Frequently Asked Questions
What is information or data privacy?
When someone mentions the word “privacy” several types of privacy usually immediately come to mind. For instance, bodily privacy focuses on the physical self and the right to control invasive procedures, like drug testing, genetic testing, or body searches. Communications privacy is involved when we talk about activities such as phone tapping and mail interception. Encroachments on personal space invoke territorial privacy where our personal boundaries might include our car, home, or personal locker. In each of these types of privacy the objective is to control what and how we present details about ourselves to the world.
Information or data privacy means empowering individuals to choose what happens to their personal data. This is sometimes referred to as “information self-determination”. Organizations implement data privacy by informing individuals about the organization’s data handling practices; providing opportunities for the individual to choose how personal information will be collected, used, and shared; and abiding by the individual’s requests.
What is the difference between privacy and security?
Information security (InfoSec) and privacy are complementary but separate disciplines.
InfoSec focuses on electronic data and generally refers to protecting that data from unauthorized access, use and disclosure. Privacy involves individuals’ rights to control how their data is collected and used. Privacy encompasses the analysis of policy and business processes to ensure the legal and ethical obligations of an organization are upheld when the organization collects, stores, uses and/or discloses sensitive information. This includes informing the public of the organization’s information practices; providing information on opportunities to choose whether personal information will be shared and of options to restrict access to sensitive information; and assessing risks associated with the unauthorized access to, or loss of, sensitive information. For privacy, information in all formats and forms is within scope.
What are some examples of privacy in action?
To build a culture of privacy, we must weave privacy principles into how we manage data in our day-to-day business processes. Examples of privacy in action include:
Principle: Critically challenge data needs prior to collection.
Action: Validate the data to be collected supports a specific University mission or operation.
Principle: Know your data.
Action: Inventory the data you maintain, understand its sensitivity or classification, and apply the appropriate protections.
Principle: Hold ourselves and partners accountable.
Action: Train employees on their responsibilities to protect data. Establish data sharing agreements.
What is the first step Departments should take to enhance data privacy protections?
We can’t protect the data entrusted to us if we don’t know what we have, so the first step toward data protection is to inventory and classify your Department’s data. Contact the Privacy Program to collaborate on the best approach for your area. We’ll develop a strategy together.
How do I know if I have data that needs special protections?
The University Data Classification Policy establishes and describes categories of data based on the level of sensitivity. The University has adopted four data classification categories: Restricted, Confidential, Internal Use and Public. Contact the Privacy Program to further discuss the types of data you handle.
We already have laws that protect privacy. Why do we need to be mindful of the privacy principles described in the University Privacy Policy?
There is no one-size-fits-all for privacy. Expectations of privacy vary from person to person, change over time, and can be contextual. The number of state and federal privacy laws continues to increase each year, and technological advances and adaptation move faster than society’s ability to understand their full implications. Privacy principles guide behavior and decision making as we navigate this constantly changing environment.
University Privacy Policy
My department has more questions about privacy. How can we learn more?
Let’s talk about your data! Request a privacy consult.
What do I do if I think information has been mishandled or compromised?
Report data and information security incidents to CCIT. Refer to the CCIT Information Security Incident Reporting Procedures for additional reporting guidance.