Policy Number: 
IT-03
Approved Date: 
06/22/2021

The University of Iowa is committed to protecting the privacy of sensitive personal data.  This commitment supports the university’s core values of Excellence, Learning, Community, Diversity, Integrity, Respect, and Responsibility, as well as the university’s obligation to meet a variety of legal, regulatory, and ethical requirements. 

“Privacy” in the context of this policy refers to protecting the way information about an individual is collected, stored, processed, and used.   This policy serves to provide additional detail to the privacy requirements outlined in the Acceptable Use of Information Technology Resources policy found in the University of Iowa Operations Manual.  

Scope

  1. This policy applies to certain digital data collected, stored, processed and used by the university.  This includes, but is not limited to, the contexts of teaching, learning, research, service, employment, and other official functions of the university. 
  2. This policy applies to data shared with and/or stored by external third parties, whenever this is done within the context of an official function of the university.  

Policy Statements

  1. The goal of this policy is to protect the privacy of personal information when it is entrusted to the University’s care and subject to legal, regulatory, and/or ethical requirements.
  2. The Information Security and Policy Office (ISPO) will include an evaluation of privacy controls as part of the technology review process.
  3. Oversight of certain data domains (e.g., information protected by HIPAA, FERPA, etc.) is performed by the units that govern those data domains. ISPO will serve to facilitate the coordination of privacy controls and practices across data domains.

Standards

ISPO will maintain standards and best practices materials on the Privacy website.  

Roles and Responsibilities

  1. Each faculty and staff member, trainee, student, vendor, volunteer, contractor, or other affiliate of the University of Iowa who designs, develops, recommends, procures, manages or uses electronic and information technology is subject to and has responsibilities under this policy.
  2. Individuals responsible for the design, development, management and use of electronic and information technology involving personal data will include privacy considerations in all phases of the software lifecycle.

Resources

  1. ISPO will maintain a Privacy website.  This site will include news, information, tools, and best practices, as well as links to other campus resources related to privacy.  This site will also include frequently asked questions related to this policy.
  2. ISPO will offer training and consultation on topics related to privacy.
  3. ISPO will maintain a Privacy Impact Assessment (PIA) tool that will document conformance with legal, regulatory and other requirements, evaluate risks and outcomes, and suggest controls and/or alternate approaches to minimize privacy risks.

Enforcement

Enforcement of this policy falls under the procedures outlined in the Acceptable Use of Information Technology Resources policy found in the University of Iowa Operations Manual.

Policy Review

This policy will be reviewed bi-annually, understanding that updates or modifications may be made as the need arises.

Related Policies, References and Attachments

Institutional Data Policy  

IT Privacy Website  

University of Iowa Healthcare Privacy Policy 

Social Security Numbers (Operations Manual)  

European Union General Data Protection Regulation (Operations Manual) 

Acceptable Use of Information Technology Resources (Operations Manual)