University Privacy Policy
Policy Statement
The University of Chicago (“University”) respects individuals’ personal privacy. The University collects, accesses, uses, discloses, stores, transfers, and disposes of personal data in accordance with all applicable laws, regulations, and relevant ethical standards. The policy sets forth guidelines to ensure compliance with applicable laws, regulations, and ethical standards.
Purpose
This Policy establishes guidelines for the collection, access, use, disclosure, storage, transfer, and disposal of personal data by the University in the conduct of the University’s administrative functions. This Policy is intended to:
- Protect privacy of individuals and the integrity and confidentiality of personal data.
- Promote ethical data management practices aligned with the University's values and legal obligations.
- Assist University faculty, other academic appointees, staff, postdoctoral researchers, students, and others in complying with laws and regulations when collecting, accessing, using, disclosing, storing, transferring, or disposing of personal data.
- Promote transparency in data handling practices relating to personal data.
- Minimize risks associated with unauthorized access, disclosure, or misuse of personal data.
- Provide guidance to University faculty, other academic appointees, students, post-doctoral researchers, staff, associates, volunteers and contractors when handling personal data using University resources.
Applicability
This Policy applies to the Processing of Covered Information (as defined below) by Covered Persons (as defined below) for Administrative Purposes. This includes Covered Information Processed (as defined below) by Covered Persons in print or electronic form and whether such Processing is undertaken on site, in hosted environments, or in any other location or environment.
This Policy also applies to personal computers and other devices to the extent that they store or Process Covered Information. All Covered Persons must comply with this Policy.
This Policy applies only to Covered Information Processed for Administrative Purposes. This Policy does not apply to the processing of Covered Information for research purposes.
This policy is in addition to and not in lieu of other University policies that affect the Covered Information.
In addition to this Policy, Covered Persons must comply with all other University policies relating to the Processing of Covered Information, including:
Definitions
- Administrative Purposes: The purposes of managing and conducting the administrative activities of the University, including general administration, admissions, alumni relations and development, student records, human resources, information technology, research administration, and all other administrative functions of the University. Administrative Purposes does not include the design, conduct, or reporting of research.
- Covered Information: All Personally Identifiable Information processed by Covered Persons for University Administrative Purposes. It applies to information regardless of whether the information is in print, electronic, or other format.
- Covered Persons: All University faculty, other academic appointees, students, post-doctoral researchers, staff, associates, volunteers, and contractors who Process or have access to Covered Information.
- Data Privacy Incident: An event involving the actual or suspected unauthorized or inappropriate access, disclosure, use, or loss of Covered Information, which directly affects individuals' privacy rights or confidentiality. There is a direct privacy risk or harm to the individuals involved.
- Data Steward: A Covered Person responsible for the management and oversight of specific Covered Information.
- Data Subject: An identifiable person to whom Covered Information relates.
- Employment Information: Covered Information relating to current and former University faculty, other academic appointees, post-doctoral researchers, staff and other employees, personnel and job applicants Processed by the University for employment and human resources management purposes, including payroll records, salary, individual benefits information, individual criminal background check information, individual conflict of interest information, faculty records, and personnel records, including but not limited to information regarding an employee's work history, credentials, salary and salary grade, benefits, length of service, performance, and discipline.
- Financial Information: Covered Information relating to an individual’s financial activity or status that the University may collect, use, or maintain. This includes, but is not limited to, credit or debit card numbers, bank account details, payment records, financial aid information, transaction histories, scholarship or grant records, and donations or contributions.
- Health Information: Covered Information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual.
- Instructional Information: Covered Information related to teaching and learning activities, such as course materials, student assignments, grades, attendance records, and communications between instructors and students.
- Personally Identifiable Information (PII): Any information that can be used to identify an individual, including but not limited to names, addresses, social security numbers, student or employee identification numbers, and biometric records.
- Processing: Collection, access, use, disclosure, storage, transfer, and disposal of information in electronic and non-electronic formats.
Policy
General
Data Stewards
Responsibility for Covered Information: Data Stewards are responsible for understanding and complying with any applicable laws, policies, contracts, consents, privacy notices, and other obligations applicable to the Covered Information under their stewardship and communicating the same to Covered Persons who Process such Covered Information.
Obtaining Covered Information
Compliance with Laws and Ethical Norms: Covered Persons must obtain Covered Information lawfully and ethically. When collecting Covered Information from a Data Subject, Covered Persons should be transparent about the purpose of collection and the use of the Covered Information.
Consent: Covered Persons must obtain informed consent from Data Subjects when required by applicable laws, regulations, contracts and policies.
Minimization: Covered Persons must collect or obtain only the Covered Information reasonably necessary to fulfill the purpose for which such Covered Information is collected or obtained.
Use of Covered Information
Authorized Use: Covered Persons must follow all applicable laws, contractual obligations, privacy notices, and permissions given by individuals when they handle and Process Covered Information.
Access Control: Covered Persons should limit access to Covered Information to individuals who require it for legitimate purposes.
Data Quality: Covered Persons must maintain accurate, complete, and up-to-date Covered Information, to the extent reasonable for the Administrative Purposes for which it is Processed.
Disclosure and Sharing of Covered Information
Internal Sharing: Covered Persons must share Covered Information within the University only with authorized personnel for legitimate University purposes and only in accordance with applicable laws and any consents, privacy notices, or contracts applicable to such Covered Information.
External Disclosure: Covered Persons may not share Covered Information with anyone outside the University unless they have proper authorization to do so. Any external sharing must follow all applicable laws, relevant contracts, privacy notices, and any permissions (consents) given by the individuals whose information is being shared.
