Privacy Policy, General

PRINT DISCLAIMER: Official version of this document is accessible in the online policy library at https://policyoffice.ku.edu/. Printed copies may not reflect the most recent updates.

DOCUMENT TYPE:

Policy

PURPOSE:

To set forth requirements regarding information entrusted to the University by the public and members of the KU community.

APPLIES TO:

All units in their handling of data, information and records in any form (paper, digital text, images, audio, video, microfilm, etc.) created, collected, accessed, used, handled, stored, managed or disposed of during the course of conducting University business (administrative, financial, instruction, research or service).

CAMPUS:

Edwards, Lawrence, Juniper Gardens, Parsons, Salina, Topeka, Yoder

POLICY STATEMENT:

KU Commitment to Privacy

The University of Kansas is committed to safeguarding all Private Information entrusted to the University by the public and members of the KU community. This notice describes the University’s general privacy policy as it relates to the collection, protection and disclosure of such information. (Note: see the “Definitions” section below for the definition of “Private Information.”)

Collection and Protection of Information

Information may be collected in a variety of ways, paper or electronic, including but not limited to, Web sites, surveys, email, information requests, databases, etc., as required to support University activities.

Information collected, regardless of the method of collection or format, may be used only to carry out the authorized business of the University. The University shall make reasonable efforts to limit the Private Information it collects to only that information strictly relevant to accomplish a clearly defined institutional purpose.

Every unit is responsible for maintaining the necessary confidentiality, integrity and availability of the information it handles. Every unit is responsible for granting to assigned individuals within the unit the reasonable, minimum access to Private Information needed to accomplish the necessary institutional purposes. All University employees are required to abide by state and federal laws and University policies, procedures and guidelines regarding the handling and protection of Private Information.

Employees who become aware of a breach of the privacy or security of Private Information must report such breach immediately to the Information Services Customer Service Center at 864-8080. The Information Services Customer Service Center will notify the Office of the General Counsel and/or the KU IT Security Officer as required by the particular incident.

Additional University policies, procedures and guidelines apply to specific types of information. Further, individuals whose personal data the University collects, maintains, or processes are directed to review the supplementary Privacy Notice, provided in accordance with the European Union General Data Protection Regulation (GDPR).

Cookies

“Cookies” are small text files which are either used for the duration of a session (“session cookies”), or saved on a user’s computer or device in order to identify that user, or information about that user, the next time the user logs on to a website (“persistent cookies”). Users can manage cookies through their browser settings. University websites use cookies and similar technologies to improve functionality and performance of the sites and to understand the user experience, among other uses. By continuing to use University websites, users agree to the storing of cookies and related technologies on their computer or device until cookie expiration or deletion.

Disclosure of Information

Private Information may be disclosed only to the extent that is permitted or required by law. Disclosure must comply with applicable requirements regarding consent or authorization for disclosure.

Legally Mandated Disclosure of Information

The University may be required to release information, including Private Information, where required by state or federal law or upon receipt of a subpoena, search warrant or other court order.

KU Employee Privacy When Using University Resources

The University supports a climate of trust and respect. The University does not ordinarily read, monitor or screen employees’ routine use of information resources, except as necessary to maintain quality of service, to investigate a breach of security or misuse of University information resources or where required by law.

For additional information about the appropriate use of University resources, refer to the Acceptable Use Policy.

CONSEQUENCES:

Violations of this policy may result in disciplinary action, up to and including dismissal of employees. Employment actions will be conducted under the advice and guidance of Human Resources and the Office of the General Counsel.

CONTACT:

Information Services Customer Service Center
1001 Sunnyside Ave.
Lawrence, KS 66045
785-864-8080
itcsc@ku.edu

The Office of the General Counsel
245 Strong Hall
1450 Jayhawk Blvd.
Lawrence, KS 66045
785-864-3276
gencoun@ku.edu

KU IT Security Officer
1001 Sunnyside Ave.
Lawrence, KS 66045
785-864-9003
itsec@ku.edu

APPROVED BY:

Provost and Executive Vice Chancellor

APPROVED ON:

2007-10-30

EFFECTIVE ON:

2007-10-30

REVIEW CYCLE:

Annual (As Needed)

RELATED STATUTES, REGULATIONS, AND/OR POLICIES:

Student Records Policy

Information Technology Security Policy

Data Classification and Handling Policy

Data Classification and Handling Procedures Guide

Electronic Data Disposal Policy

Electronic Data Disposal Procedure

E-Commerce Policy

Password Policy

Acceptable Use of Electronic Information Resources

Procedures for Investigative Contact by Law Enforcement

Electronic Mail (Email) Policy

Gramm-Leach-Bliley Student Financial Information Security Program

RELATED OTHER:

Laws:

Family Educational Rights and Privacy Act (FERPA) and related guidance

Health Insurance Portability and Accountability Act (HIPAA) and HIPAA Fact Sheet

Gramm-Leach-Bliley Financial Services Modernization Act (GLB)

Electronic Communications Privacy Act (ECPA)

PATRIOT Act and the Department of Justice Highlights of the USA PATRIOT Act

Computer Fraud & Abuse Act

Kansas Open Records Act

Americans with Disabilities Act (ADA) and Information and Technical Assistance on ADA

European Union General Data Protection Regulation (GDPR)

DEFINITIONS:

Private Information: includes all information protected by state and/or federal law or that the University is contractually obligated to protect. Private Information also includes information designated by the University as private (confidential or sensitive) through the creation of standards, procedures and guidelines. Access to these data must be tightly monitored.

Examples of Private Information include, but are not limited to, the following:

  • Nondirectory student records as defined by FERPA and the University Student Records Policy
  • Financial aid and scholarship records
  • Individually identifiable personnel records
  • Personal information utilized to verify identity, including but not limited to Social Security numbers (SSN) and University ID numbers (KU ID)
  • Passwords and PINs
  • Digital signatures
  • Individually identifiable health information protected by state or federal law (including but not limited to “protected health information” as defined by the Health Insurance Portability and Accountability Act (HIPAA))
  • Individually identifiable information created and collected by research projects
  • Credit card numbers and financial transactions covered by the Payment Card Industry (PCI) Standard
  • Information resources with access to confidential or sensitive data
  • Information covered by nondisclosure agreements
  • Any information relating to an identified or identifiable person, or personal data, as defined in the GDPR

CHANGE HISTORY:

03/24/2025: Migration to TeamDynamix from Drupal.
09/20/2024: Updated Human Resource Management (HRM) to Human Resources (HR). 
01/26/2022: Added section regarding cookies.
05/29/2018: Updated link to European Union Data Protection Regulation.
05/25/2018: Updated to comply with European Union General Data Protection Regulation (GDPR).
05/30/2017: Fixed broken link.
01/09/2015: Policy formatting cleanup (e.g., bolding, spacing).
12/17/2014: Updated contact information, made technical edits related to formatting and hyperlinking of related documents.
04/06/2009: Reviewed for accuracy; no changes made.
10/30/2007: Approved by the Provost and Executive Vice Chancellor.
