I:03:05 Privacy of Information

 I. PURPOSE

The purpose of this policy is to establish principles to guide the evolution of Middle Tennessee State University (MTSU) community standards of information privacy. This is a first step to clarify the level and protection of information privacy that may be expected by students/potential students, University employees, and outside persons who have relationships with MTSU. This policy is intended to be flexible and independent of current definitions or concepts of technology and to rely on common sense and a culture supportive of mutual respect. While consideration has been given to the unique qualities of electronic information, this document reflects the reasoning that the core value of privacy is not confined to any information medium.

While recognizing that other MTSU policies address some privacy issues, primarily those based on federal and state laws, the objectives of this policy are to ensure that:

A. A sharper focus is given to the University’s values and beliefs related to information privacy.

B. The expectations for maintaining information privacy are provided for University employees and students.

C. Information privacy guidelines are provided for University employees and students.

 II. UNIVERSITY VALUES AND BELIEFS

Where discretionary considerations are possible, a balanced approach to resolving conflicts between privacy and other values must incorporate the perspectives of the University as an institution, the collective behavior of employees and students, and the protection of individual privacy.

A. Institutional Perspective: MTSU must not be unduly constrained with respect to administrative efficiency in the enforcement of policies related to information privacy. Considering the mission, internal control of information, and external mandates governing information collection and use, each organizational unit to which privacy issues are of concern is encouraged to develop related procedures. Where practical, the decentralization of responsibility and the encouragement of employee participation in the development of relevant division or department operating procedures is the preferred method of increasing the level of learning and trust regarding information privacy issues.

B. Ethical Stewardship as a Collective Responsibility: We are ethically obligated to respect the privacy of others and to adhere to a reasonable standard of conduct that supports this collective respect. For example, when employees gain unintentional access to information that a reasonable person would consider private, personal, or confidential, sensible actions are required, such as the notification of officials who are responsible for initiating corrective measures, or simply returning or forwarding the information to the intended recipient or owner.

C. The Individual’s Right to Know: While most employment-related records are public, even confidential records can be accessed under certain conditions. Therefore, information in any form should be presumed capable of acquisition by others for purposes not related to the original creation of that information. In most instances, employees of MTSU have a right to know when their individual records have been reviewed, subpoenaed by parties external to MTSU, or are under review by MTSU officials or administrators who do not manage the information as part of their official duties. In such instances where it is administratively practical, the employees should be notified by email, phone call or other means. Additionally, the Office of Human Resource Services will maintain records of all requests for employee public information when such requests are made by vendors or others for a business or commercial purpose. While most student-related records are private, even confidential records can be accessed under certain conditions. In most instances, students will be notified of the compliance with judicial order or subpoena by parties external to MTSU.

III. STUDENT AND EMPLOYEE RECORDS

A. Student Records: With regard to students’ educational records, MTSU adheres to the federal Family Educational Rights and Privacy Act of 1974 (“FERPA”). MTSU Policy III:00:01 Access to Educational Records and FERPA provide students with the right to inspect and review education records, the right to seek to amend these records, and to limit disclosure of information from the records.

1. The release of student information in any medium (including the internet), therefore, should be done only in accordance with FERPA and MTSU Policy III:00:01.

a. Students have the right to restrict release of directory information as outlined in MTSU Policy III:00:01.

b. Records are retained in accordance with Tennessee Board of Regents Guideline G-070 and the American Association of Collegiate Registrars and Admissions Officers (AACRAO) guidelines.

B. Employee Records: The Office of Human Resource Services maintains the official personnel files for the employees, except faculty. Official faculty personnel files are maintained in the Provost Office. See MTSU Policy IV:07:17 Personnel Records. With the exception of records that include medical information or other confidential information, all Human Resource Services information is public and accessibility is granted in compliance with MTSU Policy I:03:01 Public Records – Inspecting/Copying Public Records.

IV. WEB AND SOCIAL MEDIA SITES

MTSU respects the privacy of its students, employees, and other constituents and is committed to ensuring that any personal or confidential information that is collected is kept accurate and secure from unauthorized access. The University's campus homepage, and any other campus website linking to this page, does not collect personal information about visitors. MTSU may, however, use third party analytics services that may use browser cookies to anonymously collect and track site usage information. This information is then analyzed as an aggregate and no personally identifiable information is collected.

A. Scope: This section applies to the MTSU campus homepage and MTSU officially sponsored social media sites or groups, including http://www.mtsu.edu and any other official MTSU site. Since the MTSU web community consists of many websites, other websites may adopt more restrictive privacy and security statements as their specific needs require. The MTSU homepage, as well as other sites across campus, contain links to various external websites. The University is not responsible for the privacy and security practices or the content of external websites.

B. Information Gathered by MTSU

1. Personal information provided via email or through other online means will be used only for purposes necessary to serve the needs of the person providing that information, such as responding to an inquiry or other request for information. This may involve redirecting your inquiry or comment to another person or department better suited to meeting the inquirer’s needs.

2. MTSU’s website does use server logs to collect information concerning user’s internet connection and general information about their visit to MTSU’s website. This information may be used to analyze trends, to create summary statistics for the purpose of determining technical design specifications, and to identify system performance or problem areas. This means we sometimes acquire, record, and analyze portions of the data that is entered into, stored on, and/or transmitted through this site by the user. This information is only released to the extent allowed or required by applicable law.

