BFB-RMP-7: Protection of Administrative Records containing Personally Identifiable Information
Chief Information Officer & Vice President – Information Technology Services
ITS – Information Technology Services
Last Review Date:
This applies to all University employees, students and others who have authorized access to Administrative Records containing Personally Identifiable Information at all locations.
(510) 987-9411
The University of California respects the privacy of individuals as fundamental to its mission and a value enshrined in the California constitution. Privacy:
- Is essential to promoting the values of academic and intellectual freedom,
- Plays an important role in upholding human dignity and safeguarding a strong, vibrant society, and
- Serves as the basis for an ethical and respectful workplace.
In its operations, activities, and management of information, the University is committed to protecting personal privacy. The University must balance this commitment with its other important commitments, including public accountability, the right of people to access information about the conduct of the public’s business. This policy outlines the requirements and processes for ensuring the University best protects information by meeting its legal obligations, as well as balancing information privacy and autonomy privacy with competing institutional obligations, values, and interests.
The purpose of this bulletin is to establish, in the context of the lifecycle of records, the universitywide principles and processes for safeguarding personally identifiable information in Administrative Records. In general, when personally identifiable information is requested, the University will examine whether its disclosure or use would constitute an unwarranted invasion of personal privacy. Where it does not, the requested personally identifiable information may be released in accordance with University policy or law.
This policy is for use by anyone in the university community who makes decisions about Administrative Records. Material provided in the Procedures may be helpful to anyone in the institution who creates or receives records of any type.
Administrative Records: In accordance with the definition of this term in RMP-1, this term is used to describe any record that documents or contains valuable information related to the organization, functions, policies, decisions, procedures, operations, or other business activities of the University.
California Information Practices Act (IPA): The law that guarantees individuals the right of access to records containing personal information which are maintained on them, with certain limitations, and sets forth provisions to govern the collection, maintenance, accuracy, dissemination, and disclosure of information about them. Special procedures for providing access to and protecting the privacy of University records containing personal data are required by the IPA.
California Public Records Act: The law that allows the public to access government information in order to disclose government conduct and safeguard accountability.
Commercial Purposes: Any purpose that has financial gain as a major objective.
Confidential: As defined in the UC Records Retention Schedule Glossary, this applies broadly to information for which disclosure or access may be assigned some degree of sensitivity, and therefore, for which some degree of protection or restricted access may be identified. Unauthorized access to or disclosure of information in this category could seriously or adversely affect the University and cause financial loss, damage to the University’s reputation, loss of confidence or public standing, or adversely affect a partner, e.g., a business or agency working with the University. Information in this category may have limited, moderate, or severe impact on University functions, which must be determined through risk assessment or business impact analysis. (UC Business & Financial Bulletin IS-2: Inventory, Classification, and Release of University Electronic Information §III.A.1.a).
Information Practices Coordinator: The Information Practices Coordinator at each location is responsible for administering responses to record requests, as well as providing technical and practical assistance to constituents at their locations on matters related to access to and disclosure of information maintained in university Administrative Records.
Information Privacy: As defined in the UC Statement of Privacy Values and Principles, this is the protection of information resources from unauthorized access, which could compromise their confidentiality, integrity, and availability.
Mailing Lists: This is any compilation of names and addresses, including email addresses.
Personally Identifiable Information: Any information that describes or identifies an individual, including but not limited to their name, social security number, physical description, home address, home telephone number, email address, education, financial matters, medical or employment history, and statements made by or attributed to the individual. This term may be used interchangeably with “personally identifying information” and “PII.”
Records Management Coordinator: In accordance with the definition in RMP-1, the individual at each campus, the Office of the President, the Division of Agriculture and Natural Resources, and the Lawrence Berkeley National Laboratory responsible for the development, coordination, implementation, and management of the Records Management Program at the location.
Records Management Program: In accordance with RMP-1, the Program consists of procedures that promote sound, efficient, and economical records management in the following areas: (1) creation, organization of, and access to records; (2) maintenance and retention of Administrative Records; (3) security and privacy of records; (4) protection of records vital to the university; (5) preservation of records of historical importance; (6) disposition of Administrative Records when they no longer serve their purpose; and (7) other functions the university may deem necessary for good records management.
Student Applicant Records: Records of a person during the period of application, acceptance, and admission to the University, prior to matriculation.
