|Responsible University Administrator:||Vice President for Finance and Administration|
|Responsible Officer:||Chief Information Officer|
|Current Revision Date:||04/12/16|
|Next Review Date:||04/12/20|
|End of Policy Date:||N/A|
This policy is required for the effective communication of university policies and practices regarding information privacy and to assist individuals in protecting their privacy.
All members of The University of Southern Mississippi community.
|official university components||Colleges, departments, divisions, administrative units, researchers or other units and any other areas specifically designated as official by the Institutions of Higher Learning (IHL), the President of Southern Miss, or the Provost or a Vice President personally identifiable information (PII).|
The university has adopted the following privacy policies and practices for any and all parts of Southern Miss where personally identifiable information (PII) in any format is created, received, maintained and transmitted. Privacy and public records obligations of the university are governed by applicable Mississippi statutes and U.S. federal laws. This Privacy Statement speaks generally to the information created, received, maintained and transmitted by and to official University of Southern Miss components. However, the amounts and types of information will vary from site to site within the University.
PERSONALLY IDENTIFIABLE INFORMATION (PII)
Personally Identifiable Information (PII) is considered sensitive information that can be used, either alone or in conjunction with other information, to identify a specific individual. For the purposes of this Southern Miss Information Privacy Statement, this information is divided into two categories: Moderately Sensitive and Highly Sensitive.
1. Moderately Sensitive: information that is generally available publicly and/or information that may have been provided by the individual. This information is typically referred to as Directory Information (DI). The University will never knowingly provide DI to any requester for commercial purposes. Individuals may request the university not release DI; however, the consequences of that action should be considered before making that request, such as:
Enrollment may not be verified to any outside source such as potential employers, colleges, universities or medical insurance companies.
Information will not appear in any official university publications distributed to the public, such as a commencement program.
Information will not be provided to the media when releasing academic recognition announcements (President's List or Dean's List).
This is the same and only information that is authorized to be released for faculty and staff without the express approval of the University Communications Office.
The following items are included in Moderately Sensitive information and are subject to public disclosure in accordance with the Family Educational Rights and Privacy Act of 1974:
Dates of attendance
Previous institutions attended
Participation in university-recognized organizations and activities
Weight and height of athletic team member
Honors and awards
Unique electronic identification number (including, without limitation, student identification number (emplid, for instance), address, or routing code)
2. Highly Sensitive: information that is NOT generally available publicly. This information may have been provided by you when you filled out a registration or other form. This information is generally stored and transmitted in encrypted format to minimize the possibility of unintended disclosure. This information in combination with Moderately Sensitive information can be used to specifically identify an individual and is never disclosed by the university without permission from the individual and/or a rigid agreement that extends the protection of the information from potential disclosure or an order from a court of competent jurisdiction.
1. Names and Numbers:
Social security number
Date of birth
Mother's maiden name
Official state-issued or U.S.-issued driver's license or identification number
Alien registration number
Government passport number
Employer or taxpayer identification number
Medicaid or food stamp account number
Bank account number
Credit or debit card number
Personal identification number or code assigned to the holder of a debit card by the issuer to permit authorized electronic use of such card
2. Unique biometric data, such as fingerprint, voiceprint, retina or iris image or other unique physical representation
3. Medical records
4. Telecommunication identifying information or bulk records (SOAR, SOARFIN, email)
5. Other number or information that can be used to access a person's financial resources
THE INFORMATION WE COLLECT
When you contact official Southern Miss components, certain client information may be collected. No information is collected unless you deliberately provide it to us (for example, by leaving your name and telephone number, by completing a university form, or by clicking a web-link to send us an email). Examples of the information you might choose to give us are listed below:
Your name, address, telephone number and email address
Names, addresses, telephone numbers and email addresses of family members and/or friends
Your date of birth, ethnicity, gender and country of origin
Your height, weight, hair and eye color and blood type
Your academic history, including schools attended, grades received and test scores
Your financial profile, including income and assets
Your employment history, including previous employers and duties
Credit or debit card and bank account information for yourself and others
Your criminal history, including convictions, time served and probation status.
