601 - Treatment of Confidential Information
Subject: Treatment of Confidential Information
Date: February 1, 2010
To identify information that is considered confidential and to establish guidelines for the use of confidential information.
Employees must not misuse confidential information.
Confidential information generally consists of non-public information about a person or an entity that, if disclosed, could reasonably be expected to place either the person or the entity at risk of criminal or civil liability, or damage the person or entity's financial standing, employability, privacy or reputation. The University is bound by law or contract to protect some types of confidential information, and in other instances the University requires protection of confidential information beyond legal or contractual requirements as an additional safeguard. Confidential information includes but is not limited to:
- payroll records, salary and non-public benefits information
- Social Security numbers, driver's license numbers, state identification card numbers, passport numbers
- credit and debit card information, and financial account information
- personnel records, including but not limited to information regarding an employee's work history, credentials, salary and salary grade, benefits, length of service, performance, and discipline (see Policy U705 Employee Access to Personnel Records)
- individual criminal background check information
- individual conflict of interest information
- individually identifiable biometric information
- computer system passwords and security codes
- unpublished grant proposals and unpublished research data
- unpublished manuscripts and correspondence
- budgetary, departmental, or University planning information
- non-public financial, procurement, health/safety, audit, insurance and claims information
- internal investigation information, pre-litigation, and non-public litigation and administrative agency charge, audit and inquiry information
- student records, including but not limited to student education records within the meaning of the Family Educational Rights and Privacy Act
- proprietary or intellectual property in which the University asserts ownership that is created by University employees in connection with their work
- non-public law enforcement records generated or maintained by the University of Chicago Police Department
- all University attorney-client communications and University attorney work product
- non-public donor and alumni information
- patient care records including patient benefit plan enrollment, claims, billing matters, and data concerning human research subjects
- medical records, personally identifiable medical information, and all information designated as "Protected Health Information" under the Health Insurance Portability and Accountability Act (HIPAA), or otherwise protected by law
- all information, materials, data and records designated confidential by a University unit, by law or by contract, including information obtained by the University from third parties under non-disclosure agreements or any other contract that designates third party information as confidential
- All employees with job duties that require them to handle confidential information are required to safeguard such information and only use it or disclose it as expressly authorized or specifically required in the course of performing their specific job duties.
- Misuse of confidential information can be intentional (acts and/or omissions), or a product of negligence or inadvertence. Misuse includes but is not limited to:
- Accessing information not directly germane or relevant to the employee's specifically assigned tasks
- Disclosing, discussing and/or providing confidential information to any individual not authorized to view or access that data, including but not limited to third parties, volunteers, vendors and other University employees
- Reckless, careless, negligent, or improper handling, storage or disposal of confidential data, including electronically stored and/or transmitted data, printed documents and reports containing confidential information
- Deleting or altering information without authorization
- Generating and/or disseminating false or misleading information, and
- Using information viewed or retrieved from the systems for personal or any other unauthorized or unlawful use.
- Employees who have been assigned personal access codes to work with systems that generate, store or manage confidential information bear the responsibility for preserving the complete confidentiality of such codes to ensure against unauthorized use by any other person. Employees who negligently or intentionally share their system passwords or accounts with anyone else for any reason will be held responsible for any resulting misuse of the system by others.
- Employees who have any reason to believe or suspect that someone else is using their personal access codes must immediately notify their supervisor.
- Employees are prohibited from logging onto University data bases and administrative systems with their personal access codes and then permitting another person to access information in those data bases and/or systems.
- Student education records are governed by the Family Educational Rights and Privacy Act (FERPA) and applicable University policy (see the University of Chicago Student Manual). FERPA-protected student education records must not be disclosed under any circumstances absent the express consent of the University student (or former student) or as authorized by the University's Office of Legal Counsel or the University's Registrar. Although FERPA also permits the University to disclose student directory information (as defined by FERPA), no such information may be disclosed until the Office of the Registrar has confirmed that the student has not elected to block his or her directory information, as permitted by FERPA.
- Employees are expected to:
- Identify confidential information and materials
- Proactively seek information regarding and comply with any restrictions on the use, administration, processing, storage or transfer of the confidential information in any form, physical or electronic
- Learn about and comply with any procedures regarding the appropriate handling of such information and materials
- Understand their responsibilities related to information security
- Employees who have access to confidential information are expected to know and understand associated security requirements, and to take measures to protect the information, regardless of the data storage medium being used, e.g., printed media (forms, work papers, reports, microfilm, microfiche, books), computers, data/voice networks , physical storage environments (offices, filing cabinets, drawers), and magnetic and optical storage media (hard drives, diskettes, tapes, CDs, flash drives). Computer display screens should be positioned so that only authorized users can view confidential information, and confidential information should be discarded in a way that will preserve confidentiality (e.g., in a shred box, not in a trash can or recycling bin).
- In many instances, employees will be required or expected to attend training relevant to the information/materials being handled. Employees who are hired into positions that require adherence to government-mandated compliance (e.g., HIPAA, Medicare Compliance, grant and contract administration, pathogens or select agents) will be subject to strict procedures for handling such materials, must attend all mandated training sessions, and comply with compliance-specific policies and applicable law.
- Employees must notify the University of any violation of these guidelines. Employees may report their concerns immediately to their supervisor, department head, or central University administration. Alternatively, concerns may be reported to the University's hotline at 800-971-4317.
- Employee misuse of confidential information and/or the systems in which the information is stored is a serious breach of job responsibilities and will result in discipline up to and including termination of employment. [See Policy U703 Progressive Corrective Action]
Employees represented by a union may be governed by the appropriate bargaining unit agreement.