Applies to: Faculty (e.g. adjunct, part-time, full-time, volunteer, and visiting faculty), researchers, postdoctoral scholars, staff, students (e.g. graduate, undergraduate, visiting, student workers, and graduate assistants), volunteers, and trainees, engaged by, or who work or act at the direction of the University of Southern California and its subsidiaries including Keck Medicine of USC; as well as third parties acting on behalf of the University of Southern California and its subsidiaries (e.g. vendors, independent contractors, consultants) – collectively “USC Personnel”.
1. Policy
Issued: 09/01/2022
Last Revised: N/A
Last Reviewed: N/A
2. Policy Purpose
As the University of Southern California (the “University” or “USC”) pursues its academic, research, and health care mission, it is vital that we understand our ethical, academic, and compliance related obligations when it comes to privacy requirements and standards over certain data and information. This policy represents USC’s commitment to respecting and protecting the privacy of its students, patients, faculty, staff, research subjects, and anyone from whom USC Personnel collect or receive Personal Information. The University is also committed to protecting the privacy of Personal Information within its direct and indirect control in a manner consistent with applicable laws, regulations, and University policies, procedures, and principles.
At USC, our values of integrity, accountability and open communication guide our behavior when we make decisions related to Personal Information we collect, use, disclose, retain, and dispose. We recognize our students, patients, faculty, staff, research subjects, and anyone from whom USC Personnel collect or receive Personal Information trust us to handle their Personal Information with care and diligence.
This policy is designed to support compliance with the laws, regulations, and University policies, procedures, and principles, as well as reinforce our values of integrity and accountability, thereby demonstrating our commitment to doing the right thing with Personal Information in our possession.
3. Scope and Application
Given’s USC’s scope of activity, there is a multitude of data privacy laws and regulations that apply in different settings and jurisdictions (e.g., federal, state, local, international). These data privacy laws govern the collection, use, disclosure, retention, and disposal of Personal Information and, in some instances, may afford specific rights to individuals related to their Personal Information. The type of Personal Information covered by the privacy laws, includes but is not limited to, name, address, date of birth, race, ethnicity, social security number, and any other information that can directly or indirectly identify an individual (see additional information under Definition section). Examples of data subjects/individuals whose Personal Information is governed by the laws include, but are not limited to, employees, students, patients, minors, research subjects, alumni, and donors. A non-exhaustive list of privacy laws frequently addressed at the University can be found on the OCEC-Data Privacy website.
This policy establishes the foundation of the University’s key data privacy principles and best practices, complemented by the following additional USC policies that address specific data privacy requirements. Associated procedures are expected to be followed by USC Personnel:
- Protection of Social Security Numbers and Other Restricted Information Policy contains requirements for using, storing, and transmitting Restricted Information.
- Student Records Policy (FERPA) further describes the student information protected under FERPA, who may access the information and under what circumstances may the information be used and disclosed, as well as describes the rights students have regarding their information.
- Health Insurance Portability and Accountability Act (HIPAA) Policies further describe the privacy and security requirements related to the use and disclosure of protected health information and rights individuals have related to their health information.
- Payment Card Industry Data Security Standards (PCI-DSS) Policy further describes information and requirements for USC entities considered to be merchants on complying with standards adopted by the major credit card brands on protecting credit card data, regardless of where the data is processed or stored.
- Protection of Consumer Financial Information Policy further describes, under the Gramm-Leach-Bliley Act (GLBA), requirements for protecting the privacy and security of information collected in the course of providing certain financial services, such as student financial aid or faculty and staff housing loans.
It is important to note that if USC Personnel perform multiple roles (e.g., researcher, faculty, clinician), additional consideration for data use should be made as there may be different requirements that apply to the data depending on the USC Personnel’s role at a specific point in time.