Telephone Directories: A collection of individuals’ names, possibly addresses, and phone numbers; may include employee (campus) or student directories.
UC Privacy Balancing Process: A process designed to address privacy risks when there is no policy in place pertaining to the situation.
III. POLICY STATEMENT
This policy applies to all PII in the University’s Administrative Records, regardless of the record’s function or medium, and addresses requirements related to the treatment of such information. However, requests for academic personnel records from government agencies will be controlled by Records Management and Privacy Policies 9a, 9b, and 9c.
All faculty, staff, and other individuals associated with the University who have access to PII must understand their responsibilities for safeguarding the privacy of that information. The responsible Information Practices Coordinators, Records Managers, and in consultation with the Office of the General Counsel, provide overall policy and procedural guidance to University locations about privacy and access to Administrative Records.
A. Rules of Conduct for Employees Access to Information Concerning Individuals
The University of California requires employees to adhere to the following rules of conduct concerning the minimum standards for the collection, maintenance, disclosure, safeguarding, and destruction of Administrative Records containing PII. Any officer or employee who intentionally violates this policy, including these Rules of Conduct, may be subject to discipline, up to and including termination. Further, the IPA provides for civil action by an individual against the University when the University fails to comply with the provisions of the IPA to the individual’s detriment. The University may also be subject to court injunction for noncompliance with the IPA.
1. Employees responsible for the collection, maintenance, use, and dissemination of records about individuals which may contain information related to the individual’s personal life, including but not limited to employment and medical history, financial transactions, marital status and dependents, must comply with the provisions of the State of California Information Practices Act.
2. Employees must not require individuals to disclose personal or confidential information about themselves which is not necessary and relevant to the purposes of the University or to the particular function for which the employee is responsible.
3. Employees must make every reasonable effort to see that inquiries and requests by individuals for their personal or confidential records are responded to quickly, courteously, and without requiring the requester to repeat the inquiry to others unnecessarily.
4. Employees must assist individuals who seek information pertaining to themselves in making their inquiries sufficiently specific and descriptive so as to facilitate locating the records.
5. Employees must not disclose personal or confidential information relating to individuals to unauthorized persons or entities.
6. Employees must not seek out or use personal or confidential information relating to others for their own interest or advantage.
7. Employees responsible for the maintenance of personal and confidential records shall take all necessary precautions to assure that proper administrative, technical, and physical safeguards are established and followed in order to protect the confidentiality of records containing personal or confidential information.
B. Management of Records containing PII
What follows is basic information about the management of any Administrative Records containing PII. The University strives to collect and maintain only information that is necessary and pertinent to accomplish its University mission. For specific procedures concerning mailing lists and student records including application records, see Section VI Procedures. For information concerning Confidential Academic Peer Review Records, see APM-160.
To the greatest extent practical, information about an individual should be collected directly from the individual to whom it pertains. When this is not possible, the University will maintain the source or sources of information, in a readily accessible format in order to provide it to the individual upon request. When PII is disclosed, individuals may be notified according to existing legal requirements, University policy, and campus practices.
be notified whether the University maintains records about them
may inspect those records.
These procedures must be consistent with the requirements of the IPA.
1. Use of PII for Commercial Purposes
The University will not distribute for commercial purposes, sell, or rent PII unless such action is specifically authorized by law.
Disposition of PII in Administrative Records
Information held by the University should be disposed of in accordance with federal and state law, as well as required by RMP-2 Records Retention and Disposition and the UC Records Retention Schedule, unless it is needed as evidence in an investigation, foreseeable or on-going litigation, on-going audit, on-going Public Records Request or other special circumstance until these actions have been completed or resolved.
Procedures for Reporting Unauthorized Disclosures or Breaches of PII
Each location is responsible for identifying procedures for reporting unauthorized disclosures or breaches of PII for both paper and electronic records. Procedures for reporting electronic unauthorized disclosures or breaches of PII must be done in alignment with the UC IS-3 and the UC Incident Response Plan.
C. Evaluating Use or Disclosure of Information Containing PII
In addition to the University’s legal obligations and the UC Statement of Privacy Values and Principles, when policy does not expressly clarify or provide action for a circumstance, the University will use the UC Privacy Balancing Process to adjudicate privacy and other competing interests.
