Policies

4.35 Confidential Information

Purpose

This policy is intended to provide University of Northern Iowa (UNI) employees with a basic understanding of their responsibilities to protect and safeguard the Confidential Information to which they have access as a result of their employment. 

Policy

Security and confidentiality of Confidential Information is of the utmost importance at UNI. It is the responsibility of every employee to respect and maintain the security and confidentiality of Confidential Information.  A violation of this policy may result in disciplinary action.

For purposes of this policy, "Confidential Information" is defined as information disclosed to an individual employee or known to that employee as a consequence of the employee’s employment at UNI, and not generally known outside UNI, or is protected by law. Examples of “Confidential Information” include but are not limited to – student grades; financial aid information; social security numbers; payroll and personnel records; health information; self-restricted personal data; credit card information; information relating to intellectual property such as an invention or patent; research data; passwords and other IT-related information; and UNI financial and account information.  Individual offices, departments, or programs may have additional types or kinds of information that are considered “Confidential Information” and are covered by this policy. “Confidential Information” includes information in any form, such as written documents or records, or electronic data.

Each employee shall have the following responsibilities under this policy:

  1. During employment and after the termination of employment, an employee will hold all Confidential Information in trust and confidence, and will only use, access, store, or disclose Confidential Information, directly or indirectly, as appropriate in the performance of the employee’s duties for UNI.  An employee must comply with all applicable state and federal laws and UNI policies relating to access, use, and disclosure of Confidential Information, including but not limited to the Family Educational Rights and Privacy Act (FERPA); Health Insurance Portability and Accountability Act (HIPAA); Iowa Code section 22.7 (relating to confidential records); UNI policies 9.54 (Use of Computer Resources) and 13.12 (Policy on Use of Social Security Numbers); and Payment Card Industry (PCI) standards and related policies.  (Note: As necessary and appropriate, the Iowa Open Records law, Iowa Code Chapter 22, may apply to certain Confidential Information, but only within the specific parameters of the Iowa Open Records law.)
  2. An employee will not remove materials or property containing Confidential Information from the employee’s department or program area unless it is necessary in the performance of the person’s job duties.  Any and all such materials, property, and Confidential Information are the property of UNI.  If materials or property containing Confidential Information are removed from UNI, the employee must safeguard the materials/property and control access as necessary.  This responsibility to safeguard and control access to materials and property similarly applies to any telework/remote access situation as provided in UNI policy 4.26 Telework Policy <http://www.uni.edu/policies/426>.  Upon termination of any assignment or as requested by an employee’s supervisor, the employee will secure all such materials/property and copies thereof or return all such materials/property and copies to the employee’s supervisor or supervisor’s designee. 
  3. An employee will not seek to obtain any Confidential Information involving any matter which does not involve or relate to the person’s job duties.  Confidential Information or UNI records, documents, or other information may not be maliciously tampered with, altered, or destroyed.    
  4. In the case of a health or safety emergency, relevant Confidential Information may be disclosed as necessary to appropriate individuals, e.g., a counselor, UNI police, a supervisor, or the UNI Threat Assessment Team. 
  5. If an employee has any question relating to appropriate use or disclosure of Confidential Information, the employee shall consult with the employee’s supervisor or other appropriate University personnel. 
  6. Each employee must promptly report to the employee’s supervisor any known violation of this policy, other UNI confidentiality or privacy policies, or federal or State confidentiality or privacy laws, by the employee or a UNI student, faculty member or staff member. 

Enterprise Risk Management Council, approved September 26, 2011             

President’s Cabinet, approved August 6, 2012