Information Technology

University of Massachusetts Amherst Privacy Policy

August 13, 2018

Introduction

The privacy of personal information, whether financial, health, demographic, or otherwise identifiable, is a value to which the University adheres.  The purpose of this policy is to affirm the University's commitment to protect the privacy of its community and of others who entrust their data to it.  The policy informs the University community of its obligations around the privacy of personally identifiable information (PII), including the obligation to comply with all existing laws and institutional policies regarding the privacy of data.  This policy is structured in alignment with the Privacy Controls identified in the National Institute of Standards and Technology's Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

Having been approved by the Chancellor of the University, this policy stands alongside all other institutional policies.

Policy Statements

Maintaining the privacy of information is the responsibility of every user of institutional information, research data, and information technology resources.  All who create, access, manage, or manipulate institutional information, research data, or information technology resources must comply with this policy's administrative, technical, and physical safeguards.

Units that access, manage, or manipulate institutional information or research data must have policies, standards, guidelines, and procedures that adequately protect the privacy of individuals' PII.

The Institutional Privacy Committee (IPC), in collaboration with the Compliance Office, Data Stewards, and University Counsel, will develop and maintain a campus privacy program.

To Whom This Policy Applies

This policy applies to all users (including, but not limited to, all faculty, students, staff, contractors, visitors or guests, and volunteers) who access, manage, or manipulate institutional information, research data, or information technology resources.

Standards

Authority and Purpose

  • Units that collect information shall document both the authority under which they collect the data and the purpose for which the data is collected.

Accountability, Audit, and Risk Management

  • The Institutional Privacy Committee (IPC), in collaboration with the Compliance Office, Data Stewards, and University Counsel, will develop and maintain a campus privacy program, with a review of the program occurring no less frequently than once every two years.
  • The IPC will develop and promulgate a privacy risk process, including a privacy impact assessment template, for subsequent use by units.
  • University Procurement will develop privacy requirements for contracts that cover private data.
  • Units, in collaboration with the IPC and Data Stewards, will monitor and audit privacy controls with appropriate frequency to determine their effectiveness.
  • The campus will strive to make general privacy training available for units to leverage. Units will ensure that this general training and any specific training is administered to personnel who have responsibility for PII.
  • The overall efforts of the privacy program will be reported to the Campus Leadership Committee by the IPC and Compliance Office on an annual basis, or as needed.
  • Systems that contain PII must be designed to support privacy by striving to automate privacy controls.
  • Each unit will document any unauthorized disclosure of PII and work with the Compliance Office to ensure that all necessary notifications are fulfilled.

Data Quality and Integrity

  • Each unit will put processes in place to ensure that the PII it creates or collects is accurate, relevant, timely, and complete.
  • To the extent practicable, units will ensure that data retains its accuracy, relevance, timeliness, and completeness.

Data Minimization and Retention

  • Individuals and units shall collect and maintain only the data they need to provide their services.
  • Units will maintain data according to a records retention schedule that complies with University policy and law.
  • Records no longer required will be disposed of or destroyed in a manner that preserves the privacy of any PII contained in the record.
  • Any testing, training, and research will minimize PII to only that which is necessary.

Individual Participation and Redress

  • Where feasible and appropriate, units will give individuals the ability to authorize the collection, maintenance, and sharing of their PII. If the data is required for legal or contractual obligations, the requirement must be documented.
  • Individuals should be allowed to delete their data, except where retention is required by law or contract.
  • Units will strive to provide individuals a mechanism to view and correct their PII.
  • Units will provide a process for receiving and responding to complaints, concerns, or questions about their privacy practices.

Security

  • Units shall maintain and update an inventory that lists all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
  • The campus shall develop a privacy incident response plan.  Units will implement the plan within their area and tie in to the larger campus plan.

Transparency

  • The IPC will develop a privacy notice for the campus that:
    • Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, maintenance, and disposal of personally identifiable information (PII); (ii) the authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
    • Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
    • Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before the change or as soon as practicable after it.
  • If a unit's practices deviate from the campus notice, the unit should develop a separate privacy notice covering the topics above, to be reviewed by the Data Stewards and the IPC.

Use Limitation

  • Units may use PII internally only for authorized purposes, for the uses identified in the notice, or as otherwise permitted by law and institutional policy.
  • Units will restrict the external provision of PII, including to other parts of the University of Massachusetts, to authorized uses only, by:
    • Limiting the information shared with third parties;
    • Entering into contractual agreements, such as a memorandum of understanding or a service contract, that identify the authorized uses of the data and which data may be used, the requirements for destroying or returning PII, and notification in the event of a violation;
    • Monitoring, auditing, and training staff on the issues related to sharing PII with third parties; and
    • Evaluating proposed new sharing of PII and whether a new public notice would be required.

Terms and Definitions

Personally Identifiable Information (PII): PII varies from regulation to regulation.  At the University of Massachusetts Amherst, it is any information that can reasonably be used to determine the identity of an individual, along with information associated with that individual over whose release the individual may wish to exercise control. Data Stewards may add additional specifications, including items such as health identifiers or financial identifiers.
Unauthorized Disclosure: The release of information to individuals or systems in a manner that violates one or more individuals' rights under law, contract, or policy.
Unit: A department, center, division, college, school, or other identifiable collection of people or services that would be identified as doing business either for, or in partnership with, the University of Massachusetts.