Privacy and Confidentiality

• IT Service Provider Responsibilities
• Privacy Statement for Websites
• User Awareness
• Related Links

IT Service Provider Responsibilities

Berkeley campus departments or units who provide online services ("service providers") must comply with all applicable University regulations and laws governing personal privacy and the confidentiality of information. See Privacy Regulations.

Records that do not fall under established legal protections are subject to public disclosure under law. Some specific guidelines include the following:

• Existing privacy and confidentiality regulations that were created with paper records in mind continue to apply to the same categories of information existing in electronic form.
• Privacy and confidentiality regulations protect not only individuals and groups affiliated with the campus, but also non-University users of campus online resources.
• Service agreements that outsource data processing activities to third-party vendors must ensure compliance with the same privacy and confidentiality regulations as in-house activities.

Service providers must take a broad view of their privacy and confidentiality responsibilities, such as minimizing invasion into private lives and avoiding risks to health and safety. For example, the online publisher of a class roster who wishes to include student pictures and contact information must get permission from each student, and also must limit access to class members only, using password protection or other technologies.

Privacy Statement for Websites

Service providers who collect data via website interfaces must adhere to the provisions of the Privacy Statement for UC Berkeley Websites and must post a privacy statement to notify users regarding the types and uses of data that is gathered. Online service providers may further refine the standard campus privacy statement to include additional privacy provisions, but may not reduce the level of their activities' compliance.

User Awareness

Users of campus online resources should familiarize themselves with associated rights and risks regarding privacy and confidentiality. A good source for such information is the University of California Electronic Communications Policy, Attachment 1: User Advisories. Some factors that should limit users' expectation of privacy include:

• laws that guarantee public access to certain types of information,
• subpoenas or other legal instruments that authorize access to information,
• legitimate business needs that necessitate the University's access to workplace records
• computer system administration duties that sometimes result in unavoidable inspection of information, and
• technical vulnerabilities inherent in electronic communications systems.

Related Links

• Protection of Personal Information, University of California
• What To Do If You're a Victim of Identity Theft,California Office of Privacy Protection
• RMP-8, Legal Requirements on Privacy of and Access to Information, University of California
• Berkeley Campus Plan Implementing the UC Requirements for Protection of Computerized Personal Information under SB 1386
• Morrison & Foerster Privacy Resources Library
• Guidelines for Use of Campus Network Data Reports
• How to Respond to Requests for Electronic Evidence