3. Such logging includes, but is not limited to:

a. Hostname - The hostname and/or IP address of the user/client requesting access.

b. HTTP header, "user-agent" - The user-agent information includes the type of browser, its version, and the operating system it is running on.

c. HTTP header, "referrer" - The referrer specifies the page from which the client accessed the current page.

d. System date - The date and time of the user/client request.

e. Full request - The exact request the user/client made.

f. Status - The status code the server returned to the user/client.

g. Content length - The content length, in bytes, of the document sent to the user/client.

h. Method - The request method used.

i. Universal Resource Identifier (URI) - The location of a resource on the server.

j. Query string of the URI - Anything after the question mark in a URI.

k. Protocol - The transport protocol and version used.

l. E-mail address – In some cases, the e-mail address of the intended recipient of an e-mail may be logged when a link is accessed inside of an e-mail.

C. Cookies: A cookie file contains unique information that a website can use to track such things as passwords, pages the users has visited, the date the user last looked at a specific page, and to identify the user’s session at a particular website. MTSU does not use cookies to track or collect any information that could personally identify individual visitors.

D. E-Commerce: Some MTSU web sites may enable you to pay for products or services online with a credit card or other electronic payment mechanism. Unless otherwise noted, these transactions are encrypted. It is MTSU’s practice that confidential financial information will be used only for the purposes described in that transaction unless an additional use is specifically stated on that site. Data provided specifically to facilitate credit card or other electronic business transactions are retained only for a reasonable time to effect the transaction.

E. Access to Information: Except for education records governed by FERPA, all information collected from any MTSU website or social media group, including summary server log information, emails sent to the website or group, and information collected from web-based forms, may be subject to state and federal laws. This means that while MTSU does not actively share information, in some cases it may be compelled by law to release information gathered from its web servers or social media groups.

F. Information Usage: In the course of using the websites or social media groups, you may choose to provide information to the University via web forms, e-mail or other electronic means. Personally identifiable information submitted will be used only for MTSU related purposes. MTSU will not sell this data to outside parties. Requests for information and information submitted via forms on websites or social media groups will be directed to the appropriate staff to respond to those requests and may be recorded to help us improve our site to better respond to similar requests. MTSU may use this information in any investigation of a potential violation of MTSU policies and procedures or as required by federal, state or local law.

G. Security: Extensive security measures have been employed to protect against unauthorized access, disclosure, modification, or destruction of information under our control, as well as the loss, misuse, or alteration of university websites, social media sites and/or associated electronic information resources.

H. Contractors/Outsourced Development: Any entity contracted to develop or provide web or social media services is bound by and must follow MTSU’s Privacy of Information Policy and MTSU Policy I:03:06 Information Security Policy, as well as all applicable University policies in order to protect personally identifiable information (PII).

I. Google Analytics: Some MTSU websites use Google Analytics, a web analytics service provided by Google, Inc. Google Analytics uses cookies to collect information such as URLs, internet domain and host names, browser software, and the date and time that the site is visited. This information is used to monitor the effectiveness of the website and to consider potential improvements to the website. The information is non-personal and is transmitted to and stored by Google on its servers. MTSU does not share any specific information about a particular user. Please visit the following pages for more information on Google Analytics Terms of Use, Google's Privacy Practices, and Google Analytics opt-out browser add-on.

V. ADDITIONAL PRIVACY-RELATED POLICIES

Several current MTSU policies are directly or indirectly related to information privacy issues, illustrating the nature and complexity of the topic. These include the following:

A. I:01:24 Protection of Human Subjects in Research

B. I:03:03 Information Technology Resources Policy

C. I:03:06 Information Security Policy

D. I:03:10 Social Networking and Media

E. II:01:10 Misconduct in Scholarly Activities and Research

F. III:04:00 Guidance and Counseling Center

G. IV:07:02 Conditions of Employment

VI.  DISCIPLINARY ACTIONS

Employees who access files or browse data of others, or access any information technology resources for personal gratification or unauthorized dissemination of information obtained from these resources, may have violated the privacy of others. If so, such behaviors are subject to disciplinary actions that are in proportion to the nature of the offense. MTSU Policy IV:07:10 Disciplinary Procedures – Classified Personnel and II:01:05A Policies and Procedures for Tenure prescribe disciplinary actions and processes. In cases where employees dispute a charge, they may respond based on MTSU Policies  IV:07:11 Employee Grievance/Complaint Procedures or II:01:05C Tenure and Promotion Appeals Process. Refer to the Student Handbook for disciplinary actions regarding students.

Revision: February 8, 2000; March 16, 2004; March 25, 2015.

Cross-references:  Family Educational Rights and Privacy Act of 1974; MTSU Policies III:00:01 Access to Education Records; IV:07:17 Personnel Records; I:03:01 Public Records-Inspecting/Copying Public Records; I:01:24 Protection of Human Subjects in Research; I:03:03 Information Technology Resources Policy; I:03:06 Information Security Policy; I:03:10 Social Networking and Media; II:01:10 Misconduct in Scholarly Activities and Research; III:04:00 Guidance and Counseling Center; IV:07:02 Conditions of Employment; IV:07:10 Disciplinary Procedures-Classified Personnel; II:01:05A Policies and Procedures for Tenure; IV:07:11 Employee Grievance/Complaint Procedure; and II:01:05C Tenure and Promotion Appeals Process; Tennessee Board of Regents Guideline G-070; American Association of Collegiate Registrars and Admissions Officers Guidelines.