Privacy Policy

Data decisions are based on policy and pillars

The privacy team works with data stewards, governance, and data authorities to inform and advise their data use decisions. We create awareness of privacy considerations for units and university stakeholders and connect individuals to appropriate compliance and legal advisers to aid them in meeting good privacy practices and regulatory compliance.

University Privacy Policies

Terms to Know

Commonly used privacy acronyms and their meanings: 

  • PI – Personal Information
  • PII – Personally Identifiable Information
  • NPI – Nonpublic Personal Information
  • SPI – Sensitive Personal Information
  • DPIA – Data Protection Impact Assessment
  • TIA – Transfer Impact Assessment
  • DSAR – Data Subject Access Request
  • PbD – Privacy by Design
  • PIA – Privacy Impact Assessment
  • PIQ – Privacy Impact Questionnaire

Privacy Principles

We are guided by three Privacy Pillars:  

  • Trust – Individuals should be able to trust that the university handles their data with the utmost care and protection.
  • Transparency – Individuals should be notified of and understand how the University collects personal data, and for what processing purpose(s) the data is collected.
  • Consent – Individuals should be able to freely consent or withdraw consent wherever practical, and especially when consent is used as the legal basis for collecting and processing personal data.

What’s Behind the Privacy Principles?

The Privacy Pillars are based upon the Organization for Economic Cooperation and Development's (OECD) eight Fair Information Practice Principles (FIPPs). Summarized, these principles are:

  1. Collection Limitation: There should be limits to the collection of personal data, and it should be lawfully obtained.
  2. Data Quality: Personal data collected should be relevant to the purposes for which it is collected and should be accurate, complete, and kept up to date.
  3. Purpose Specification: The purposes for collecting personal data should be specified at the time of data collection.
  4. Use Limitation: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law.
  5. Security Safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
  6. Openness: There should be a general policy of openness about the existence and nature of personal data, and the main purposes of its use.
  7. Individual Participation: Individuals should have the right to obtain data relating to them within a reasonable time, and to request that data be erased, rectified, completed, or amended as appropriate.
  8. Accountability: A data controller should be held accountable for complying with the principles stated above.

Privacy by Design (PbD)

Collecting personal data brings added responsibilities, which can increase requirements, overhead, and maintenance costs for new initiatives. Privacy by Design (PbD) is a framework that can be used to reduce project costs and risks while improving default privacy offerings. PbD involves thinking about data throughout its entire lifespan – from collection through destruction. Our team can help you develop plans that consider:

  • Data minimization & purpose limitation: Is collecting personal data a requirement for a new offering, or can you reach the same or similar outcomes without collecting data or by using anonymized data? If anonymized data will not meet business requirements, is it possible to limit the amount of data collected? Can the principles of least access and separation of duties minimize access to data? Consider evaluating policies around user access review.
  • Full lifecycle protection: How will data that is collected be protected throughout its full lifecycle? Personal data must be encrypted at rest and in flight, but don't forget to encrypt snapshots and backups as well, and limit writing PII to log files. Consider whether there might be secondary, downstream uses of user data. Keep in mind how long user data can or should be retained per contractual, legal, and business requirements.
  • Positive-sum, not zero-sum: Could a high standard for privacy result in a competitive advantage and distinguish your offering from similar competing efforts? Would enhancing your default privacy settings also improve your information security posture? Could offering high standards for privacy unlock partnerships with our peers, especially internationally where some countries have stricter privacy regulations?
[Figure: Data Lifecycle, starting with Collection of data, followed by Use, Disclosure, Retention, and Destruction.]

Privacy Regulations

  • FERPA: Student records are protected under the Family Education Rights and Privacy Act (FERPA). The Office of the Registrar manages student record privacy. FERPA – Office of the Registrar
  • FOIA: External Relations and Communications at the System Offices processes all Freedom of Information requests to the University of Illinois System or any of the three universities. The Illinois Freedom of Information Act (FOIA) provides public access to government documents and records. FOIA – University of Illinois
  • GDPR: Data privacy laws issued by the European Commission, also known as the General Data Protection Regulation (GDPR), govern data collected from individuals located in the European Union. GDPR – University of Illinois
  • HIPAA: The Health Information Portability and Accountability Act (HIPAA) protects health information. The University President is responsible for the University's HIPAA compliance program. The University-wide Privacy and Security Compliance Council, also known as the HIPAA Subcommittee of the University Information Privacy and Security Committee, is a key part of the President's oversight effort. HIPAA – University of Illinois System
  • IPA: The Identity Protection Act (5 ILCS 179) (IPA) is an Illinois state law that governs the collection and use of Social Security Numbers (SSNs) by state and local government agencies. It prohibits certain uses of SSNs, creates collection and protection requirements, and requires state agencies, such as the University of Illinois, to enact policy for public view and for employees working with SSNs. IPA – University of Illinois System
  • PIPA: Whenever a breach of the security of the data collector's system data occurs, the Personal Information Protection Act (PIPA) specifically requires public universities, such as the University of Illinois, and other data collectors to notify affected individuals. PIPA – UIUC
  • PIPL: The University of Illinois Supplemental Privacy Notice – Personal Information Protection Law ("Supplemental Notice – PIPL") supplements the University of Illinois System Privacy Statement for certain individuals in the People's Republic of China ("PRC"). PIPL – University of Illinois