Formerly Known As Policy Number: 16.1
Stanford University has an interest in ensuring that the privacy of its students, faculty, and staff is respected. The University is committed to protecting the privacy of Prohibited, Restricted and Confidential Information within its control in a manner consistent with applicable laws, regulations and University policies.
Applicability: This policy is applicable to all members of the Stanford community and visitors to the University, including but not limited to students, postdoctoral scholars, faculty, lecturers/instructors, staff, third-party vendors, and others with access to Stanford's campus and University Prohibited, Restricted and Confidential Information.
"Disclosure" is the release of, transfer of, provision of access to, or other communication of Information outside of the Stanford community.
"Use" is the examination, sharing, or other utilization of Information within the Stanford community.
"Information" is all Stanford University Prohibited, Restricted and Confidential information, whether in electronic or paper format, defined in Stanford's Data Classification, Access, Transmittal and Storage Guidelines (http://www.stanford.edu/group/security/securecomputing/dataclass_chart.html).
"Guidelines" refer to the Information Security Office's secure computing guidelines (http://www.stanford.edu/group/security/securecomputing/iso-guidelines.html) and its Data Classification, Access, Transmittal and Storage Guidelines (http://www.stanford.edu/group/security/securecomputing/dataclass_chart.html).
Stanford should limit the collection, use, disclosure or storage of Information to that which reasonably serves the University's academic, research, or administrative functions, or other legally required purposes. Such collection, use, disclosure and storage should comply with applicable Federal and state laws and regulations, and University policies.
Notwithstanding the General Policy contained in section 2.a, the University may disclose Information in the course of investigations and lawsuits, in response to subpoenas, for the proper functioning of the University, to protect the safety and well-being of individuals or the community, and as permitted by law.
Stanford has adopted policies governing certain categories of Information. These policies are listed in this section, 2.c. To the extent that there is a conflict between this Administrative Guide Memo 16.1 and any of these special policies, the special policy will control. For more information about Stanford's compliance with any of the laws and policies referenced below, please contact the University Privacy Officer at privacyofficer@stanford.edu or the individual listed in section 4.b as responsible for compliance.
Stanford should not use an individual's SSN or DLN as a personal identifier unless required by law or approved by Stanford's Vice President for Business Affairs and Chief Financial Officer or the Data Governance Board. Prohibited Information, including SSNs and DLNs, may be stored electronically only in compliance with the Guidelines. If Prohibited Information must be stored on paper, the files must be stored securely with access provided only to authorized persons.
Students have rights with respect to access to their education records under the Family Educational Rights and Privacy Act of 1974 ("FERPA"). These rights are outlined in the Stanford Bulletin (http://www.stanford.edu/dept/registrar/bulletin/).
Individuals have rights with respect to the privacy and security of their health information under Federal and state laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") (http://www.hhs.gov/ocr/privacy/). These rights are outlined in Guide Memo 1.6.2 (https://adminguide.stanford.edu/chapters/guiding-policies-and-principles/privacy-policies/privacy-and-security-health-information) and in the University health information privacy policies that can be found at the HIPAA website (https://privacy.stanford.edu/policies/hipaa-privacy-policies).
In addition to the rights afforded by HIPAA and other laws related to health information, the Federal Policy for the Protection of Human Subjects ("Common Rule") (http://www.hhs.gov/ohrp/humansubjects/commonrule/index.html) outlines provisions specific to the privacy of research participants and the confidentiality of their information. The Stanford Research Compliance Office maintains the Human Research Protection Program ("HRPP") (https://researchcompliance.stanford.edu/panels/hs) that includes the University policies related specifically to human subjects' research information.
The Gramm-Leach-Bliley Act ("GLBA") (http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act) requires that Stanford protect the privacy and security of information collected in the course of providing certain financial services, such as student financial aid or faculty staff housing loans. Stanford has adopted policies to protect this information. These policies are located on the Office of General Counsel's website (https://ogc.stanford.edu).
Some areas of the Stanford website operate commercial enterprises online. Stanford also delivers online service through its network. To comply with the California Online Privacy Protection Act of 2003 (http://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=BPC&division=8.&title=&part=&chapter=22.&article=) when Stanford (or any of its partners) collects personally identifiable consumer information on one of the commercial areas of its website or as the operator of an online service, it will conspicuously post either a privacy policy or a link to a privacy policy on the portal page for the commercial activity. This policy will:
Members of the Stanford community are subject to the Confidentiality and Privacy provisions set forth in Section 3 of the Code of Conduct contained in Administrative Guide Memo 1. As a reminder of Stanford's commitment to privacy, students, faculty, staff and other members of the workforce may be asked to sign a confidentiality statement based on the Code of Conduct and this privacy policy. Failure to sign such a statement in no way diminishes the obligation to uphold Stanford's policies.
Departments within Stanford University are responsible for ensuring that all members of their workforce (including, among others, faculty, staff, students, consultants and volunteers) receive appropriate training on Stanford's privacy and security policies to the extent necessary and appropriate for them to carry out their required job functions. Departments will maintain adequate records of workforce training, which will be provided upon request by the Office of the General Counsel, the University Privacy Officer, the Chief Information Security Officer, Internal Audit, Human Resources or other University official with a reasonable Stanford-related need for the information.
Stanford respects and values the privacy of its faculty, students and staff and will not monitor its community members without cause except as required by law or as permitted by the policies and agreement referenced below:
In order to protect the privacy of the Stanford community, photographs, video recordings and other recordings may be made only in accordance with University policies on campus photography (https://ucomm.stanford.edu/policies/film-photo-video-requests/).
The University is private property; however, some areas of the campus typically are open to visitors. These areas include White Plaza, public eating areas, retail establishments, outdoor and indoor guided touring areas, roads, walkways, designated parking areas and locations to which the public has been invited by advertised notice (such as for public educational, cultural, or athletic events). Even in these locations, visitors must not interfere with the privacy of students, postdoctoral scholars, faculty, lecturers/instructors, and staff, or with educational, research, and residential activities. The University may revoke at any time permission to be present in these or any other areas. Visitors should not be inside academic or residential areas unless they have been invited for appropriate business or social purposes by the responsible student, postdoctoral scholar, faculty member, lecturer/instructor, or staff member.
The University shall have a Privacy Officer who is responsible for:
In order to discharge these responsibilities, the University Privacy Officer will collaborate with Stanford's Chief Information Security Officer, the General Counsel, other University privacy officials and other University administration, as appropriate.
The University has designated certain officials with primary responsibility for establishing policies and procedures governing University compliance with certain specific privacy laws and regulations:
Each individual who retains custody of Information, and each system owner, is responsible for the application of this Guide Memo 1.6.1 (https://adminguide.stanford.edu/chapters/guiding-policies-and-principles/privacy-policies/privacy-policy) and all related University policies to the systems and Information under their care or control.