Third-Party Agreements: When Covered Persons engage third parties to handle or Process Covered Information, they must ensure the contracts with these third parties include all required privacy and security safeguards mandated by law, regulation, or policy.
Storage and Security of Covered Information
Data Protection Measures: Covered Persons must implement appropriate administrative, technical, and physical safeguards to protect Covered Information against unauthorized access, alteration, disclosure, or destruction.
Encryption: Covered Persons must use encryption that is compliant with the University Encryption Standards to protect Covered Information during transmission (in-transit) over networks and at rest. During processing, encryption is required where technologically feasible. Where not feasible, approved alternative controls must be implemented and documented.
Secure Storage and Transmission: Covered Persons must store and transmit Covered Information using University approved services and systems that meet the University's security standards. Covered Persons must avoid sharing sensitive Covered Information via unsecured platforms or public networks.
Retention and Disposal of Covered Information
Retention Schedules: Covered Persons must comply with the University's data retention schedules and policy, maintaining Covered Information as required by such policy.
Secure Disposal: Covered Persons must dispose of Covered Information securely to prevent unauthorized access or recovery, following University-approved procedures.
Record Keeping: When required by applicable law, regulations, University policy, or contract, Covered Persons must obtain a compliant, written certification of destruction.
Data Subject Access and Covered Information
Access and Correction: When required by applicable law or regulation, Data Stewards must give Data Subjects access to their Covered Information and correct any errors or inaccuracies in that information.
Privacy Notices: When required by applicable law or when otherwise practicable, Data Stewards should endeavor to inform individuals about data collection practices through clear and accessible privacy notices.
Request for Deletion: If a Data Subject asks for their Covered Information to be removed, the responsible Data Steward must promptly coordinate the deletion of such Covered Information from all University IT systems, to the extent required by law or otherwise reasonable under the circumstances.
The applicable Data Steward may deny a Data Subject’s request if any of the following applies:
- The Covered Information is necessary for compliance with legal obligations.
- The Covered Information is required for the establishment, exercise, or defense of legal claims.
- The Covered Information continues to be necessary for the original purpose for which it was collected.
Data Privacy Incident Response
Prompt Reporting: Covered Persons must promptly report any Data Privacy Incidents to the University’s Privacy Office.
Investigation and Mitigation: Covered Persons must assist in the investigation and take steps to mitigate harm from Data Privacy Incidents.
Notification: Covered Persons must assist the Chief Privacy Officer in notifying affected Data Subjects and others when the University determines that such notification is appropriate.
Compliance and Training
Training: All Covered Persons must participate in privacy, security, and data protection training as required by the University.
Audits and Monitoring: All Covered Persons must cooperate with audits, assessments, and investigations to ensure University compliance with its data privacy obligations.
Special Considerations for Student Records
Student Privacy: Covered Persons must comply with the Family Educational Rights and Privacy Act (FERPA) and other federal, state, and international laws relating to student records.
Special Considerations for Employment Information
Purpose of Data Use: Covered Persons must Process Employment Information only for employment-related purposes, such as payroll and benefits administration and in accordance with applicable law.
Access and Security Measures: Covered Persons must strictly limit access to Employment Information to authorized personnel who require it to perform their job responsibilities.
Updating Information: To the extent required by applicable law, Covered Persons must provide employees with the ability to access, correct, or update their Employment Information.
Storage of Employment Information: Covered Persons must store Employment Information in secure, University-approved systems.
Special Considerations for Health Information
Purpose of Processing: Covered Persons must Process Health Information for the purposes of facilitating patient care, health care operations and billing, benefits administration, complying with legal and regulatory obligations, or enhancing the education and training of students in health-related fields. This must be done in accordance with applicable laws, regulations, contracts, and applicable privacy and security policies and notices.
Access: Covered Persons may access Health Information only with authorization and only to the extent necessary to perform their job or educational responsibilities.
Data Security: All Covered Persons must use University-approved secure systems for Processing Health Information.
Network Security: Covered Persons may only transmit Health Information electronically through secure, University-approved channels. Health Information may not be communicated via public or unsecured communication channels.
Training: To the extent required by University or University of Chicago Medical Center policies, Covered Persons must complete HIPAA training on patient privacy and data protection before accessing Health Information.
International Data Sharing Obligations
Awareness of International Laws: Covered Persons who Process Covered Information outside of the United States, transmit Covered Information to or from jurisdictions outside the United States, or Process Covered Information about Data Subjects outside the United States must be aware of the relevant international data privacy laws and regulations and comply with them, if applicable. These include, for example, the European General Data Protection Regulation (GDPR), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Hong Kong Personal Data Privacy Ordinance (PDPO).
Consequences of Non-Compliance
Compliance with this Policy is mandatory, and violations of the policy may result in disciplinary action, up to and including the suspension of network privileges, suspension or expulsion from further study, and termination of employment.
Policy Ownership
Responsible University Officer(s): Chief Information Officer
Responsible Office: Privacy Office
The Chief Privacy Officer is responsible for:
- Overseeing the implementation and enforcement of this Policy
- Coordinating with University units regarding compliance
- Reviewing and updating the Policy periodically to reflect changes in laws, regulations, or University practices
Effective Date: 11-03-2025
Last Updated: 11-03-2025
Contacts
For questions or concerns, including filing a complaint, or to obtain further information regarding this Privacy Policy or data privacy practices at the University, please contact:
The University of Chicago
Attn: Privacy Office
6045 S. Kenwood Ave #321
Chicago, IL 60637
Chief Privacy Officer
privacy@uchicago.edu
773.702.4093