Indiana University must balance individual freedom and privacy with the need to serve or protect other core values and operations within the university.
How can you strive to ensure a business process, service, or project is implemented in a way that reduces or avoids causing privacy harms, as much as feasible?
Consider and apply the following privacy principles, particularly related to interactions with individuals whose information is collected, used, disclosed, and retained by Indiana University:
- Notice Principle
Informs the individual about privacy policies and procedures and identifies the purposes for which the individual's information is collected, used, disclosed, and retained (sometimes referred to as the Purpose Specification or the Openness Principle).
- Choice and Consent Principle
Obtains implicit or explicit consent from the individual with respect to the collection, use, disclosure, and retention of the individual's information, particularly if that information is to be used for a secondary purpose or disclosed to a third party (sometimes referred to as the Objection Principle).
- Collection Limitation Principle
Collects only the information needed to achieve the purposes identified by the business unit in support of the university's mission, and as outlined in the notice.
- Use and Retention Principle
Uses the individual's information only as outlined in the notice, and keeps the information only as long as necessary to fulfill the stated purposes.
- Disclosure Limitation Principle
Discloses the information to third parties only as outlined in the notice and as consented to by the individual either implicitly or explicitly.
- Access Principle
Provides access to the individual to review and update or correct his or her information (sometimes referred to as the Participation Principle).
- Monitoring and Enforcement Principle
Monitors compliance and has procedures to address complaints and disputes (sometimes referred to as the Recourse or the Redress Principle).