Including a Privacy Statement on U Web Pages
Last Update: January 2014
Responsible University Officer:
- Vice President for Information Technology
- Vice President for Information Technology
- Updated: January 2014
- Primary Contact : Brian Dahlin
Printed on: . Please go to http://policy.umn.edu for the most current version of the Policy or related document.
The University respects the privacy of web site visitors to the extent permitted by law. University web sites must include a privacy statement notifying visitors of the information that the site collects. University web sites include:
- Official University sites
- Sites that collect online information from visitors
- Sites that track user actions
The privacy statement must be written to assure web site users that the University will:
- Inform visitors about information collected, its intended use, and options for using the site without providing such information.
- Follow laws governing the collection of online information.
- Notify visitors of their options concerning accessing information collected.
- Establish appropriate security measures for any personally identifiable information collected.
Units and individuals responsible for web sites must select the standard privacy statement included within this policy, if applicable, or develop a customized privacy statement.
Each page of the web site must display a link to a privacy statement, or display the statement itself.
The Institutional Review Board (IRB) is responsible for reviewing sites conducting web-based research.. The IRB develops its own guidelines for the use of web sites in research and applies those guidelines to research projects requiring IRB review.
REASON FOR POLICY
This policy requires University web sites to inform visitors about how their web site collects, uses and protects information voluntarily provided by the visitor and information collected by the web site. This policy complies with the Minnesota Government Data Practices Act - Minn. Stat. 13.01 et seq., which governs the notification of public and private information collected by public organizations.
There are no forms associated with this policy.
FREQUENTLY ASKED QUESTIONS
- For commercial reasons, our unit operates a web site with a .com address. Is this site subject to this policy?
Yes. Any site operated on the University network or by a University unit or using University resources must adhere to the policy, whether or not it is accessed through a umn.edu address. These sites typically require a custom privacy statement.
- Does this policy apply to web sites that are limited to only internal University use?
It applies to any web site that meets the three criteria described in the policy statement.
Office of General Counsel
- A verification that substantiates that a person is who the person says he or she is. For purposes of this policy, people are considered authenticated members of the University community if they have an Internet ID, and that they are able to prove that they know the password associated with that Internet ID listing.
- Data that a web site transfers to an individual's browser where they are stored and later returned to the site upon request. They allow sites to identify users within and across visits, to track usage patterns, and to more easily compile data on transactional information for individuals visiting web sites.
- Any means of identifying an individual, manual or automated. A process that enables recognition of an entity by an automated information system is usually accomplished through the use of unique machine-readable user names.
- Official University Web Site
- Web sites representing themselves as presenting information from a department or unit of the University.
- Online Information Collected From Visitors
- Any data typed into a web page by a visitor and collected and stored by the web site. For example the web page may have prompts for this information such as "enter your name" or input boxes. This definition does not include routine e-mail links to send comments for site improvement to the webmaster.
- Personally Identifiable
- Data or information that include (1) the name of the person or other family members; (2) the person's address; (3) a personal identifier such as a Social Security number, student ID number, e-mail address, telephone number, or other user number (4) a list of personal characteristics, or (5) other information that would make the person's identity easily traceable.
- Security Measures
- Processes, software, and/or hardware used by system and network administrators to assure confidentiality, integrity, and availability of computers, networks, and data belonging to the University and users of University computer and network resources. Security measures include monitoring of network traffic to detect security attacks, the automated or manual review of files for potential or actual security or policy violations, and the investigation of security-related issues.
- Transactional Information
- Information gathered as part of identifying, processing, and billing electronic communication including, but not limited to: electronic mail headers, summaries, and addresses; records of telephone calls; IP addresses; and URLs.
- University Community
- University faculty, staff, and students, as well as any others (e.g., alumni) are considered a part of the University community. The General Counsel may designate other members of the University Community.
- University Web Sites
- All sites on University networks, or using University resources, or residing within the University's "umn.edu" domain.
- Any authorized user of a web site. This may include members of the University community as well as the general public.
- Web Sites Tracking Visitor Actions
- Any web sites that use "cookies" or other technical means to store information about the visitors or visitor's actions. This definition includes either the routine information stored in server security logs (date and time of visit, internet address of the referring site, domain name and IP address) by almost all web sites.
- Chief Information Security Officer
- Maintain the versions of the online privacy statements within this policy.
- Department Head
- Select or develop an information collection and online privacy statement that fits the unit's web site. Determine which web pages are Official University pages.
- General Counsel
- Provide advice to Units on legal requirements for maintaining, securing, and releasing information collected from web visitors.
- Individual Web Site Operator/Administrator
- Post or link to an online privacy statement. Bring to the attention of the Department Head any web sites that should display the privacy statement.
- Web Site Visitor
- Be informed of your rights and responsibilities related to any personally identifiable information you provide.
- Board of Regents Policy: Student Records
- Administrative Policy: Internal Access to University Information
- Administrative Policy: Acceptable Use of Information Technology Resources
Other Related Information
- Information on Privacy in Research
- Minnesota Government Data Practices Act - MS. 13.01 et. seq.
- Health Insurance Portability and Accountability Act
- January 2014 - Enhanced the Online Privacy Statement, and provided instructions for developing a customized privacy statement. Improved the FAQ and made changes to the links.
- December 2003 - Updated Statement and Reason for Policy, Definitions, FAQ, and online privacy statement because of new provisions in Minn. Stat. 13.15. Title changed from Collecting Information From Visitors To U Web Sites (Online Privacy) to Including a Privacy Statement on U Web Pages.
- August 2001 - Deleted the word "Proposed" from Policy Title. Clarified Policy Statement.
- February 2001 - Updated Policy Statement, Contacts, Who Should Know, Definitions, Procedure, FAQ and appendices in response to feedback from the University Community.
- September 2001