Indiana University must balance individual freedom and privacy with the need to serve or protect other core values and operations within the university.
How can you strive to ensure a business process, service, or project is implemented in a way that reduces or avoids causing privacy harms, as much as feasible?
Consider and apply the following privacy principles, particularly related to interactions with individuals whose information is collected, used, disclosed and retained by Indiana University:
- Notice Principle
  - Informs the individual about privacy policies and procedures and identifies the purposes for which the individual's information is collected, used, disclosed and retained (sometimes referred to as the Purpose Specification or the Openness Principle).
- Choice & Consent Principle
  - Obtains implicit or explicit consent from the individual with respect to the collection, use, disclosure and retention of the individual's information, particularly if that information is to be used for a secondary purpose or disclosed to a third party (sometimes referred to as the Objection Principle).
- Collection Limitation Principle
  - Collects only the information needed to achieve the purposes identified by the business unit in support of the university's mission, and as outlined in the notice.
- Use & Retention Principle
  - Uses the individual's information only as outlined in the notice, and keeps the information only as long as necessary to fulfill the stated purposes.
- Disclosure Limitation Principle
  - Discloses the information to third parties only as outlined in the notice and as consented to by the individual either implicitly or explicitly.
- Access Principle
  - Provides access to the individual to review and update or correct his or her information (sometimes referred to as the Participation Principle).
- Monitoring & Enforcement Principle
  - Monitors compliance and has procedures to address complaints and disputes (sometimes referred to as the Recourse or the Redress Principle).
These privacy principles are adapted for IU from:
- American Institute of Certified Public Accountants, Inc. (AICPA) and Canadian Institute of Chartered Accountants (CICA). Generally Accepted Privacy Principles. August, 2009. Web.
- Federal Trade Commission. Fair Information Practice Principles. Web.
- Organisation for Economic Co-operation and Development (OECD). OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. 1980. Web.