4. Definitions
Term | Definition |
Data Subject | An identified or identifiable person via data elements such as name, address, and ID. |
Disclosure | The release of, transfer of, provision of access to, or other communication of Personal Information.Note that certain privacy laws may have a slight variation in this definition. |
Office of Culture, Ethics, and Compliance – Data Privacy Team (OCEC-Data Privacy) | The team responsible for administering the data privacy compliance program for USC’s University Park Campus, including University Clinical Services entities (non-Keck Medicine of USC). |
Office of Healthcare Compliance (OHC) | The office responsible for administering the health care data privacy compliance program for Keck Medicine of USC. |
Personal Information | All University information that can be used to identify, relate to, describe, or link, directly or indirectly, to a particular individual, alone or when combined with other identifying information – whether in electronic, paper, and verbal format. Personal Information includes but is not limited to: – Name – Date of birth – Gender – Ethnicity – Nationality – Sexual orientation – Address – Contact Information (e.g., mobile phone, home phone) – Healthcare and health insurance information (e.g., medical diagnosis) – Biometric data (i.e., DNA, Retinal scan, Fingerprints, Voice signature) – Email address Bank account number – Credit card number – Identification number (i.e., U.S. Social Security Number, Employee ID number, Insurance Number, Driver’s license number, National Identification Card, Passport Number, Student ID Number) – Political party – Religion – Social organizations – Marital Status – Employment Records – Criminal Records – IP (Internet Protocol) Address |
Restricted Information | Information typically regulated by a specific law/regulation (e.g., HIPAA, FERPA, GLBA) or would cause a significant business impact if it were disclosed. Other data and information may be classified as restricted if it is in the best interest of the University. |
USC Personnel | Faculty (e.g. adjunct, part-time, full-time, volunteer, and visiting faculty), researchers, postdoctoral scholars, staff, students (e.g. graduate, undergraduate, visiting student workers, and graduate assistants), volunteers, and trainees, engaged by, or who work or act at the direction of the University and its subsidiaries including Keck Medicine of USC, as well as third parties acting on behalf of the University and its subsidiaries– including:A supplier or vendor of goods or purchased servicesPast or present students or patients, their families, or their foundationsA customer, person, or entity with whom USC has a business or other relationship, or with whom negotiations may be in progressA sales representative acting on behalf of a Third PartyJoint venture partnersProfessional organizations |
Use | The accessing, sharing, or other utilization of Personal Information for the purposes for which it was collected.Note that certain privacy laws may have a slight variation in this definition. |
5. Policy Details
USC Personnel are accountable for following USC policies and procedures for Personal Information they collect, possess, use, and manage. USC Personnel must follow the applicable USC data privacy policies and Data Privacy Program Principles. These Principles form the core of the University’s position on its collection, use, disclosure, retention, and disposal of Personal Information.
While USC’s data privacy policies may contain specific requirements related to specific types of information (e.g., student, patient, employee), USC Personnel shall follow the key best practices below when handling USC Personal Information, unless an exception exists by law or regulation, or approval is granted by OCEC-Data Privacy or OHC.
- Limit the collection of Personal Information to only what is needed to complete the intended purpose. The collection and processing of Personal Information must be adequate, relevant, and limited to what is necessary in relation to the reasons for which the information is processed.
- Only access, disclose, and share Personal Information in accordance with the purposes for which it has been collected. USC Personnel are expected to maintain the privacy and confidentiality of all Personal Information accessed in the context of their employment.
- Access only the Personal Information in accordance with one’s roles and responsibilities and for the purpose it was accessed. USC Personnel with multiple roles must ensure that they only access Personal Information collected and maintained for the specific role.
- Example: a faculty member who has access to student data in connection with teaching a class may not use the data for a separate role as a researcher, unless proper consents for research are obtained.
- Disclose only the minimum Personal Information to fulfill the request for information. Take all reasonable efforts to limit the disclosure of Personal Information to only what the requestor needs to satisfy the objective and only after validating that disclosure is permitted under the circumstances.
- Disclose Personal Information to only individuals authorized to receive it. All reasonable steps are taken to confirm the identity and authority of the individual or entity receiving Personal Information, including USC Personnel.
- Encrypt the transmission of sensitive Personal Information and all devices containing Personal Information. USC Personnel must ensure any emails or other type of exchange containing sensitive Personal Information and any USC issued and personal devices containing University data (e.g., laptops, USB drives, portable hard drives) are encrypted.
- For questions about encrypting data transfers and devices, please contact your designated IT Support or USC Information Technology Services at consult@usc.edu.
- Retain Personal Information in accordance with the USC Record Management Policy. USC Personnel must be mindful of USC record retention requirements and not keep Personal Information longer or shorter than necessary.
- Dispose of Personal Information securely when no longer needed. When Personal Information no longer needs to be retained in accordance with USC’s Record Management Policy, USC Personnel must dispose of the Information in a secure manner, such as shredding.
- Contact designated IT Support or the Office of the Chief Information Security Officer when needing to dispose of electronic devices containing Personal Information.
- Report data privacy incidents as soon as possible. USC Personnel must report all possible or actual data privacy incidents to their supervisor, the Office of Culture, Ethics, and Compliance (compliance@usc.edu), OHC (compliance@med.usc.edu) or the Office of Professionalism and Ethics (report.usc.edu) as soon as possible but no later than 24 hours after the incident has been identified.
