Regulation Number: 1.0103

Policies on Restricted Data

Category: Compliance and Ethics

Responsible Office: Chief Compliance, Ethics, and Privacy Officer

REGULATIONS OF THE

UNIVERSITY OF FLORIDA

1.0103 Policies on Restricted Data.

(1)     As part of its educational mission, the University of Florida acquires, develops and maintains restricted data. For the purposes of this regulation, the term “restricted data” is defined as data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. The collection and use of restricted data are intended for University-related purposes, including but not limited to direct and indirect support of the University’s education, research and service missions, and University administrative functions. The following policies, available at the University Privacy Office or privacy website, http://privacy.ufl.edu/pandp.html, apply to all users of University restricted data, whether affiliated with the University or not:

(a)     Information Privacy Statement

(b)     Online/Internet Privacy Statement

(2)     All faculty, staff, students or other persons (such as University appointees or volunteers) who collect, develop, use, maintain or manage restricted data, whether on University property or at other locations, must adhere to the following requirements:

(a)     Restricted data shall be secured from unauthorized access to protect the data from damage, loss, alternation, tampering and fraudulent use.

1.       Users of restricted data shall implement appropriate administrative, technical and physical safeguards to maintain the privacy and security of restricted data.

2.       Users of restricted data shall implement methods for the storage, retention and disposal, (under the University of Florida Records Retention Policy) of restricted data.

(b)     The University of Florida will review and attempt to resolve complaints and confirmed incidents of restricted data breaches, including without limitation, privacy laws, this regulation and other University privacy regulations and policies.

1.      Any such complaints and suspected incidents may be reported to the Privacy Office at PO Box 103175, Gainesville, FL 32610-3175, 352-294-8720, privacy@ufl.edu. If an incident must be reported under applicable law, including but not limited to Health Insurance Portability and Accountability Act (HIPAA) and Red Flag regulations (social security, driver’s license, passport, bank account, alien registration, taxpayer identification and credit card numbers), the incident shall be reported to the Privacy Office when discovered.

2.     If evidence of a violation is found, disciplinary action may be taken.

Authority: BOG Regulation 1.001.

History: New 3-17-11; Amended 3-23-18 (technical changes only).