Selected Privacy and Confidentiality Regulations

Described briefly, below, are some of the privacy regulations most relevant to campus online activities.

Information Practices Act (IPA)

This State of California law governs certain public entities, including the University of California. Some basic provisions include:

  • Except for certain explicit exceptions, personal information maintained about an individual may not be disclosed without the person's consent.
  • Before personal information is collected the entity must explain:
    • why it's being collected;
    • how it will be used;
    • whether providing it is mandatory or voluntary.
  • Individuals have access to certain types of information collected about themselves and a statement to this effect must be given to individuals from whom the entity collects personal information.
  • Individuals' names and addresses cannot be sold, rented, or leased.
  • California residents must be notified regarding any breach to the security of a computing system where there is a reasonable belief that an unauthorized person has acquired their unencrypted personal information.

Campus employee regulations

The online processing of employee-related data expands previous, paper-based, opportunities to access and exploit employee information, some of which is protected by the IPA.

Berkeley Campus employment policies and contracts include sections on confidentiality that govern the administration of various types of employee-related information. For example, the Academic Personnel Manual (APM) defines records that are public versus those that are not. See APM §160.

Family Educational Rights and Privacy Act (FERPA)

This federal law pertains to student records. Some basic provisions include:

  • A student's educational records may not be released without the student's consent.
  • The campus may choose certain types of information listed in FERPA and designates it as "directory information" which may be published. However, students must be given the means to elect to keep directory information about themselves confidential.
  • A student has the right to access his or her educational records.
  • A students has the right to correct his or her records and recourse for this purpose must be provided.

Campus websites such as faculty websites, course websites, organization websites, and any others that include student information must comply with FERPA requirements. For example, any student information that is confidential must be redacted from published course records.

FERPA is implemented for the Berkeley Campus by the Berkeley Campus Policy Governing Disclosure of Information from Student Records.

Public Records Act (PRA)

This State of California law provides that every person has a right to inspect any public record, with specified exceptions. A University Electronic Communications Record is a public record:

whether or not any of the electronic communications resources utilized to create, send, forward, reply to, transmit, distribute, broadcast, store, hold, copy, download, display, view, read, or print the electronic communications record are owned by the University. (See Appendix A of the University of California Electronic Communications Policy.)

Campus online service providers must have procedures for making their records available in accordance with any requests under the PRA, other laws, or as a result of litigation.

Records management and disposition schedules

Campus electronic records must be retained in accordance with applicable retention policies, as specified in the University of California Business and Finance Bulletin RMP-2 "Records retention and disposition: principles, processes, and guidelines".

Business and Finance Bulletin RMP-8, Legal Requirements on privacy of and access to information

The University of California Business and Finance Bulletin RMP-8 provides guidelines for the collection and use of information that personally identifies an individual, in conformance with federal and state law. RMP-8 guidelines apply to information collected and disseminated by electronic means just as they do to records stored on paper and other media.

Electronic Communications Policy (ECP)

The University of California Electronic Communications Policy (ECP) addresses many privacy and confidentiality topics, including:

  • Notification regarding personally identifiable information: Section IV.C.1.c. Electronically Gathered Data requires that, except when otherwise provided by law, users of University electronic communications systems and services shall be informed whenever personally identifiable information other than transactional information will be collected and stored automatically by the system or service.
  • Non-Consensual Access: Section IV. Privacy and Confidentiality states that the University does not examine or disclose electronic communications records without the holder's consent. Nonetheless, subject to the requirements for authorization, notification, and other conditions specified in this Policy, the University may examine or disclose electronic communications under very limited circumstances as described in Section IV.B. Access Without Consent:
    1. when required by and consistent with law;
    2. when there is substantiated reason to believe that violations of law or of University policies … have taken place;
    3. when there are compelling circumstances; or
    4. under time-dependent, critical operational circumstances.

    The ECP defines the terms used in these provisions in its Appendix A: Definitions.

    For local procedures and a sample request form see: Approval for Accessing Berkeley Campus Electronic Communications.

  • Privileged Access by System Administrators: The ECP discusses in detail the circumstances when service providers may occasionally observe the contents of electronic communications during the performance of their duties (section IV.C. Privacy Limits, 2.b. "System Monitoring"):

    University employees who operate and support electronic communications resources regularly monitor transmissions for the purpose of ensuring reliability and security of University electronic communications resources and services (see Section V.B, Security Practices), and in that process might observe certain transactional information or the contents of electronic communications. Except as provided elsewhere in this Policy or by law, they are not permitted to seek out transactional information or contents when not germane to system operations and support, or to disclose or otherwise use what they have observed. In the process of such monitoring, any unavoidable examination of electronic communications (including transactional information) shall be limited to the least invasive degree of inspection required to perform such duties. This exception does not exempt systems personnel from the prohibition (see Section IV.A, Introduction) against disclosure of personal or confidential information. Except as provided above, systems personnel shall not intentionally search the contents of electronic communications or transactional information for violations of law or policy. However, if in the course of their duties systems personnel inadvertently discover or suspect improper governmental activity (including violations of law or University policy), reporting of such violations shall be consistent with the Policy on Reporting and Investigating Allegations of Suspected Improper Governmental Activities [PDF] (the "Whistleblower Policy").

    (Also see the Model Privileged Access Agreement produced by IST, which may be adapted for use by campus departments.) The ECP Attachment 2: "Implementation Guidelines", section III.B. Privacy Protections and Limits, 4. "System Monitoring", further clarifies that "… automated inspection of electronic communications in order to protect the integrity and reliability of University electronic communications resources does not constitute nonconsensual access".

Health Insurance Portability and Accountability Act (HIPAA)

This federal law was enacted to protect the security and confidentiality of "electronic health information". It exempts FERPA records and student health care records. The University of California has determined that the UC system will act as a single entity for HIPAA compliance. A University-wide task force provides guidance and legal counsel for HIPAA issues. See:

Gramm-Leach-Bliley (G-L-B) Act

(Financial Services Modernization Act of 1999). This Federal Law was enacted to protect consumers' personal financial information. The UC Information Security Program is designed to ensure University compliance with the Gramm-Leach-Bliley (G-L-B) Act, and specifically with the G-L-B Safeguarding Rule issued by the Federal Trade Commission.

Campus mailing list regulations

Campus mailing list managers must provide the means for subscribers to find out what level of privacy protection is normally available for addressee names included on the list. List managers also must advise their list members that despite whatever settings are in place for normal access to list information, a public records request pertaining to the business of the University, or other legal instrument such as a subpoena in connection with a criminal investigation, could result in disclosure of list membership information. (A suggested notification statement, as well as other campus mailing list policy provisions, are included in the Mass Mailing section on "Campus Online Activities Policy".)

Fair Credit Reporting Act (FCRA)

This federal law limits the transfer or sharing of information related to a person's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, unless directly being used in establishing credit, insurance, or employment. It does not apply to information solely related to transactions or experience between a consumer and the person making the report, but only to sharing or transfer of information between agencies.

Children's Online Privacy Protection Act (COPPA)

This federal law is intended to place parents in control over what information is collected online from children under 13 years old. It pertains to operators of general audience websites who have actual knowledge that they collect children's personal information. COPPA does not apply to collection of anonymous or aggregate (non personally-identifiable) information.