I. Purpose
A. Anne Arundel Community College (the “College”) is committed to protecting the privacy rights and the personally identifiable information (“PII”) of all students, employees, visitors, vendors, and any other individual whose PII is collected by the College in carrying out its mission.
B. The purpose of the Privacy and Protection of Personally Identifiable Information Policy (“Policy”) is to: (1) establish a framework for compliance, responsibility, and accountability as it relates to an individual’s Privacy Rights, regarding the collection, use, and protection of PII; and (2) establish a remedy for individuals whose personally identifiable information has been affected by a breach.
II. Scope and Applicability
A. This Policy applies to all members of the College community, visitors to the College, and users of College information systems with access to PII, including but not limited to students, faculty, staff, and third parties. All members of the College community who have access to PII must adhere to this Policy and related Information Technology Requirements (“ITRs”).
B. This Policy applies to all PII, regardless of the relationship an individual may have with the College, including but not limited to current, past, and prospective students, parents, employees, and human research data subjects.
C. This Policy applies regardless of the origin of the PII, including but not limited to existing data sets, newly collected data, and data sets received from or created by third parties.
D. This Policy also applies to all locations and operations of the College including but not limited to applications, projects, systems, or services that seek to access, collect, store, and/or use PII.
III. Definitions
A. Breach of Information Security is any unauthorized disclosure, alteration, or destruction of data maintained by the College. A breach can be either intentional or accidental and the source may be either internal or external. A breach does not include (1) good faith acquisition, access, or use of private data by an employee, contractor, or agent of the College; (2) incidents involving confidential data that has been rendered unusable, unreadable, or undecipherable (e.g., through valid encryption or redaction) to unauthorized persons; or (3) incidents involving aggregate data.
B. Confidential Data includes College-owned electronic or physical information that is sensitive in nature and or protected under applicable state or federal laws (e.g., FERPA or HIPAA). This data cannot be disclosed externally except in a few specific and highly regulated instances. It may not be shared internally (with other faculty/staff) unless access is required for the completion of official job duties and such sharing should comply with college policies and best practices.
C. Data refers to information collected, stored, transferred or reported for any purpose, whether in electronic or physical form.
D. Individual(s) refers to a person from whom the College collects PII.
E. Personally Identifiable Information (PII) is a category of Data linked to a specific individual that would allow a person who does not have personal knowledge or the relevant circumstance, to identify the individual with reasonable certainty. This includes any information that is created, received, processed, stored, or transmitted by or on behalf of the College that, alone or in combination with other information, enables the identification of an individual.
PII includes but is not limited to:
• an individual’s username or email address, in combination with a password or security question and answer, that permits access to an individual’s email account; OR
• an individual's first and last name in combination with:
o A Social Security number, an Individual Taxpayer Identification number, a passport number, or other identification number issued by the federal government;
o A driver's license number, state identification card number, or other individual identification number;
o An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, which permits access to an individual's financial account;
o Geolocation data;
o Internet or network activity, including browsing history, search history, and information regarding an identifiable individual’s interaction with an internet website, application, or advertisement;
o Identifiable health information, including disability status, related to the past, present, or future physical or mental health or condition of an individual;
o A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual's health information; or
o Biometric data of an individual generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristics, which can be used to uniquely authenticate the individual's identity when the individual accesses a system or account.
F. Unauthorized Acquisition means that a person has obtained confidential College data without statutory authority, authorization from the data owner, or authorization of the data subject.
IV. Expectation of Privacy
A. It is the College’s intent to use proportionate and effective measures to ensure that the College and the campus community protect and respect an individual’s Privacy Rights within the framework and limitations of applicable law and applicable policies.
B. The College recognizes a reasonable expectation for the privacy of the data collected from its employees, affiliates, and students, in the interest of promoting academic freedom and an open, collegial atmosphere. This expectation of privacy is subject to applicable state and federal laws in addition to College policies, ITR’s, and all associated standards and guidelines.
C. Some PII may be subject to disclosure under the Maryland Public Information Act.
D. The College reserves the right to access and use PII at its discretion to investigate actual or suspected misconduct or risks to the College, its students, faculty, staff, and third parties. Additionally, all College policies, regulations, ITRs, and related standards and guidelines are subject to applicable laws.
