General Privacy Guidance

The Privacy Team in the Office of the CIO offers the following privacy-based recommendations that are applicable to most situations. To set up a consultation for a specific use case (e.g., research project, a new/renewed contract with a vendor, new processing activity, etc.), to request a complete privacy review or to ask questions about items on this webpage, contact the Privacy Team at privacy@illinois.edu.   

Definitions

Data Subject: The individual to whom personal information relates.
Data Processing: Any collection, use, storage, transfer, sharing, modification or disposition of data.
Personal Information: Information relating to an individual who is or can be identified by the information, either on its own or combined with other information.

Purpose specification & use limitation 

Data processing should always be restricted to the “need to know” principle – only process the data that is absolutely necessary to get the job done.  We recommend that units:  

  • Review proposed use cases and determine the specific purpose and the specific data required. Best practice is to restrict data collection and processing to the minimum needed to complete the use case.
    • e.g., Collect age ranges or birth year rather than full birth date  
  • Be consistent with notices provided to data subjects. If the data processing changes, updated notices should be provided.
  • Consult the Privacy Team to ensure no additional obligations are created from any processing changes.

Transparency & consent

Data subjects should be made aware of what is happening with their data. In order to provide this information to data subjects, units should follow these recommendations:  

  • Provide clear and accessible notice regarding creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of personally identifiable information (PII). 
  • Provide the ability to consent to the data collection and data processing by the unit. This consent must be: 
    • Clearly explained to the data subject  
    • Definitively granted by the data subject through an action (e.g., checking a box) 
    • Retained and managed by the unit 
    • As easy to remove as it was for the data subject to grant 
  • The Privacy Team can assist units with consent language and placement. 

Data lifecycle

Units should address and plan for how data is processed across the entire data lifecycle, from collection to disposition.

  • Collect and store only the required essential personal information to perform functions and processes. 
  • Identify the retention period applicable to the processing activity and schedule automatic deletion, de-identification, or anonymization where possible and in accordance with university policy. 
  • Visit the University’s Records Retention Schedules page for more information. 

Third Parties

The university works with many third parties. It is important that they adhere to university policies, practices and procedures. When working with third parties:

  • Access and disclosure of data subjects’ data should be based on the “need-to-know” principle. Third-party users should receive only the minimum amount of access required to perform their work. 
  • Establish robust data processing agreements or contracts with vendors and any sub-processors that clearly define the roles, responsibilities, and obligations for handling personal information. 

Generative Artificial Intelligence (GenAI) 

Generative AI should be closely managed by the unit. The Privacy Team hosts comprehensive Generative AI guidance on our website, but included below are some common items that apply to most situations involving Generative AI:  

Security

Proper security of data, and of the systems that process it, is critical for maintaining appropriate privacy for the data. You can receive help from the Governance, Risk, and Compliance (GRC) Team at digitalrisk@illinois.edu to better secure your data across the lifecycle.
Ways to improve data security include:

  • Implement a Single Sign-On (SSO) mechanism.  
    • If SSO integration is not feasible, then enforce robust password policies to enhance security, such as requiring regular password updates and utilizing multi-factor authentication. 
  • Use and maintain industry-standard encryption protocols and secure file transfer methods when transferring files containing personal information.  
  • Ensure that third-party servers and vendors meet security standards comparable to those required by the university.
  • Conduct regular security audits to identify vulnerabilities and mitigate potential risks.  

International data

Regulation and jurisdiction:
  • General Data Protection Regulation (GDPR): European Economic Area (EEA)
  • United Kingdom General Data Protection Regulation (UK GDPR): United Kingdom
  • Personal Information Protection Law (PIPL): Mainland China

Data Subject Rights: All three regulations grant individual data subjects several rights, including the ability to have their data deleted and/or corrected, to obtain a copy of their data, and to restrict its processing.
Locality: Data subjects must be located within the specific jurisdictions when the data is collected by or provided to the university in order for these regulations to apply. Any data that is collected by or provided to the university while the data subject is in another location (e.g., Illinois) is not covered by these regulations.
Privacy Team’s Compliance Requirements: The Privacy Team will require a Transfer Impact Assessment (TIA) to be completed by the vendor or outside organization. This TIA will aid in the development of documentation to support the appropriate contract. Contact the Privacy Team.