Within this risk-based approach to disclosing information and the University’s legal obligations, the University will not make public disclosures of information when it can demonstrate that the public interest served by not making the record public clearly outweighs the public interest served by disclosing the information. In determining this information, the University will review specific statutory exceptions that might allow for disclosure of PII. Situations involving unprecedented and significant balancing concerns shall be referred to the location’s Privacy Board unless a relevant alternative adjudication path is already established.
A. Implementation of the Policy
Chancellors, Medical Center Directors, Vice President of Agriculture and Natural Resources, and UC Managed Laboratory Directors are responsible for designating an Information Practices Coordinator to administer and implement this policy at their Location.
The Vice President and Chief Information Officer is responsible for issuing and updating any requirements, standards or guidelines that support this policy.
The UC Information Practices Coordinator, UC Records Manager, UC Privacy Manager shall facilitate regular communication among local Information Practices Coordinators, Records Management Coordinators, to address consistent implementation of this policy throughout the University of California. Each Information Practices Coordinator, Records Management Coordinator, will partner at their respective locations to ensure consistent implementation of this policy, as necessary.
B. Revisions to the Policy
The Regents are the Policy Approver for this policy and have the authority to approve any policy revisions upon recommendation by the President.
The Vice President and Chief Information Officer has the authority to initiate policy revisions and is responsible for regular reviews and updates consistent with approval authorities and applicable Bylaws and Standing Orders of The Regents.
C. Roles & Responsibilities
The following functions are critical to ensuring the University handles information in a manner consistent with the University’s legal obligations, policy requirements, and the Statement of Privacy Values and Principles. Together, Information Practices Coordinators,
Officials, and Records Management Coordinators, serve as subject matter experts and collaborate with other disciplines to strengthen the University’s information governance framework.
1. University Employees
The University requires that all faculty, staff, and other University community members with access to information understand their responsibilities for safeguarding the privacy of that information.
2. University Managers
All managers should ensure that any personnel who have access to PII are made aware of their responsibilities for handling such records, including protecting the records from unauthorized access and disclosure.
3. Information Practices Coordinator
The Information Practices Coordinator at each location is responsible for administering responses to record requests, as well as providing technical and practical assistance to constituents at their locations on matters related to access to and disclosure of information maintained in university Administrative Records. The CPRA Office within the OGC provides guidance to campuses and may manage multi-campus CPRA requests on behalf of the campuses. Information Practices Coordinators also:
- Ensure records’ access and disclosure procedures and practices adhere to federal and state laws, including but not limited to IPA and the California Public Records Act (CPRA).
Rules of Conduct outlined in Section II.A. at their Location.
- Determines whether employment information about University employees at the location, in addition to the below descriptors, will be released to the public. Such determinations are made locally, on a case-by-case basis, by the Information Practices Coordinator, in consultation with the Office of the General Counsel and local Privacy Official, as needed. Requests that involve all locations may be managed in the CPRA Office within the OGC.
- Ensures that individuals’ requests for access to amend records containing their PII are administered in accordance with university and legal requirements, and that local procedures to access and amend their information are clear and accessible.
- Develops local guidelines on information practices, including training programs.
- Reviews local personally-identifiable information collection and notice practices upon request.
- Assists with interpretation of federal and state access and disclosure laws and university policies including but not limited to the CPRA, IPA and the UC Rules of Conduct.
Campus Privacy Officials at each location are responsible for overseeing the strategic direction and application of the University’s Privacy Values, Principles, and Balancing Process throughout the activities of the University and each location. Campus Privacy Officials collaborate with responsible domain-specific resources to accomplish their responsibilities, including:
iii. Information Security Officers and local Police Chiefs, as appropriate, regarding physical and electronic information safeguarding, including responding to known or suspected electronic system breaches in accordance with UC IS-3 Electronic Information Security.
iv. Location Privacy and Information Security Boards to adjudicate between conflicting University interests in situations presenting novel or complex privacy questions.
- Other University employees, as appropriate, regarding privacy breaches and other practices.
As defined in RMP-1, Records Management Coordinators are responsible for the development, coordination, implementation, and management of the Records Management Program at that location.
6. Chancellors, Medical Center Directors, Vice President of Agriculture and Natural Resources, and UC Managed Laboratory Directors
The above are responsible for designating an Information Practices Coordinator, Campus Privacy Official, and Records Management Coordinator to administer and implement this policy at their Location.
For specific categories of PII, the following procedures will be followed across the University to ensure consistency.
