University Privacy Policy

Policy Statement

The University of Chicago (“University”) respects individuals’ personal privacy. The University collects, accesses, uses, discloses, stores, transfers, and disposes of personal data in accordance with all applicable laws, regulations, and relevant ethical standards. The policy sets forth guidelines to ensure compliance with applicable laws, regulations, and ethical standards.

Purpose

This Policy establishes guidelines for the collection, access, use, disclosure, storage, transfer, and disposal of personal data by the University in the conduct of the University’s administrative functions. This Policy is intended to:

• Protect privacy of individuals and the integrity and confidentiality of personal data.

• Promote ethical data management practices aligned with the University's values and legal obligations.

• Assist University faculty, other academic appointees, staff, postdoctoral researchers, students, and others in complying with laws and regulations when collecting, accessing, using, disclosing, storing, transferring, or disposing of personal data.

• Promote transparency in data handling practices relating to personal data.

• Minimize risks associated with unauthorized access, disclosure, or misuse of personal data.

• Provide guidance to University faculty, other academic appointees, students, post-doctoral researchers, staff, associates, volunteers and contractors when handling personal data using University resources.

Applicability

This Policy applies to the Processing of Covered Information (as defined below) by Covered Persons (as defined below) for Administrative Purposes. This includes Covered Information Processed (as defined below) by Covered Persons in print or electronic form and whether such Processing is undertaken on site, in hosted environments, or in any other location or environment.

This policy also applies to personal computers and other devices to the extent that they store or process Covered Data. All Covered Persons must comply with this policy.

This Policy applies only to Covered Information Processed for Administrative Purposes. This Policy does not apply to the processing of Covered Information for research purposes.

This policy is in addition to and not in lieu of other University policies that affect the Covered Information.
In addition to this Policy, Covered Persons must comply with all other University policies relating to the Processing of Covered Information, including:

• Policy 601 Treatment of Confidential Information

• Policy 2708: Managing University Records

• Policy 705 - Employee Access to Personnel Records

• Information Technology Resources and Account Privacy Policy

Definitions

• Administrative Purposes: The purposes of managing and conducting the administrative activities of the University, including general administration, admissions, alumni relations and development, student records, human resources, information technology, research administration, and all other administrative functions of the University. Administrative Purposes does not include the design, conduct, or reporting of research.

• Covered Information: All Personally Identifiable Information processed by Covered Persons for University Administrative Purposes. It applies to information regardless of whether the information is in print, electronic, or other format.

• Covered Persons: All University faculty, other academic appointees, students, post-doctoral researchers, staff, associates, volunteers, and contractors who Process or have access to Covered Information.

• Data Privacy Incident: An event involving the actual or suspected unauthorized or inappropriate access, disclosure, use, or loss of Covered Information, which directly affects individuals' privacy rights or confidentiality. There is a direct privacy risk or harm to the individuals involved.

• Data Steward: A Covered Person responsible for the management and oversight of specific Covered Information.

• Data Subject: An identifiable person to whom Covered Information relates.

• Employment Information: Covered Information relating to current and former University faculty, other academic appointees, post-doctoral researchers, staff and other employees, personnel and job applicants Processed by the University for employment and human resources management purposes, including payroll records, salary, individual benefits information, individual criminal background check information, individual conflict of interest information, faculty records, and personnel records, including but not limited to information regarding an employee's work history, credentials, salary and salary grade, benefits, length of service, performance, and discipline.

• Financial Information: Covered Information relating to an individual’s financial activity or status that the University may collect, use, or maintain. This includes, but is not limited to, credit or debit card numbers, bank account details, payment records, financial aid information, transaction histories, scholarship or grant records, and donations or contributions.

• Health Information: Covered Information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual.

• Instructional Information: Covered Information related to teaching and learning activities, such as course materials, student assignments, grades, attendance records, and communications between instructors and students.

Policy

Consequences of Non-Compliance

Compliance with this Policy is mandatory, and violations of the policy may result in disciplinary action, up to and including the suspension of network privileges, suspension or expulsion from further study, and termination of employment.

Policy Ownership

Responsible University Officer(s): Chief Information Officer
Responsible Office: Privacy Office

The Chief Privacy Officer is responsible for:

• Overseeing the implementation and enforcement of this Policy

• Coordinating with University units regarding compliance

• Reviewing and updating the Policy periodically to reflect changes in laws, regulations, or University practices

Effective Date: 11-03-2025
Last Updated: 11-03-2025

Contacts

For questions, and concerns including filing a complaint, or obtaining further information regarding this Privacy Policy or data privacy practices at the University, please contact:

The University of Chicago
Attn: Privacy Office
6045 S. Kenwood Ave #321
Chicago, IL 60637

Chief Privacy Officer
privacy@uchicago.edu
773.702.4093