 |
|||||||||||||||
 |
|||||||||||||||
 |
|||||||||||||||
RMP-7, Privacy of and Access to Information ResponsibilitiesNovember 1, 1985
I. REFERENCE
Business and Finance Bulletin RMP-8, "Privacy of and Access to
Information, Legal Requirements," November 1, 1985.
II. SCOPE
This Bulletin establishes responsibilities for privacy of and access to
all information maintained by any segment of the University, except for
those records pertaining to students. (See "Policies Applying to Campus
Activities, Organizations, and Students-Part B, University of California
Policies Applying to the Disclosure of Information from Student Records.
October 31, 1983.")
III. INTRODUCTION
On June 12, 1978, the Vice President-Academic and Staff Personnel
Relations issued guidelines for implementing recently enacted
legislation related to privacy of and access to University records. As
stated in those guidelines it was necessary to implement a series of
information practices requirements, including the following:
-restrict the use of Social Security numbers; (Federal Privacy Act of
1974);
-provide for access by the public to all University records, other than
litigation, law enforcement, examination, property, library and museum,
and certain personnel and medical records, or records whose disclosure
is prohibited by law (California Public Records Act);
-withhold from public access those records for which it can be
demonstrated that the public interest served by not making the record
public clearly outweighs the public interest served by disclosure of
the record (California Public Records Act);
-assure that personal information will not be disclosed unless the
disclosure meets one or more of fourteen specific exceptions
(Information Practices Act of 1977/IPA/);
-establish procedures which ensure that individuals may inquire and be
notified whether the University maintains records about them and may
inspect those records (with certain exceptions); such procedures to be
consistent with eleven criteria (IPA);
-maintain only that information which is pertinent and necessary to
accomplish a purpose of the University or is authorized by law (IPA);
-provide with any form used to collect personal information eight
specific items of information, such as the principal purpose for which
the information is to be used and whether submission of information
requested is voluntary or mandatory (IPA);
-assure that mailing lists meet certain standards for protecting the
privacy of individuals (IPA);
-establish procedures for recording certain types of disclosures, and
correcting such disclosed information (IPA); and
-provide the State Office of Information Practices with a detailed
inventory of University records containing personal information (IPA).
These requirements are still valid. However, records management
procedures and responsibilities have evolved through the practical
application within the University of the referenced privacy and access
laws. This Bulletin incorporates and therefore supersedes the June 12,
1978 guidelines, and sets forth applicable procedures and
responsibilities.
IV. RESPONSIBILITIES
A. University-wide Responsibility
The Senior Vice President-Administration has major responsibility for
University-wide compliance with legal requirements on privacy of and
access to University records. Within that organization, the
Coordinator of Information Practices and Special Projects, in
consultation with General Counsel as appropriate, provides overall
records privacy and access policy and procedural guidance to
campuses, Laboratories, and offices of the President, as well as
liaison with the State Office of Information Practices.
B. Campus, Laboratory, and Office of the President Responsibilities
1. Chancellors, Laboratory Directors*, the Vice
President-Agriculture and Natural Resources, and the Senior
Vice President-Administration responsible for ensuring that
departments and other units under their respective
jurisdictions comply with all records privacy and access
requirements. To facilitate this responsibility, and because
of the complexity of the task of implementing access and
privacy requirements and the likelihood of lawsuits if
requirements are not met, each of these officers appoints a
senior officer as Coordinator of Information Practices.
2. The local Coordinators of Information Practices are responsible
for developing privacy and access guidelines, as well as
providing technical and practical assistance to all offices at
their locations. To assure that local records procedures and
practices are consistent with University policies and Federal
and State laws, the Coordinators are responsible for liaison
with the Office of the President Coordinator of Information
Practices and Special Projects. In fulfilling these
responsibilities, local Coordinators shall:
-understand legal requirements, including the differences
between confidential, personal, and non-personal
information;
-prepare a yearly inventory of personal and confidential
records systems for ultimate transmittal to the State; and
-periodically review record systems to ensure that files are
maintained with accuracy, relevance, timeliness, and
completeness.
The local Coordinators should provide guidance to their
constituencies which:
-ensures that local forms requesting or providing personal
or confidential information have privacy notices
incorporated in them or attached to them;
-ensures that individuals have access to information about
themselves unless the information has been determined to be
confidential;
-ensures that individuals may amend a record about themselves
and that appropriate action is taken within specified time
periods and in accordance with University and legal
requirements;
-establishes charges, if any, for copies of any records to
which individuals are entitled to have access, and ensure
that such charges are in accordance with University and
legal requirements;
-establishes records of disclosure of information if required
by an existing State statute;
-assure the security of files;
-allows disclosure of personally identifiable information to
a non-profit educational institution conducting scientific
research providing there is satisfactory determination of
the need for personal or confidential information, a
procedure for protecting the confidentiality of the
information, and assurance that the personal identity of
the subject shall not be further disclosed in individually
identifiable form; and
-ensures that no information in a file is transferred inside
or outside the University unless the transfer is consistent
with legal requirements.
*Los Alamos National Scientific Laboratory is expected to comply with
all policy and procedural requirements for privacy of and access to
information, although it should be understood that the Civil Remedies
and Penalties section of the State of California Information Practices
Act and Public Records Act may not be applicable in New Mexico.
|
|||||||||||||||
|
|||||||||||||||
|
Send comments or questions about this website to Connie
Williams. |
|||||||||||||||