A. Student Applicant Records
In accordance with California law, the University collects only information that clearly assists the University in determining admission and financial criteria. Disclosure of any allowable portion of the information will be in accordance with state and federal law.
An applicant has the right to inspect records referencing them with regard to the application process, with the exception of evaluation forms and records “created with the documented understanding of confidentiality.”
When the applicant is outside the U.S., they may have a person within the U.S. act as their representative. This representative would have the same access rights to the applicant’s file. The University may disclose information to this representative if forms, documents, or correspondence within the University’s possession demonstrate with reasonable certainty that this is the applicant’s intended representative.
1. Parents of Applicants
In accordance with the IPA, the University will not release information from the applicant’s files to the applicant’s parents without the applicant’s written consent, regardless of the individual’s age or financial status. The University’s current admissions process provides the opportunity to furnish this consent.
In accordance with FERPA, the University will not release application records (or any other student records) pertaining to a Matriculated Student to parents without the student’s written consent, regardless of age or financial status, unless it is done under a specific exception under FERPA.
2. School Administrators and Teachers
In accordance with state law, the University may disclose PII about a University applicant to third parties (e.g., school counselors). This information may include eligibility status or lack of certain grades. The University will disclose this information only if:
b. The information is necessary for performance of the third party’s official duties and its use will be compatible with its original collection purpose; or
c. The requested information will be used for scientific or statistical research and assurances of confidentiality and protection of personal identity are guaranteed.
3. Advancement, Development, and Alumni Office Staff
Advancement, Development, and Alumni office staff have legitimate educational interest in applicants’ records. These offices may access applicant information, including PII, when the information is relevant and necessary to carry out their assigned duties and clearly related to the purpose for which the information was originally collected.
B. University Mailing Lists and Telephone Directories
Upon written request from any individual, any University office which maintains a mailing list must remove that individual’s name and address from such list, unless the list is used by the University solely for necessary direct contact with the individual.
The University will not use or disclose its directories and mailing lists for commercial purposes.
- Health Information Portability and Accountability Act of 1996
- HITECH Act
For specific additional requirements about student records, Protected Health Information (PHI), and Confidential Academic Peer Review Records please refer to the policies below:
- The University’s Policies Applying to the Disclosure of Information from Student Records and the Federal Family Educational Rights and Privacy Act (FERPA) primarily govern the handling of student education records.
- The University systemwide HIPAA policies, the Health Information Portability and Accountability Act of 1996 (HIPAA), and subsequent amendments in the HITECH Act govern the handling of Protected Health Information.
- See APM 160-20-d-3, http://www.ucop.edu/academic-personnel-programs/_files/apm/apm-160.pdf
This policy replaces the following policies:
- BFB-RMP-7: Privacy of and Access to Information Responsibilities. November 1, 1985 Initial Version.
- BFB-RMP-8: Requirements of Privacy of and Access to Information. November 13, 2015 Rescinded.
- BFB-RMP-11: Student Applicant Records. June 15, 1989 Initial Version.
- BFB-RMP-12: Guidelines for Assuring Privacy of Personal Information in Mailing Lists and Telephone Directories. June 15, 1989 Initial Version
December 1, 2011 Initial version
 For more information, see Roles and Responsibilities. For a list of current privacy officials, see http://www.ucop.edu/ethics-compliance-audit-services/compliance/privacy/campus-privacy-officials.html.
 For additional requirements concerning requests for and access to academic peer review records (“confidential academic review records”), please see policy APM-160.
 For more information about the specific responsibilities of each role, see Section IV.C.
 The IPA requires that any intentional violation of that law or its required Code of Conduct by an employee or officer be subject to discipline, up to and including termination.
 The university has determined that the basic terms and conditions of employment of university employees, while descriptive of specific individuals, will be published or disclosed upon request without prior consent of the subject individual. University locations may adopt procedures to notify employees regarding disclosures when such notifications are not otherwise prohibited by law and courtesy notification is generally considered a best practice.
The university has determined that the following information about University employees is public:
- Date of hire or separation
- Position title
- Salary and/or compensation
- Organization unit assignment, including office address & telephone number
- Job description
- Full time or part time, and appointment type (career, casual or probationary status)
- Other cash payment information including but not limited to perquisites, benefits, “By agreement” payments, incentive compensation, moving expenses, housing and relocation allowances, etc.