susan blair msj mba cipp uf chief privacy officer n.
Skip this Video
Loading SlideShow in 5 Seconds..
Privacy In Academia PowerPoint Presentation
Download Presentation
Privacy In Academia

Loading in 2 Seconds...

play fullscreen
1 / 30

Privacy In Academia - PowerPoint PPT Presentation

  • Uploaded on

Susan Blair, MSJ , MBA, CIPP UF Chief Privacy Officer. Privacy In Academia. Goals of this Training. To describe the Role of the Chief Privacy Officer To define restricted information and identify the scope of UF’s Privacy Office

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Privacy In Academia' - kamran

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
goals of this training
Goals of this Training
  • To describe the Role of the Chief Privacy Officer
  • To define restricted information and identify the scope of UF’s Privacy Office
  • To make you aware of the most relevant privacy laws and their impact on UF
  • To outline UF’s greatest privacy risks
  • To make you aware of your obligations to preserve the privacy and confidentiality of restricted information
  • To provide some basic tools for responding to a privacy breach
structure organization
Structure & Organization

Vice President

For Human Resources

Shands Privacy


UF Information

Security Initiatives

Chief Privacy Officer

UF Healthcare


IRB’s and

Privacy Board


UF Healthcare

Affiliated Entities

All Other UF Colleges,

Departments, and


UF Jacksonville

role of uf s chief privacy officer
Role of UF’s Chief Privacy Officer
  • Required by federal regulation, effective April 2003
  • Analyze relevant privacy regulations; assess institution privacy-related risks; provide oversight for regulatory compliance; track results
  • Develop and implement strategies, policies, and procedures
  • Act as central contact and investigation authority for privacy complaints, alleged breaches and notifications
  • Recommend disciplinary actions, up to and including dismissal.
what is restricted information
What is Restricted Information?
  • Any and all personal identification information, protected health information, financial information, and other information protected by law in any format (paper, electronic, or other).
  • Examples include:
    • Medical records and medical record numbers;
    • Student UFID numbers, grades, schedules, records, and reports;
    • Human resource data, including disciplinary actions;
    • Florida Drivers License numbers;
    • Social security numbers; and
    • Any financial account information, including credit and debit card numbers.
privacy confidentiality defined
Privacy & Confidentiality Defined
  • Privacy
    • Freedom from intrusion or observation
    • Maintaining control over personal information
    • Not a US Constitutional right – but it is in the Florida Constitution:
      • (Article One, Section 23) “Every natural person has the right to be let alone and free from governmental intrusion into the person's private life”; exception: Not to limit the public's right of access to public records and meetings as provided by law.
  • Confidentiality
    • Only permitting certain authorized persons to have information, with the understanding that they will not share the information except to other authorized persons
scope of privacy regulations at uf federal
Scope of Privacy Regulations at UF - Federal
  • Federal Statutes
    • Family Educational Rights and Privacy Act (FERPA)
    • Privacy Act of 1974
    • Patriot Act
    • Graham-Leach-Bliley Act
    • Fair Credit Reporting Act
    • Right to Financial Privacy Act
    • Children’s Online Privacy Protection Act (COPPA)
    • Electronic Communications Privacy Act
    • Stored Wire and Electronic Communications Act
    • Cable Communications Policy Act
federal privacy regulations continued
Federal Privacy Regulations (continued)
  • Federal Health laws
    • HIPAA (Health Insurance Portability & Accountability Act) for healthcare components: Faculty practice plans, HSC Colleges, CLAS, IFAS, Student Health Care Center, Institutional Review Boards, Benefit and Disability Plans, and UF Foundation
    • HIPAA II – The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009
    • Americans with Disabilities Act
    • Federal Substance Abuse Record Confidentiality Rule
scope of privacy regulations at uf state
Scope of Privacy Regulations at UF - State