THE WAY WE USE INFORMATION
As a general rule, Southern Miss maintains various types of records for individuals based upon their association with the university. We also analyze aggregate information for resource management and planning purposes. Southern Miss reserves the right to use information details about individuals to investigate its resource management or security concerns.
Personally identifiable information is used to accurately compile, store and retrieve an individual's records; to place and track individuals appropriately for academic purposes, and to award academic degrees and honors; to properly employ individuals and compensate them for their work; to correctly diagnose and medically treat individuals; to respond appropriately (or in a personalized format) to individuals' requests for services; and to improve the university's services and products.
Under Mississippi's Public Records Law, most records in our possession are subject to inspection by or disclosure to members of the public upon their request. Information must be retained according to applicable federal and state laws, and must be available for inspection, unless otherwise exempt from the Public Records Law.
We use the information you provide about yourself or about someone else when placing a request for service only to complete that order or request. To enhance the educational experience we do share this data with third parties, within the requirements of state and federal statute, with approval of the University President. We generally use return addresses, telephone numbers and email addresses only to answer the communications we receive. Such addresses are generally not used for any other purpose and by university and state policy are not shared with outside parties, except in accordance with Public Record Laws.
PROVIDING INFORMATION IS YOUR CHOICE
Most of the services and products available to you require essential relevant information to be collected from you. While there is no legal requirement for you to provide some information to us, state and federal law require certain information, which may be requested.
OUR COMMITMENT TO DATA SECURITY
The University of Southern Miss is dedicated to preventing unauthorized information access, maintaining information accuracy, and ensuring the appropriate use of information. We strive to put in place appropriate physical, electronic and managerial safeguards to secure the information we collect in all formats: on paper, electronically and verbally. These security practices are consistent with the policies of the university and with the laws and regulatory practices of the state of Mississippi and multiple federal agencies.
THIRD PARTY PROVIDER ACCESS TO STUDENT DATA
Any personally identifiable information (or PII) from students’ education records that a third party provider receives under FERPA’s university official exception may only be used for the specific purpose for which it was disclosed (i.e., to perform the outsourced institutional service or function, and the university must have direct control over the use and maintenance of the PII by the third party provider receiving the PII). Further, under FERPA’s university official exception, the third party provider may not share (or sell) FERPA-protected information, or re-use it for any other purposes, except as directed by the university and as permitted by FERPA. Additionally, the following must be adhered to:
Educational Purpose: Third party providers collect, use, or share student PII only for educational and related purposes for which they were engaged or directed by the university, in accordance with applicable state and federal laws.
Transparency: Third party providers disclose in contracts and/or privacy policies what types of student PII are collected directly from students, and for what purposes this information is used or shared with third parties.
Authorization: Third party providers collect, use, or share student PII only in accordance with the provisions of their privacy policies and contracts with the university, or with the consent of students or parents as authorized by law, or as otherwise directed by the university or required by law.
Security: Third party providers have in place security policies and procedures reasonably designed to protect personal student information against risks such as unauthorized access or use, or unintended or inappropriate destruction, modification, or disclosure.
Data Breach Notification: Third party providers have in place reasonable policies and procedures in the case of actual data breaches, including procedures to both notify the university, and as appropriate, to coordinate with the university to support their notification of affected individuals, students and families when there is a substantial risk of harm from the breach or a legal duty to provide notification.
HOW TO CONTACT US
Should you have other questions or concerns about these privacy policies and practices, please call the Office of CIO at (601) 266-4190. You may contact the University Technology Security Officer at (601) 266-5587 or email InfoSecFREEMississippi. If you wish to review or change information about you that you provided to an official University of Southern Miss component but you do not know how, the University Technology Security Privacy Officer will assist in locating the persons responsible for that area so that you may make your request directly to them.
The Chief Information Officer is responsible for the review of this policy every four years (or whenever circumstances require immediate review).
Amendments: Month, Day, Year – summary of changes
10/23/09: Posted to website.
Amendments: January 13, 2016 - Third Party Provider Access to Student Data