Laws & regulations to consider

Included below is a list of laws and regulations that are implicated by the use of personal data and should be considered by the unit to ensure full compliance, protect user rights, and promote ethical and responsible use of the data. This should not be considered an exhaustive list and the laws are not listed in any particular order.
  • Family Educational Rights and Privacy Act (FERPA): Any record that is “directly related” to a student and maintained by the University, or by a party acting for the University, is an “education record” subject to FERPA, and any data processing activity involving such a record is subject to FERPA. This also includes data the University has deemed “directory data.”
  • Health Information Portability and Accountability Act (HIPAA): A “covered entity” processing individually identifiable health information (IIHI) or Protected Health Information (PHI) must comply with HIPAA.  
  • General Data Protection Regulation (GDPR): Any data processing activity involving the personal data of individuals located in the European Economic Area is subject to GDPR. 
  • United Kingdom General Data Protection Regulation (UK GDPR): Any data processing activity involving the personal data of individuals located in United Kingdom is subject to UK GDPR. 
  • Privacy and Electronic Communications Regulations (PECR): This regulation sits alongside the Data Protection Act and the UK GDPR and gives people specific privacy rights in relation to electronic communications. 
  • China’s Personal Information Protection Law (PIPL): Any data processing activity involving the personal data of individuals physically located in Mainland China is subject to PIPL.
  • Illinois Personal Information Protection Act (PIPA): PIPA imposes certain obligations in the event of a breach involving enumerated categories of “personal information,” which could apply to university data.
  • Illinois Identity Protection Act (IPA): Illinois law imposes certain obligations regarding the handling of Social Security Numbers. 
  • Illinois School Student Records Act: Any data that individually identifies a student and is maintained by the University is a “school student record” subject to the School Student Records Act. 
  • Student Online Personal Protection Act (SOPPA): SOPPA is intended to ensure that student data will be protected when it is collected by educational technology companies and that the data may be used for beneficial purposes. 
  • Children’s Online Privacy Protection Rule (COPPA): COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age. 
  • Payment Card Industry Data Security Standard (PCI DSS): Information security standards for handling credit cards. 
  • Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA): The FTC considers higher education institutions to be “financial institutions” because they participate in financial activities related to Federal Student Aid.  
  • Security Rule of the Gramm-Leach-Bliley Act (GLBA): The Security Rule imposes obligations on how institutions collect, store, and use financial records (e.g., records regarding student tuition payments and/or financial aid) containing personally identifiable information.
  • Fair Credit Reporting Act (FCRA): The FCRA regulates the collection and use of consumer credit information and ensures the accuracy and privacy of credit reports. 
  • The Fair Housing Act: This act prohibits discrimination in housing transactions. 
  • Intellectual Property and Copyright: Copyright laws are applicable when using text, images, or other content in AI, especially Large Language Models. 
  • Web Content Accessibility Guidelines (WCAG): A set of guidelines for making web content accessible to all users, including individuals with disabilities.
  • Electronic Communications Privacy Act (ECPA): This act encompasses several statutes, including the Wiretap Act and the Stored Communications Act, which regulate wiretapping, interception of electronic communications, and access to stored electronic communications. 
  • Illinois Freedom of Information Act (FOIA): FOIA allows for the release of university records to individuals and/or the public, provided a request was made and approved. 
  • Title IX of the Education Amendments of 1972: Title IX prohibits sex discrimination in education programs and activities for institutions that receive federal financial assistance. 
  • Title VII of the Civil Rights Act of 1964: This act prohibits discrimination based on race, color, or national origin in the admission of educational and/or academic programs or activities receiving federal financial assistance. 
  • University of Illinois Copyright Policy: This policy protects university student and staff content created under Copyright Article III of the General Rules Concerning University Organization and Procedure.   
  • Genetic Information Nondiscrimination Act (GINA): GINA prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of individuals or their family members. 
  • Illinois’s Biometric Information Privacy Act (BIPA): This Illinois state law regulates the collection, storage, use, and dissemination of biometric information. This law does not apply to the University, but the University has made an effort to be compliant with BIPA regardless.