Policy Manual

Privacy Protections and Limits

Privacy protections

Personal Information: Both federal and state laws provide privacy protections for some information that identifies an individual.

Student Information: Users of electronic communications systems and resources shall not disclose information about students in violation of the federal Family Educational Rights and Privacy Act of 1974 (FERPA), and the University policies that provide guidance in meeting FERPA requirements.

Electronically Gathered Data: Except where otherwise provided by law, users of University electronic communications systems and resources shall be informed whenever personally identifiable information other than transactional information will be collected and stored automatically by the system or resource. In no case shall electronic communications that contain personally identifiable information about individuals, including data collected by the use of “cookies” or otherwise automatically gathered, be sold or distributed to third parties without the explicit permission of the individual. Any other distribution of such information shall be consistent with University policy.

Privacy limits

Public Records: Records of electronic communications pertaining to the business of the University, whether or not created or recorded on University equipment, are University records subject to disclosure under the Georgia Open Records Act, other laws, or as a result of litigation.

Possession of University Records: University employees are expected to comply with any University request for copies of records in their possession that pertain to the business of the University, or whose disclosure is required to comply with applicable laws, regardless of whether such records reside on University electronic communications resources.

Unavoidable Inspection: During the performance of their duties, personnel who operate and support electronic communications resources periodically need to monitor transmission or observe certain transactional information to ensure the proper functioning and security of University electronic communications resources and services. On these and other occasions, systems personnel might observe the contents of electronic communications. Except as provided elsewhere in University policy or by law, they are not permitted to seek out the contents or transactional information where not germane to the foregoing purposes, or disclose, or otherwise use what they have observed. Such unavoidable inspection of electronic communications is limited to the lowest level of invasive inspection required to perform such duties. This exception does not exempt systems personnel from the prohibition against disclosure of personal and confidential information, except insofar as such disclosure equates with good faith attempts to route an otherwise undeliverable electronic communication to its intended recipients.

Except as provided above, systems personnel shall not intentionally search electronic communications records or transactional information for violations of law or policy. However, as required by law or University policy, they shall report violations discovered inadvertently in the course of their duties.

Back-up Services: Operators of University electronic communications resources shall provide information about back-up procedures to users of those resources upon request.

Security

The University attempts to provide secure and reliable electronic communications resources. Operators of University electronic communications resources are expected to follow sound professional practices in providing for the security of electronic communications records, data, application programs, and systems under their jurisdiction based on the guidelines provided.

Security Mechanisms

Unless otherwise authorized by other provisions of University Policy, no person shall breach or attempt to breach any security mechanisms used by the University to protect electronic communications resources or facilities, or any records or messages associated with these resources or facilities.

Authentication

Electronic communications service providers shall maintain currency with technologies supported by the University and implement them in accordance with established policy.

Authorization

Service providers shall implement and employ authorization technologies commensurate with the security requirements of the service, application, or system.

Encryption

Transit: Electronic communications records shall be encrypted during transit across communications networks.

Storage: Records subject to disclosure under the Georgia Open Records Act or required to be accessible for defined periods of time to comply with policy or law shall be stored in an unencrypted format.

Recovery

Providers: University-wide electronic communications resources shall implement recovery practices adequate to ensure rapid recovery from security intrusions and service interruptions.

Audit

Providers of electronic communications resources shall implement and employ cost-effective audit technologies and practices to help identify security violators and speed up recovery from security violations. The use of such audit technologies and practices shall not conflict with other provisions of University policy.