Florida Statutes with privacy requirements - Healthcare

Florida Statutes with privacy requirements – All Others

Chapter 90: Evidence

Chapter 119: Public Records

Chapter 501: Consumer Protection

Chapter 817: Breach Notification

Chapter 1002-1006: Education Records

  • Chapter 381.004: HIV Testing
  • Chapter 384: STDs
  • Chapter 385: Chronic Diseases
  • Chapter 392: TB Control
  • Chapter 393: Developmental Disabilities
  • Chapter 394: Mental Health
  • Chapter 395: Hospitals
  • Chapter 397: Substance Abuse
  • Chapter 400: Nursing Homes, Hospices
  • Chapter 405: Medical Research
  • Chapter 440: Workers’ Compensation
  • Chapter 456-468: Health Professions
scope national international
Scope – National & International
  • National Industry Standards
    • Payment Credit Industry Data Security Standards
  • International Privacy Laws
    • US: Department of Commerce’s Safe Harbor Privacy Principles
    • Europe: Council of Europe Convention for the Protection of Human Rights and Fundamental Freedom, EU Data Protection Directive, Art.1-33
    • Canada: Personal Information Protection & Electronic Documents Act
    • Additional Regulations: Argentina, Australia, Hungary, Iceland, Ireland, Japan, the Netherlands, Korea, India, and elsewhere
  • Regulatory Changes
    • American Reinvestment and Recovery Act/HITECH
    • State Attorney General prosecutions under HIPAA HITECH
    • State Attorney General prosecutions or penalties, i.e. California, Massachusetts, and Texas
five privacy protection principles
Five Privacy Protection Principles
  • Controls: Limited, Role–based Access to Data
    • Define individuals and roles permitted to access Restricted Data
    • Appoint Data Custodians to manage systems used with Restricted Data
  • Boundaries: Authorization Required to Use or Disclose Data
    • Authorized by the person who is the subject of the data
    • Authorized by law
    • Authorized by a policy based on law
  • Safeguards:Measures to protect Restricted Data
    • Administrative: Staffing, Policies & Procedures, Training
    • Physical: Locks, Barriers, Screens, etc.
    • Technical: Computer Accounts, Passwords, Audits
  • Accountability: Uniformly enforce UF policies to protect Restricted Data
    • Immediately report exposures of Restricted Data to the UF Privacy Office
    • Consistently apply Sanctions and Penalties
  • Balance: Individual Privacy and University Interests
top three danger zones
Top Three Danger Zones
  • Family Educational Rights and Privacy Act (FERPA): Student Records
    • Authorizes Secretary of Education to end all federal funding if a university fails to comply with federal statute
  • Health Insurance Portability & Accountability Act (HIPAA): Protected Health Information
    • Civil penalties and DOJ criminal prosecutions, which may result in significant fines, penalties, and up to ten years of jail time
  • Payment Credit Industry Data Security Standard (PCIDSS): Credit Card Information
    • Noncompliant entities may be fined $500,000 per incident if cardholder information is compromised, and processing privileges may be revoked
taking a closer look ferpa
Taking a Closer Look: FERPA
  • Pub.L.No. 93-380, Buckley Amendment
    • Applies to Institutions receiving US Dept of Education Funds
    • Prohibits release of Student Records without authorization by student or parent
  • Education Records Relate Directly to Student:
    • Grades, transcripts, recommendations, financing
    • Excludes law enforcement, health, and psychological records
  • Provide Notice of Student Rights
    • Access and Ability to Correct Errors
    • Limits on Disclosure, With Violent Crime Exception
    • Enforcement
  • No Private Right of Action
ferpa gonzaga university
FERPA : Gonzaga University
  • Student at GU, attempting to become elementary school teacher after graduation, applies for teaching position
  • Candidacy reference check concurrent with GU ongoing investigation for sexual misconduct
  • GU notifies state agency for teacher certification about misconduct allegations
  • Victim of misconduct recants, stating GU exaggerated issues
  • Student sues GU for unauthorized disclosures under FERPA
  • Jury awards student $1.155 M for compensatory and punitive damages
  • What happened next?
ferpa university of florida
FERPA: University of Florida
  • Undergraduate advisor researched over 300 student records to assess likelihood of cheating in class. The advisor did not have permission from his chair or an IRB allowance.
  • Same advisor reviewed coworker’s graduate student record without authorization.
  • Result: No longer researching; no longer advising; no longer here.
taking a closer look hipaa
Taking a Closer Look: HIPAA
  • 45 CFR, Parts 160 – 164; aka Healthcare Privacy & Security Rules, which protect individually identifiable health information
    • Privacy:Freedom from intrusion, maintaining control over PHI, expecting providers to respect individual’s rights
    • Security:Controlling access and protecting data so that it is complete and accurate
  • Applies to covered entities that provide healthcare services and bill electronically
  • Universities with health care centers are usually “hybrid entities”, meaning only certain functions of the school are subject to HIPAA
    • i.e. HSC Colleges, Student Health Center, Faculty Group Practices
taking a closer look hipaa1
Taking a Closer Look: HIPAA
  • Establishes Patients’ Rights
    • Notice of Privacy Practices
    • View or obtain MR copies
    • Request MR corrections or amendments
    • Request confidential communications
    • Request restrictions of PHI
  • Governs PHI Use and Disclosures
  • Enforced by civil and criminal sanctions, including penalties and possible jail time
  • Requires administrative activities like policies and procedures, training, tracking-reporting, and auditing
  • No Private Right of Action
  • Florida ranks first in number of HIPAA prosecutions
hipaa university of florida
HIPAA: University of Florida
  • Two HSCstudents who were Gator football fans visited a hospitalized Gator player; neither student was assigned direct care responsibilities for the team player.
  • To justify their visit, the students provided unnecessary medical counseling and also shared the player’s medical information with their church congregation to pray for his rapid recovery.
    • Despite multiple HIPAA trainings, the students did not believe they had violated the privacy regulations because they did not ask the player for his autograph!
  • Each student was suspended for a semester and given additional assignments about the importance of medical privacy and patient trust.
hipaa university of florida1
HIPAA: University of Florida
  • HSC Student took unauthorized patient photographs, after being denied that privilege, during a Surgery rotation
  • The student posted the photos on along with derogatory comments about the patient and the patient’s disability
  • Privacy Office and Dean recommend expulsion, but Student Affairs disagreed with recommendations
  • The student was suspended for a year from the University and was assigned community service, special research projects, and mandatory counseling sessions before being permitted to reapply to UF to resume studies.
taking a closer look pcidss
Taking a Closer Look: PCIDSS
  • Payment Credit Industry Data Security Standards, initiated by American Express, Discover, MasterCard, and Visa
  • Requires Merchants and Payment Processors to Secure Networks, Protection of Cardholder Data, and Auditing of Security Systems Regularly
    • 12 Standards, with 179 specific security requirements
    • Merchants At UF: Bookstore, Phillips Center, UAA, Student Health Center, etc .
  • Uses Penalties to Enforce Compliance
    • Based on Transaction Volumes
    • $500K per Incident
    • Restitution to Cardholder
    • Revocation of Transaction Privilege
  • Escalating Sanctions with No Appeal
pcidss georgia institute of technology
PCIDSS: Georgia Institute of Technology
  • GT Performing Arts Center sold tickets to events, accepting credit card payments
  • Performing Arts Center created an unencrypted database with credit card information to return funds when events were cancelled
  • Hacker accessed Performing Arts Center database obtaining over 61,000 names and credit card numbers
  • Assessed $2.2 M penalty with enhanced data security safeguards and audits required
another looming regulatory risk
Another Looming Regulatory Risk
  • FTC Red Flag Rules, effective December 31, 2010
    • Requires written ID Theft Prevention Program for any ‘covered account’ for individuals or households.
      • Regularly extending, renewing, or continuing credit
      • Regularly arranging (acting as go-between) for credit
      • Acting as an assignee of an original creditor
    • The BOT approved UF’s Identify Theft Prevention Policy in early 2009
      • Requires Business Unit or Affiliate to implement procedures and train employees.
      • * Available on privacy website at
        • Protecting Social Security Numbers*
        • The Red Flag Rules*
        • Business Unit Procedures
number one privacy crisis
Number One Privacy Crisis
  • Privacy Breach, which may result in Identity Theft*
  • Experience at US Colleges and Universities
    • 2010
      • 72 incidents
      • 1,849,241 records exposed
    • 2011
      • 50 incidents
      • 510,907 records exposed
    • 2012
      • 223 incidents
      • 932,544 records exposed