V. Regulatory Obligations and Interpretations
A. The College must comply with Federal, State, and/or local laws and regulations related to privacy.
B. This Policy and its associated ITRs establish a framework for the College’s compliance with privacy-related regulations. This framework governs the College’s implementation of regulation-specific policies and standards, to address the collection and use of PII in compliance with structures including, but not limited to the Health Information Portability & Accountability Act (HIPAA), Gramm- Leach-Bliley Act (GLBA), Family Educational Rights and Privacy Act (FERPA), General Data Protection Regulation (GDPR), and Maryland’s Protection of Personally Identifiable Information by Public Institutions of Higher Education law.
VI. Reporting Obligations
A. All individuals must promptly report any known or suspected breaches of information security involving confidential data to the Technical Service Desk through the MyAACC portal. The Technical Service Desk will create a ticket to escalate the concern to the IIT Information Security and Infrastructure Team, as well as the Vice President for Information and Instructional Technology (VPIIT).
B. If a computer or mobile device is stolen, the Department of Public Safety and Police (“DPSP”) must be notified. In the case of unauthorized physical access, contact DPSP to report the incident.
C. The VPIIT will decide, in consultation with appropriate College stakeholders, General Counsel, and the Registrar (if student data is included), if notification to those affected is required, and determine the responsible departments in complying with notification obligations.
D. The General Counsel will provide legal advice to the VPITT and other College staff to ensure compliance with notification obligations under the law.
E. The department of Strategic Communication may provide guidance during the notification process.
VII. Remedy to Individuals Affected by an Information Security Breach
A. If the College experiences an Information Security Breach where PII that, if combined, may pose a threat to an Individual if misused, the College shall notify any affected Individual(s).
B. Anyone who becomes aware that a computer, laptop, mobile device, or other equipment, paper, or hard copies containing PII has been breached, lost, stolen, or misplaced, or anyone who suspects that PII may have been accessed by unauthorized individuals, must immediately notify the Information and Instructional Technology (“IIT”) Technical Service Desk via the MyAACC portal. The breach or potential breach will be handled in accordance with the College’s data breach protocols.
C. Once an Information Security Breach is detected, the College must conduct in good faith a reasonable and prompt investigation to determine whether the information that has been compromised has been or is likely to be misused, i.e., for identity theft. If the investigation shows that there is a reasonable chance that the Data will be misused, the College shall notify the affected Individual(s) within forty-five (45) days of discovering or being notified of the data breach.
D. The College may delay notification if requested by a law enforcement agency or to determine the scope of the breach, identify all the affected Individuals, or restore the integrity of the affected system(s).
E. Notice to the affected Individual(s) must be given in writing and sent to the most recent address of the Individual(s), or by telephone to the most recent phone number. Notice may be sent via email if an Individual(s) has already consented to receive electronic notice.
F. The College may provide substitute notice of an Information Security Breach by email, posting on its website, and notice to statewide media if the cost of notice would exceed $100,000 or the number of Individuals to be notified exceeds 175,000 Individuals.
G. Notice to the affected Individual shall include:
1. Description of the information compromised.
2. Contact information for the College.
3. Toll-free numbers and addresses for each of the three credit reporting agencies: Equifax, Experian, and TransUnion
4. Toll-free numbers, addresses, and websites for the Federal Trade Commission (FTC) and the Maryland Office of the Attorney General (OAG)
5. A statement that the individual can obtain information from these sources about steps to avoid identity theft.
H. When appropriate, the College may impose remedies to Individual(s) impacted by an Information Security Breach. Such remedies may include, but are not limited to:
1. Password resets and account security enhancements;
2. Credit monitoring and/or identity theft protection services;
3. Fraud alerts and credit freezes; and/or
4. Counseling and support services.
VIII. Implementation
A. This Policy, the associated ITR’s, and the implementation of those instruments are overseen by the VPIIT.
B. The Division of IIT is responsible for supporting the College with the implementation of this Policy by providing effective tools, appropriate resources, and training to meet the guidelines and standards of this Policy while minimizing potential costs and workload burdens.
