601 - Treatment of Confidential Information
Subject: Treatment of Confidential Information
Date: July, 2017
To identify information that is considered confidential and to establish guidelines for the use of confidential information.
Who is governed by this policy:
This policy applies to all employees.
Employees must not misuse confidential information.
Confidential information generally consists of non-public information about a person or an entity that, if disclosed, could reasonably be expected to place either the person or the entity at risk of criminal or civil liability, or damage the person or entity's financial standing, employability, privacy or reputation. The University is bound by law or contract to protect some types of confidential information, and in other instances the University requires protection of confidential information beyond legal or contractual requirements as an additional safeguard. Confidential information includes but is not limited to:
- payroll records, salary and non-public benefits information
- Social Security numbers, driver's license numbers, state identification card numbers, passport numbers
- credit and debit card information, and financial account information
- personnel records, including but not limited to information regarding an employee's work history, credentials, salary and salary grade, benefits, length of service, performance, and discipline (see Policy U705 Employee Access to Personnel Records)
- individual criminal background check information
- individual conflict of interest information
- individually identifiable biometric information
- computer system passwords and security codes
- unpublished grant proposals and unpublished research data
- unpublished manuscripts and correspondence
- budgetary, departmental, or University planning information
- non-public financial, procurement, health/safety, audit, insurance and claims information
- internal investigation information, pre-litigation, and non-public litigation and administrative agency charge, audit and inquiry information
- student records, including but not limited to student education records within the meaning of the Family Educational Rights and Privacy Act (FERPA)
- proprietary or intellectual property in which the University asserts ownership that is created by University employees in connection with their work
- non-public law enforcement records generated or maintained by the University of Chicago Police Department
- all University attorney-client communications and University attorney work product
- non-public donor and alumni information
- patient care records including patient benefit plan enrollment, claims, billing matters, and data concerning human research subjects
- medical records, personally identifiable medical information, and all information designated as "Protected Health Information" under the Health Insurance Portability and Accountability Act (HIPAA), or otherwise protected by law
- all information, materials, data and records designated confidential by a University unit, by law or by contract, including information obtained by the University from third parties under non-disclosure agreements or any other contract that designates third party information as confidential
All employees are required to safeguard confidential information and only use or disclose it as expressly authorized or specifically required in the course of performing their specific job duties.
Misuse of confidential information can be intentional (acts and/or omissions), or a product of negligence or inadvertence. Misuse includes but is not limited to:
- Accessing information not directly germane or relevant to the employee's specifically assigned tasks
- Disclosing, discussing and/or providing confidential information to any individual not authorized to view or access that data, including but not limited to third parties, volunteers, vendors and other University employees
- Reckless, careless, negligent, or improper handling, storage or disposal of confidential data, including electronically stored and/or transmitted data, printed documents and reports containing confidential information
- Deleting or altering information without authorization
- Generating and/or disseminating false or misleading information
- Using information viewed or retrieved from University systems for personal or any other unauthorized or unlawful use
Employee Access Codes
Employees who have been assigned personal access codes to work with systems that generate, store or manage confidential information bear the responsibility for preserving the complete confidentiality of such codes to ensure against unauthorized use by any other person. Employees who negligently or intentionally share their system passwords or accounts with anyone else for any reason will be held responsible for any resulting misuse of the system by others.
Employees who have any reason to believe or suspect that someone else is using their personal access codes must immediately notify their supervisor. Employees are prohibited from logging onto University databases and administrative systems with their personal access codes and then permitting another person to access information in those databases and/or systems.
Student Education Records
Student education records are governed by the Family Educational Rights and Privacy Act (FERPA) and applicable University policy (see the University of Chicago Student Manual). FERPA-protected student education records may only be disclosed with the prior written consent of the University student (or former student), to other University employees with a “legitimate educational interest” as described in the Student Manual, or as authorized by the University's Office of Legal Counsel or the University's Registrar. Although FERPA permits the University to disclose student directory information (as defined by FERPA), no such information may be disclosed until the Office of the Registrar has confirmed that the student has not elected to block their directory information, as permitted by FERPA.
Employee Duties Related to Confidential Information
Employees are expected to:
- Identify confidential information and materials
- Proactively seek information regarding and comply with any restrictions on the use, administration, processing, storage or transfer of the confidential information in any form, physical or electronic
- Learn about and comply with any procedures regarding the appropriate handling of such information and materials
- Understand their responsibilities related to information security
In many instances, employees will be required or expected to attend training relevant to the information/materials being handled. Employees who are hired into positions that require adherence to government-mandated compliance (e.g., HIPAA, Medicare Compliance, grant and contract administration, pathogens or select agents) will be subject to strict procedures for handling such materials, must attend all mandated training sessions, and comply with compliance-specific policies and applicable law.
Employees must notify the University of any violation of these rules.
Consequences for Misuse of Confidential Information
Employee misuse of confidential information and/or the systems in which the information is stored is a serious breach of job responsibilities and will result in discipline such as:
- immediate dismissal from work and disqualification from future University employment;
- other personnel and/or student conduct code disciplinary action;
- civil and/or criminal legal action as appropriate.
|Center of Expertise – Employee and Labor Relations|Employee and Labor Relations partners with department/division/unit HR professionals and Supervisors to provide guidance in the areas of policy, contract administration, performance management, leaves of absence, employment law compliance and various other employment matters.|
|HR Partner|Department/division/unit personnel who serve as the representatives for the department in all human resources issues and initiate key HR processes in campus HR systems on behalf of their department/division/unit.|
|Local Unit|Campus department/division/unit.|
|Shared Services Office|The centralized body that processes transactions, reviews and verifies documentation, enforces policies and regulations, and ensures consistency and accuracy of processes.|
|Supervisor|Unit personnel who oversee and regulate employees in their performance of assigned or delegated tasks, as well as enforce compliance with policy.|
Roles and Responsibilities:
|Governed Party|Roles and Responsibilities|
|Center of Expertise – Employee and Labor Relations|The Center of Expertise – Employee and Labor Relations is responsible for working with the HR Partner and Supervisor to determine disciplinary action needed in the case of employee misuse of confidential data and approve disciplinary actions.|
|Employee|Employees are responsible for maintaining confidentiality of information they have access to in the course of their employment at the University. Employees are responsible for notifying their supervisor of any breach of confidentiality. Employees are also responsible for attending training related to system access and signing a confidentiality agreement during the onboarding process. Employees are also responsible for using two-factor authentication when accessing core systems at the University.|
|HR Partner|The HR Partner is responsible for following policies and procedures relating to the confidentiality of information. The HR Partner, together with the Supervisor, is also responsible for initiating system access requests for onboarding employees, as well as submitting revoke system access or “quick closure” requests in the case of a terminating or transferring employee. The HR Partner is also responsible for reviewing system access when an employee’s position or responsibilities are updated. The HR Partner is also responsible for working with the Center of Expertise – Employee and Labor Relations to determine disciplinary action needed when employee misuse of confidential information has been identified.|
|Supervisor|Supervisors are responsible for enabling system access during the onboarding process or communicating system access requirements to HR Partners during the onboarding process. Supervisors are also responsible for requesting system access removal or notifying HR Partners of responsibility changes which alter an employee’s system access requirements.|
|Shared Services Office|Shared Services is responsible for processing system access requests for core systems, as well as processing revoke system access or quick closure requests in the case of employee job changes or terminations.|
|Center of Expertise – Employee and Labor Relations|email@example.com|4-7345|
|Shared Services Office|