Employee Privacy, Responsibilities and Training
The Privacy Program is grounded in our privacy principles and rooted in regulation. Each faculty and staff member has a crucial role to play in protecting the privacy of our university community members.
Follow Policies and Laws
A key aspect of working at Ohio State is reading, understanding and incorporating the Ohio State privacy principles into your work. The privacy principles are important because they summarize Ohio State’s commitment to key areas of privacy such as notice, choice and access. Ohio State also has several guidelines related to data privacy. For example, if part of your work has you thinking about texting faculty, staff or students, be sure to follow Ohio State’s texting guidelines and be familiar with our SMS terms and conditions.
You may also work in an area of the university where your job requires your knowledge and commitment to following laws and Ohio State policies related to data privacy such as FERPA, HIPAA and the TCPA. If your job requires it, you will receive training about various laws, regulations and university policies such as FERPA, HIPAA and the Institutional Data Policy. Make sure to complete these trainings carefully and incorporate what you learn into you daily work.
Understand Your Activities May Be Monitored
As an employee at Ohio State, your activities may be monitored as part of Ohio State’s overall work in data and physical security. Ohio State has data security and physical security policies and practices consistent with industry standards.
Industry standards in information security include monitoring Ohio State information systems to detect potential threats affecting the security of Ohio State’s information. This monitoring may include collecting and reviewing logs of user activity as well as keeping logs of wireless activity to detect high risk behaviors.
Industry standards in physical security involves the use of cameras across campus and in some public spaces in the hospital. These cameras are in place for the greater good of protecting the physical safety of our faculty staff and students. Use of such cameras follow Ohio State’s privacy principles while balancing the need for public safety throughout the university.
University policies and privacy statements explain how your personal information is collected, used and shared.
Know What is Considered Public Records
As a state-supported institution, Ohio State is subject to Ohio’s Public Records Act also known as Ohio Sunshine Laws. These laws are in place to promote transparency by providing public access to records that document public businesses. The overall idea is that Ohio State holds public records in trust for the people we serve. Ohio State has a Public Records Policy to help facilitate our compliance with public records laws.
As an employee of Ohio State, information about you may be subject to release under Ohio’s Public Records act. Some information that you may expect to be private is not necessarily private due to public records laws in place to promote transparency in government. For example, your job application and annual reviews are considered public records and may be released in whole or in part subject to a public records request. There are exceptions to Ohio’s Public Records act. One exception for example, is Ohio State removing social security numbers from a record before it is released to protect constitutional privacy rights.
Another example of public records is what you put in your email. Email sent related to Ohio State business are also subject to public records requests. Therefore, you should be careful to be professional in your emails knowing that these may be made public at some point in the future. Again, there are exceptions where Ohio State may redact limited information from emails in compliance with the public records laws, but be aware how these laws may affect your privacy while working at OSU.
Ohio State has a process for releasing public records that balances employee privacy with the legal requirements of public records laws. If you have any questions about public records requests and how it relates to working at Ohio State, contact the Public Records Office.
Understand the Confidentiality of Your Medical Information
As a faculty or staff member, you may be required to give information to your employer about your health conditions if you need to take advantage of Family Medical Leave Act (FMLA). Under the FMLA, confidentiality of medical information is a right and information may be shared for limited purposes. To learn more about medical documentation and employment, check out the Family and Medical Leave FAQ (PDF) document.
Many employees have questions about the Health Plan’s wellness program. You can read more about privacy and your participation in Your Plan for Health on the wellness program website. Overall, identifying medical information that you provide to participate in the wellness program is not provided to your supervisors or managers and will never be used to make decisions about your employment.
Understand What Ohio State Considers Personally Identifiable Information (PII)
As defined in Ohio State's Institutional Data Data Element Classification Assignments, Personally Identifiable Information (PII) is defined as information which can be used to distinguish or trace an individual’s identity such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual.
PII includes the data below as it is used to associate the identity of an individual:
- Names
- Full name
- Maiden name
- Mother’s maiden name
- Alias
- Personal identification number
- Social Security number
- Passport number
- Driver’s license number
- Taxpayer identification number
- Financial account or credit card number
- Address
- Physical street address
- Email address
- Personal characteristics
- Photographic image (especially of face or other identifying characteristics like tattoos, birth marks, etc.)
- Fingerprints
- Handwriting
- Biometric data (e.g. retina scan, voice signature, facial geometry)
- Ethnicity
- Miscellaneous
- Birthdate
- Library Circulation Records
- Alien Registration
- Birth Location
- Emergency Contacts
- Family Addresses
- Alumni and Donor Information
Source: IDP Data Elements Classification Assignments (osu.edu)
Data Usage Scenarios
Sharing Employee Informaiton With A Third-Party
Scenario: My VP/Dean/Manager wants to upload everyone's name and home addresses to a third-party vendor so the vendor can send the employees thank you gifts.
Solution: There is already a process and tool to text students, faculty and staff for emergencies and other important messages.
Contact Information Disclosure
{Name of college or unit} leadership may request your personal contact information including your home address, mobile number, or birthday from HR to mail or send you items pertaining to business and personal life events. To ensure that we are mindful of everyone’s privacy, we are asking that you give us permission to use and share your personal contact information with third parties.
Please respond accordingly to this Qualtrics survey on how you would like your personal contact information used for these purposes.
- I give permission for the Contact Information Disclosure as stated above, including receiving text messages.
- I do not give permission for the Contact Information Disclosure as stated above.