Initially approved: April 13, 2009
Revised: November 16, 2015
Revised and Renamed: January 21, 2020
Policy Topic: Information Security
Administering Office: Office of the CIO
Western Carolina University ("University" or "WCU") is committed to protecting the privacy and security of the confidential and personally identifiable information (PII) of our constituents. Furthermore, there are various regulations requiring that we do so. The purpose of this policy is to establish the requirements to fulfill our obligations to the relevant regulations by following our Identity Theft Prevention Program as well as other related university policies and procedures.
This policy applies to all employees (faculty and staff), contractors or entities that are using the University's information technology resources, whether located on or off-campus, whether University-owned or contracted for use by the University, in a non-student capacity.
“PII” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to: name; address; telephone number; social security number; date of birth; government-issued driver’s license or identification number; alien registration number; government passport number; employer or taxpayer identification number; or bank or other financial account routing code.
“Identity Theft” means a fraud committed or attempted using the PII of another person without authority.
Risks to privacy arise as a by-product of authorized processing of the data we collect. It is our policy to limit our processing and sharing of the data we collect to the purposes it was collected for and other legal or regulatory requirements.
Additionally, the federal government, individual states and other countries have enacted legislation placing controls on the collection, processing and transmission of PII to protect privacy. It is the responsibility of the data stewards and their designees to understand applicable regulations (see partial list below under Related Regulations) and approve the processing or transmission of PII.
WCU uses information collected only for stated, implied, or legal purposes. WCU will protect student, medical, and other protected records as required by applicable law, contract, and University policy. To maintain its compliance with federal and state legislation, WCU retains the right to release both personally identifiable and aggregate information to state and federal agencies as required.
WCU works with many vendors and contractors who assist the University with its day-to-day affairs. Personal information provided to WCU or which the University automatically collects is used or shared with these organizations for the express purposes for which the information was collected. University vendors and contractors are only permitted to use personal information for the express purposes permitted in their agreements with the University. Otherwise, personal information is not released to third parties unless permitted by applicable law, including in instances where the information needs to be disclosed to protect the safety and security of the University community or University property, or where the University is legally compelled by law or judicial order.
As a public institution, and instrumentality of the State of North Carolina, WCU is subject to the NC Public Records laws. This means that records, in all forms including email, provided to the University are subject to public disclosure, unless the record is designated by law as confidential or not a public record. Some examples of confidential records include education records of students; personnel records of employees; medical records; law enforcement records; research data, records, or information of a proprietary nature; and information received by the University deemed as trade secrets and marked “confidential.”
Records created by and submitted to WCU are maintained and destroyed according to requirements under the state laws of North Carolina, as well as federal laws and institutional policies.
Risks to the security of PII arise from unauthorized activities that may jeopardize the confidentiality or integrity of the data. To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online. All individuals and entities that fall under the scope of this policy must follow the requirements set forth in the University’s Identity Theft Prevention Program and Data Handling Procedures.
Willful inappropriate access to or disclosure of data may result in appropriate disciplinary action, up to and including dismissal, or legal action being taken.
Liability for the willful inappropriate access to or disclosure of data may, in certain circumstances, rest with the individual and not the institution.