C. ITRs and Guidelines
1. This Policy is supplemented by ITRs and Guidelines that address the operationalization of the College’s privacy governance program, including but not limited to access to specified data types, vendor engagement, incident response, and the exceptions process.
2. The VPIIT or designee may issue, amend, or rescind such ITRs and Guidelines as required to comply with legal obligations and College policy.
IX. Protection of PII
A. Protection of PII As part of the Colleges commitment to safeguarding personal information and ensuring compliance with regulations, the College employs a documented approach to the management, processing, and security of PII.
B. Administrative, Physical, and Technical Safeguards: The College employs a blend of safeguards to protect PII across different environments. Technical safeguards include the development of comprehensive ITR’s and guidelines, tools to monitor and control access to PII, and strategies to retain and back up critical PII data.
The College leverages controls that serve as the foundation of our PII protection framework. Those controls include, but are not limited to the following:
1. Data Minimization: The College only collects PII necessary for specific, legitimate purposes. This reduces the risk of unnecessary data exposure.
2. Storage Limitation: The College only retains PII as long as needed to fulfill the intended business continuity needs and/or comply with legal requirements. Audits and Data Mapping reviews ensure that obsolete information is deleted or destroyed.
3. Data Accuracy: The College implements processes to maintain accurate, up-to-date information.
4. Purpose Limitation: PII is collected and processed exclusively for specified, legitimate purposes, with defined access protocols to prevent misuse.
5. Classification of PII: PII is categorized based on sensitivity and risk to enable appropriate handling, storage, and security standards.
6. Data Mapping and Inventory: The College conducts data mapping and inventory reviews to understand data flows and locations.
7. Privacy Impact Assessments: Perform periodic Privacy Impact Assessments to identify and mitigate privacy risks associated with processing activities.
8. Third-Party Requirements: The College applies requirements for vendors and partners that handle PII, ensuring they adhere to our data protection standards.
9. Awareness and Training: Provide regular privacy and security training for staff, increasing awareness of best practices and obligations for PII protection.
10. Identity and Access Management (“IAM”): Utilize robust IAM protocols to ensure only authorized personnel have access to PII, bolstered by authentication and access controls.
11. Administrative, Physical, and Technical Safeguards: Implement and maintain a combination of safeguards, including administrative policies, physical protections, and technical controls, to protect PII at all levels.
X. Exceptions
A. Where a legitimate need has been demonstrated, such as a novel use of an existing data set for health and safety purposes, the VPIIT or designee, in consultation with appropriate stakeholders, may grant exceptions to this Policy and its related ITRs.
B. When considering requests for exceptions, the VPIIT or designee, in consultation with appropriate College stakeholders, will evaluate the documented purpose for the exception and the privacy risks to the Individuals affected.
C. Subject to the College’s legal obligations or circumstances that necessitate immediate access, the College may provide advance notification to an Individual prior to the use of the Individual’s PII pursuant to an exception request. In certain instances, Individuals may be unavailable to receive such advance notification, or such notification may not be reasonably practicable. In such cases use may occur without notification, consistent with applicable law.
XI. Policy Violations
A. Suspected violations of this Policy will undergo a standard College review in accordance with relevant College policies to determine responsibility.
B. College employees or students who are found responsible for violating this Policy and/or the associated ITRs may be subject to disciplinary action in accordance with relevant College policies. Furthermore, certain violations may result in civil penalties and/or criminal prosecution.
Policy Title: Interim Privacy and Protection of Personally Identifiable Information Policy
Policy Category: Information Technology
Policy Owner: Vice President for Informational and Instructional Technology
Policy Administrator: Vice President for Informational and Instructional Technology
Contact Information: rckralevich@aacc.edu; 410-777-2195
Approval Date: November 25, 2024
Effective Date: November 26, 2024
History: N/A
Applies to: Students, Employees, Visitors, Vendors
Related Policies:
Related Procedures: Acceptable Use of Information Technology Resources Procedures
Forms/Guidelines:
Relevant Laws: