Reporting Privacy Breach & Information Incidents
What should you do if you become aware of a privacy breach or information incident?
Any incident which involves the unauthorized disclosure, acquisition or breach of the University’s data, maintained in an electronic form or medium, is considered an information incident and must be reported immediately to the Chief Compliance Officer and/or the Chief Information Security Officer. It is important to remember that not all incidents are privacy breaches.
Any incident which involves the unauthorized disclosure, acquisition, or breach of information – whether on paper, electronically, or verbally – which the University is obligated to maintain private and confidential, e.g., Social Security numbers, student education records and patient identifiable health information, is considered a privacy breach and must be reported to the Chief Compliance Officer and/or the Chief Information Security Officer as soon as possible, but no more than 24 hours after discovery.
Personal information about an individual that the individual can reasonably expect will not be made available to the public. This type of information includes personally identifiable information (a category of private information regulated by federal and state laws), as well as other non-public private information that would adversely impact an individual if inappropriately used or disclosed.
The Chief Compliance Officer works in close collaboration with the Chief Information Security Officer in assessing the viability and strength of the administrative, physical and technical safeguards in place to secure personally identifiable information in all formats: on paper, electronically, and verbally.