Privacy Complaints
ISPP-27
About This Policy
- Effective Date:
- 11-02-2012
- Date of Last Review/Update:
- 10-30-2012
- Responsible University Office:
- Information Policy Office
- Responsible University Administrator:
- Office of the Vice President for Information Technology & Chief Information Officer
- Policy Contact:
- University Information Policy Office, uipo@iu.edu
- Policy Feedback:
- If you have comments or questions about this policy, let us know with the policy feedback form.
Scope
This policy applies to all:
- information privacy concerns related to personally identifiable information – whether in printed, verbal, or electronic form – created, collected, stored, manipulated, transmitted or otherwise used in the pursuit of Indiana University's mission that the university is obligated to address pursuant to applicable IU policy or law.
- physical privacy concerns within buildings or on grounds that are owned and controlled - via leases or other contractual arrangements - by Indiana University (IU or university), and whose operations are controlled by Indiana University (facilities) that the university is obligated to address pursuant to applicable IU policy or law.
Policy Statement
IU will receive, evaluate, and respond to complaints regarding IU’s privacy practices. The process for addressing such complaints may vary depending on the nature of the complaint and whether there are, for example, external regulatory compliance demands or not. The process for addressing such complaints will adhere to the following general principles.
The university will not require an individual to waive his or her right to file a privacy complaint with governmental officials as a condition of providing services.
Individuals will not be subject to acts of retaliation for filing a privacy-related complaint or engaging in other such protected activities, consistent with applicable federal and state laws as well as university policy.
The university will cooperate with government officials who receive and investigate privacy complaints regarding IU’s policies, procedures or practices as they relate to compliance with applicable law.
Nothing in this policy is meant to be, nor shall it be construed to be, inconsistent with applicable university policy, state, or federal law.
Reason for Policy
Indiana University has adopted privacy-related policies and procedures applicable to all members of the university community and strives to implement safeguards to address privacy issues consistent with the university mission and environment, applicable legal requirements and professional standards, generally accepted privacy norms, and available resources.
The purpose of this policy is to outline Indiana University's approach to providing a mechanism for individuals to submit complaints regarding IU’s privacy practices. The policy also describes how the university will address such complaints.
Procedures
Notice
Where required by law or regulation, the university will inform individuals, through the method stipulated in the law, of their right to make a privacy complaint to IU and/or applicable government or regulatory officials.
Submitting Complaints
Complaints may be submitted regarding any of the following areas: (i) IU’s privacy policies and procedures; (ii) compliance with those policies and procedures; (iii) concerns related to the use, disclosure and protection of personally identifiable information; or (iv) concerns related to physical privacy. All such complaints must contain a brief description of the surrounding circumstances as well as the alleged violation of policy, procedure or legal requirement.
Individuals are encouraged to work directly with the management of the unit where the privacy concern is experienced. If the response by the unit is not satisfactory, individuals may report privacy complaints to the most relevant IU privacy official for the type of complaint; however, when in doubt as to which is the most relevant, complaints may be submitted to any of the university’s privacy officials. The receiving privacy official will transfer the complaint to the most relevant official as appropriate.
- For complaints relating to student education records and/or FERPA-related issues, submit to the Registrar for the campus involved. See: How do I contact the Office of the Registrar at each IU campus? for a listing.
- For complaints relating to health sciences and/or patient care and/or HIPAA-related issues, submit to the HIPAA Privacy Officer for the IU School or unit involved. If it is unclear as to what School or unit is involved, or if multiple Schools or units are involved, submit to the University HIPAA Privacy Officer. See HIPAA Compliance Contacts for a listing.
- For physical privacy complaints, report to the unit, School, or campus facilities management office involved.
- For privacy complaints relating to human subjects research, please contact the appropriate IU Institutional Review Board office (IRB).
- For privacy complaints when it is unclear as to the most relevant privacy official or area involved, or when multiple areas are involved, including those not relevant to the aforementioned privacy officials, report to the University Chief Privacy Officer at 812-855-8476 or privacy@iu.edu.
Definitions
- Critical Information
- See Policy DM-01.
- FERPA
- the Family Educational Rights and Privacy Act (FERPA), found at 20 U.S.C. §1232g, is a federal law that protects the privacy of student education records. It gives students rights to access their own education records and restricts the school’s disclosure of those records to others without the student’s permission, except in limited circumstances.
- HIPAA
- the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, is a Federal law that includes the HIPAA Privacy Rule, which establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. PHI includes information such as physician / psychologist notes, test results, genetic information, medical conditions, diagnoses, treatments, and medications. It also includes the HIPAA Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule.
- Information system
- a discrete set of information resources, procedures and/or techniques, organized or designed, for the classification, collection, accessing, use, processing, manipulation, maintenance, storage, retention, retrieval, display, sharing, disclosure, dissemination, transmission, or disposal of information. An information system can be as simple as a paper-based filing system or as complicated as a tiered electronic system.
- Privacy Complaint
- a concern or grievance regarding how personally identifiable information is used, disclosed or safeguarded, or concerning physical privacy.
- Privacy Official
- an individual designated as responsible for developing and implementing privacy policies and procedures and/or responding to privacy complaints for a sector at IU (e.g., FERPA, HIPAA, other privacy sector; or for the university as a whole).
- Personally Identifiable Information
- Information which can be used to distinguish or trace an individual's identity, such as name, Social Security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
- Individually identifiable information about an individual collected online, including: a first and last name; a residence or other physical address, including a street name and name of a city or town; an e-mail address; a telephone number; a Social Security number; or unique identifying information that an internet service provider or a government website operator collects, that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.
- Any information about an individual including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information which can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information, which is linked or linkable to an individual.
- Web Site Privacy Notice
- a public description of an organization's information management practices with respect to information collected by the organization's web site.
Sanctions
Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved, this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources, for more detail.
Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.
History
- Revised May 31, 2013 to update references.
- Approved November 2, 2012
- Revised March 14, 2012, June 28, 2012, August 30, 2012, and October 30, 2012.
- Last Edited February 24, 2012.
- Drafted Fall 2011.