University Policy 106

Identity Theft Prevention Program

Protecting the Privacy and Security of Personally Identifiable Information (PII)

Initially approved: April 13, 2009
Revised: November 16, 2015
Revised and Renamed: January 21, 2020
Revised: January 9, 2024

Policy Topic: Information Technology
Administering Office: Office of the CIO

I. Policy Statement

Western Carolina University ("University" or "WCU") is committed to protecting the privacy and security of the confidential and personally identifiable information (PII) of our constituents. Furthermore, there are various regulations requiring that we do so. The purpose of this policy is to establish the requirements to fulfill our obligations to the relevant regulations by following our Identity Theft Prevention Program as well as other related university policies and procedures.

II. Scope

All employees (faculty and staff), contractors or entities that are using the University's information technology resources, whether located on or off-campus, whether University-owned or contracted for use by the University, in a non-student capacity.

III. Definitions

“PII” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to: name; address; telephone number; social security number; date of birth; government-issued driver’s license or identification number; alien registration number; government passport number; employer or taxpayer identification number; or bank or other financial account routing code.

“Identity Theft” means a fraud committed or attempted using the PII of another person without authority.

IV. Protecting the Privacy of PII

Risks to privacy arise as a by-product of authorized processing of the data we collect. WCU shall reasonably limit the collection of PII to the minimum that is relevant, proportional, and necessary for the identified purposes. It is our policy to limit our processing and sharing of the data we collect to the purposes it was collected for and other legal or regulatory requirements.

Additionally, the federal government, individual states and other countries have enacted legislation placing controls on the collection, processing and transmission of PII to protect privacy. It is the responsibility of the data stewards and their designees to understand applicable regulations (see partial list below under Related Regulations) and approve the processing or transmission of PII.

A. Use of Collected PII

WCU uses information collected only for stated, implied, or legal purposes. WCU will protect student, medical, and other protected records as required by applicable law, contract, and University policy. To maintain its compliance with federal and state legislation, WCU retains the right to release both personally identifiable and aggregate information to state and federal agencies as required.

B. Sharing PII with Third Parties

WCU works with many vendors and contractors who assist the University with its day-to-day affairs. Personal information provided to WCU or which the University automatically collects is used or shared with these organizations for the express purposes for which the information was collected. University vendors and contractors are only permitted to use personal information for the express purposes permitted in their agreements with the University. Otherwise, personal information is not released to third parties unless permitted by applicable law, including in instances where the information needs to be disclosed to protect the safety and security of the University community or University property, or where the University is legally compelled by law or judicial order.

C. Public Record Disclosure Requirements

As a public institution, and instrumentality of the State of North Carolina, WCU is subject to the NC Public Records laws. This means that records, in all forms including email, provided to the University are subject to public disclosure, unless the record is designated by law as confidential or not a public record. Some examples of confidential records include education records of students; personnel records of employees; medical records; law enforcement records; research data, records, or information of a proprietary nature; and information received by the University deemed as trade secrets and marked “confidential.”

D. Maintenance and Retention of PII

Records created by and submitted to WCU are maintained and destroyed according to requirements under the state laws of North Carolina, as well as federal laws and institutional policies.

WCU shall ensure that PII is as accurate, complete, and up-to-date as is necessary for the purposes for which it is processed, throughout the life cycle of the PII. The University shall minimize inaccuracies in the PII it processes. Constituents may request that inaccurate PII be corrected by utilizing the process outlined in Section VII of University Policy 3: Information Privacy.

V. Protecting the Security of PII

Risks to the security of PII arise from unauthorized activities that may jeopardize the confidentiality or integrity of the data. To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online. All individuals and entities that fall under the scope of this policy must follow the requirements set forth in the University’s Identity Theft Prevention Program and Data Handling Procedures.

VI. Penalties

Willful inappropriate access to or disclosure of data may result in appropriate disciplinary action, up to and including dismissal, or legal action being taken.

Liability for the willful inappropriate access to or disclosure of data may, in certain circumstances, rest with the individual and not the institution.

VII. Related Policies and Resources

VII. Related Regulations

  • FTC Red Flags Rule (Detection, Prevention, and Mitigation of Identity Theft)
  • FTC Safeguards Rule related to GLBA (Standards for Safeguarding Customer Information)
  • Family Education Rights and Privacy Act (FERPA)