Original Issuance Date: October 28, 2020
Last Revision Date: February 24, 2023
1. Purpose of Procedures
To establish standards for the handling, protection, and privacy of a Data Subject’s Personal Data throughout the University of Wisconsin (UW) System.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- Data Subject
- Personal Data
- Personal Identifiable Information (PII)
- Protected Health Information (PHI)
4. Procedures
A. Standard
- Notice of Collection of Personal Data
The purpose for which Personal Data is collected must be specified at, or prior to, the time of collection.
- Use of Personal Data
The use of Personal Data shall be limited to the purposes for which it was collected, as specified in 4.A.I. Only those with a legitimate business need to accomplish the institution’s mission are authorized to access, use, transmit, handle, retain, or receive Personal Data.
- Disclosure of Personal Data
Personal Data may only be disclosed to third parties with the consent of the Data Subject, or under the following conditions:
- Legal Requirements: Records may be released in response to a lawful subpoena, warrant, open records request, or court order or where such records could be required or authorized by law to be produced, or a lawful request for any other reason, including disclosure to a government agency.
- Authorized Persons: Records may be disclosed to UW System officials and authorized individuals performing work for them who require the information for the performance of their job duties.
- Protection of Interests: UW System officials may disclose information contained in records to protect its legal interest when those records may be related to the actions of a Data Subject that UW System reasonably believes may violate or has violated his/her conditions of employment or threaten injury to people or property.
- Emergencies: Information may be disclosed if, at the judgment of the designated data steward of such records, disclosure is necessary to protect the health, safety, or property of any person.
- Storage and Retention of Personal Data
UW System shall limit the storage and retention of Personal Data to that which is required to reasonably serve the institution’s academic, research, administrative functions, or other legally permitted purposes. Employees are prohibited from storing information containing Personal Data unless a specific business need exists to collect, maintain, and store the information.
5. Related Documents
Regent Policy Document 25-3 – Acceptable Use of Information Technology Resources
UW System Information Security Program
UW System Administrative Policy 1033, Information Security: Incident Response
UW System Administrative Policy 1040, Information Security: Privacy Policy
6. History
Revision 2: February 24, 2023
Revision 1: November 13, 2020
First approved: October 28, 2020