rights.

The University Compliance Officer is responsible for facilitating the development and publication of the Program and reporting on progress to executive leadership.

2. University Privacy Program Supplements University Information Security Program

The goal of the Privacy Program is to implement policy, processes, controls, and training to ensure that individuals’ privacy rights are met. The goal of the Information Security Program is to implement controls to ensure the confidentiality, integrity, and availability of information maintained by Western. The two programs will work collaboratively to meet legal and ethical requirements and the goals of each program. See Policy U3000.07 Securing Information Systems.

3. Privacy Compliance Owners are Responsible for Overseeing Compliance

Delegated privacy compliance owners (see University Compliance Matrix – “Information” category) are responsible for overseeing compliance in their respective privacy areas. See also University Compliance Program Roles and Responsibilities.

The Program will ensure the coordination of the various privacy areas in the development of policies, procedures, controls, and training to more effectively and efficiently communicate expectations to employees regarding their responsibilities for privacy compliance.

4. All Employees are Responsible for Appropriate Handling of Information

All University employees must maintain the highest level of integrity and responsibility in collecting, accessing, safeguarding, using, disclosing, and disposing of protected information to which they may intentionally or incidentally gain access. All employees must strictly adhere to the University Confidentiality Agreement, which is to be signed upon hire, and thereafter as required by written standards.

5. All Employees are Responsible for Reporting Known or Suspected Violations

Employees must comply with all policies, standards, and procedures and promptly report known or suspected violations in accordance with reporting procedures. All reports of potential violations are to be taken seriously and responded to promptly by supervisors and management to determine appropriate and effective corrective action.

6. Supervisors are Responsible for Enforcement

Supervisors at all levels are responsible for enforcing all policies, standards, and procedures related to privacy.

7. Expectation of Privacy is Limited

Protected information maintained by or accessible to the University or a third party will be made available to certain employees and external parties but only to those with position and/or legitimate or contracted business needs that warrant access.

Western reserves the right to protect the University and individuals’ information by certain activities as permitted or required by law, state or University policy or standards, and/or legal agreements (including University Residences agreements).

The University may access and/or disclose an individual’s information without their consent as permitted or required by law, University policy, or other legal agreements.

8. Public Records Disclosure Complies with Applicable Law

All responses to public record requests are reviewed to ensure compliance with disclosure laws prior to being released by the University Public Records Officer.