- Use (link to) the USC Privacy Notice when collecting Personal Information in an electronic manner (e.g., application, website, survey). Individuals must be provided notice on what Personal Information is collected, how it is being used, with whom it is being shared, and how it is protected. If a customized USC Privacy Notice is required, please contact OCEC-Data Privacy.
- Do not sell Personal Information.
- Dispose or securely retain any unsolicited Personal Information shared by a known or unknown sender either intentionally or inadvertently. For example, if USC Personnel receives an unsolicited email with Personal Information that does not need to be retained, promptly delete the email and all attachments. Otherwise, store all data in a secured location (e.g., OneDrive with appropriate permission settings).
Schools, departments, and units may create more restrictive policies, procedures, or standards related to the collection, use, disclosure, retention, and disposal of Personal Information. However, they must not violate laws, regulations, or overarching principles of this policy. USC schools, departments, and units should consult with OCEC-Data Privacy or Keck Medicine of USC’s OHC for guidance before developing department, school, or unit specific standards, policies or procedures.
Privacy Impact Assessment (PIA)
PIA, a key building block to effective data privacy compliance, is a process to identify, assess, and minimize privacy risks and impacts associated with the continued use or implementation of new systems, technologies, or processes. In cases where USC Personnel need to process Personal Information through new projects, systems, technologies, services, processes, or other initiatives, OCEC-Data Privacy should be engaged as soon as possible.
Data Subject Rights
Under certain privacy laws (e.g., HIPAA, FERPA, GDPR), individuals, or Data Subjects, have certain rights related to their data, such as the right to access, delete, correct, restrict data processing, and be notified (e.g., Notice of Privacy Practices, breach).
When USC receives a request, it will take reasonable steps to verify the Data Subject’s identity and respond in a timely manner and in accordance with applicable laws and regulations. Please contact OCEC-Data Privacy for questions.
Third-Parties
When USC engages in relationships with third-parties (i.e. vendors, consultants, independent contractors, collaborators) that involve Personal Information, it shall incorporate applicable data privacy language in relevant contracts as needed.
Reporting
USC Personnel who believe that these data privacy policies have been violated or have data privacy concerns should contact OCEC Data Privacy (compliance@usc.edu), or OHC (compliance@med.usc.edu). Complaints or concerns may also be reported anonymously by calling the Compliance Hot Line at (213) 740-2500 or 800-348-7454 or submit online at report.usc.edu. The University expects USC Personnel to report incidents and violations as soon as possible, but no later than 24 hours after the incident has been identified.
Violations of Policy
USC Personnel who fail to follow proper data privacy policies regarding the collection, use, access, storage, retention, and disposal of Personal Information may be subject to corrective and/or disciplinary action, up to and including termination of employment or relationship. Matters may also be referred to applicable administrative offices for further review.
6. Procedures
N/A
7. Forms
N/A
8. Responsibilities
The Office of Culture, Ethics and Compliance – Data Privacy Team; Office of Healthcare Compliance | Develop and review exceptions to the policy.Monitor activity relative to the policy requirements as well as provide periodic communications and training designed to support the policy and related procedures. |
USC Personnel | Understand and comply with this policy.In any situations where it is not clear if the actions being contemplated are permitted, seek guidance from their supervisor, OCEC–Data Privacy, and OHC.Timely report data privacy concerns, violations, and incidents to OCEC-Data Privacy and OHC in accordance with the policy. |
Supervisors, department chairs, and Deans | Set expectations with USC Personnel to comply with the data privacy policies and emphasize the importance of demonstrating USC’s trust with individuals by protecting their privacy and Personal Information.Timely report data privacy concerns, violations, and incidents to OCEC-Data Privacy and OHC in accordance with the policy. |
9. Related Information
- Cooperation with Compliance Investigations
- Data Privacy Program Principles
- Health Insurance Portability and Accountability Act (HIPAA) Policies
- Information Technology Policies
- Payment Card Industry Data Security Standards Policy
- Prohibited Discrimination, Harassment, and Retaliation
- Protecting Minors Policy
- Protection of Consumer Financial Information Policy
- Protection of Social Security Numbers and Other Restricted Information Policy
- The USC Student Handbook
- Student Records Policy (FERPA)
- USC Data Classification Standard
- USC Record Management Policy
10. Contact Information
Please direct any questions regarding this policy to:
OFFICE | PHONE | |
Office of Culture, Ethics and Compliance | 213-740-8258 | compliance@usc.edu |
Office of Healthcare Compliance | compliance@med.usc.edu |