*Florida ranks first nationally; average loss identity theft = $75,000.

why do privacy breaches occur
Why Do Privacy Breaches Occur?
  • Data Rich Information Systems
  • Outdated or inadequate data security safeguards
    • Lack of administrative engagement
    • Poor and inconsistent physical barriers
    • Technology failures – authentication / authorization
  • Sophisticated intruders, with potential criminal intent
  • Unsophisticated intruders with easily accessible tools
  • Careless or inattentive data systems management
  • Negligent hiring and training practices
  • Demonstrated opportunities for repeat access
  • Business partners fail to protect information
effects of privacy breaches on uf
Effects of Privacy Breaches on UF
  • Public Relations Damage: Loss of Institution’s Reputation
    • Reduced Enrollment
    • Reduced Grant Funding
    • Reduced Donations or Contributions
  • Financial Expenses:
    • Legal, administrative, and investigative costs
    • Notification costs, including:
      • Letters and multimedia notices
      • Consumer response support
    • Restitution payments
    • Subsequent law enforcement investigations
  • Sanctions: Civil and/or Criminal Prosecutions, Penalties, Industry Reactions, Research May Be Curtailed
  • Fallout: Increased or Enhanced Regulations and Regulatory Surveillance
  • Lawsuits: Civil or Consumer Class Actions
how we manage a privacy breach
How We Manage a Privacy Breach
  • Investigate and confirm intrusion
  • Implement business recovery process
  • Evaluate legal requirements (i.e. Florida Chapter 817)
  • Oversee notification process (affected individuals/federal agencies)
  • Customer Support
  • Facilitate development of enhanced safeguards and publicize improved processes
  • Risk Mitigation, including audits of data systems
  • Revise business contracts
how you manage a privacy breach
How You Manage a Privacy Breach
  • Discover, report, and contain - immediately
    • Complete an incident report with whatever information you have and send to the Privacy Office
    • If theft is involved, call the University Police Department
    • If computers are involved, call IT Security / CNS
    • Assist with investigation process only as requested – do not try to investigate on your own
  • Notification Process – overseen by Privacy Office, paid for by you
    • Letter to Affected Individuals
    • Website Postings
    • Media Response
  • Improve – change processes, enhance safeguards, and educate staff affected by the changes
  • Assist with post-improvement audits of data systems
it s not alphabet soup
It’s Not Alphabet Soup …









The Privacy Act







when in doubt call first
When in Doubt … Call First
  • Susan Blair, CPO

Room G24, Tigert Hall

(352) 273-1212

  • Hotline: 866-876-4472
  • Website:
  • Emails: or