Including a Privacy Statement on U Web Pages

• Updated: December 2003
• Primary Contact : Brian Dahlin

The policy of the University is to respect the privacy of all web site visitors to the extent permitted by law. Although all University web sites are encouraged to do so, the following web sites must select, adhere to and notify visitors of their information collection policy by including a "Privacy Statement" on their website.

• Official University sites
• All sites that collect online information from visitors
• All sites that track user actions

Units and individuals responsible for web sites may select the standard or customized "Privacy Statements" included within this policy, or they may create one of their own. Any such statement must be written to assure web site users that the University will:

• Inform visitors about information collected, its intended use, and options for using the site without providing such information.
• Follow laws governing the collection of online information.
• Notify visitors of their options concerning accessing information collected.
• Establish appropriate security measures for any personally identifiable information collected.

Notification of visitors requires that each page of the web site display a link to a "Privacy Statement", display the statement itself, or cause the statement to be displayed the first time a user visits the site, and each time the statement changes thereafter. The privacy statement should include a reference and link to this University policy and contact information for visitors with questions about the specific site policy, data collection, or data security.

Official University web sites, sites that collect information from visitors online, and those that track user actions must post an online privacy statement by September 2001. Use by other University web pages not included in the three subcategories above is encouraged.

Sites conducting web-based research are subject to review by the Institutional Review Board (IRB). The IRB will develop its own guidelines for the use of web sites in research and will apply those guidelines to research projects requiring IRB review.

Exclusions

This policy does not address issues related to internal security measures of electronic communication or those related to conducting research activities on the WWW.

Special Situations

If private information (Defined by the Minnesota Data Practices Act) is requested from individuals, they must be informed of certain information that is collected. (Minn. Stat. 13.04 subd. 2)

As an ever-increasing number of users interact with the University and its units through web sites, technology provides increasing opportunities to gather information about these individuals. While much information-gathering is consensual and for specific purposes, web users are discovering that some web sites gather information without the users' knowledge or consent. This information may be used for purposes contrary to the users' interests, and over time this process may erode users' confidence in using the web.

The University is committed to informing online users of the data collection and storage policies of its sites as it fulfills its primary mission of teaching, research and outreach. This policy establishes standards for informing users whether and when the University collects information electronically via the WWW.

The Minnesota Government Data Practices Act - Minn. Stat. 13.01 et seq. governs the classification and distribution of public and private information collected by public organizations. By amendment in 2003, the Data Practices Act also requires that websites maintained by public entities display privacy notices to visitors, and establishes specific language that must be included in the notices.

Customized versions of privacy statements may be necessary to meet the specialized needs of groups within the University such as students, health sciences or business units.

• Selecting an Online Privacy Policy

There are no forms associated with this policy.

Authentication

A verification that substantiates that a person is who the person says he or she is. For purposes of this policy, people are considered authenticated members of the University community if they have an Internet ID, and that they are able to prove that they know the password associated with that Internet ID listing.

Cookies

Cookies are data that a web site transfers to an individual's browser where they are stored and later returned to the site upon request. They allow sites to identify users within and across visits, to track usage patterns, and to more easily compile data on transactional information for individuals visiting web sites.

Identification

Any means of identifying an individual, manual or automated. A process that enables recognition of an entity by an automated information system is usually accomplished through the use of unique machine-readable user names.

Official University Web Site

Web sites representing themselves as presenting information from a department or unit of the University. Often these are pages directly linked to the main web page for the campus, listed in the directory of departments and units, or displaying the University of Minnesota wordmark. This includes sites used primarily by the University for administrative purposes.

Online Information Collected From Visitors

Any data typed into a web page by a visitor and collected and stored by the web site. For example the web page may have prompts for this information such as "enter your name" or input boxes. This definition does not include routine e-mail links to send comments for site improvement to the webmaster.

Personally Identifiable

Data or information that include (1) the name of the person or other family members; (2) the person's address; (3) a personal identifier such as a Social Security number, student ID number, e-mail address, telephone number, or other user number (4) a list of personal characteristics, or (5) other information that would make the person's identity easily traceable.

Profiling

The process of gathering information about a particular individual or class of individuals for purposes of outlining/highlighting data such as their potential product interests or ability/desire to participate in certain activities.

Security Measures

Processes, software, and/or hardware used by system and network administrators to assure confidentiality, integrity, and availability of computers, networks, and data belonging to the University and users of University computer and network resources. Security measures include monitoring of network traffic to detect security attacks, the automated or manual review of files for potential or actual security or policy violations, and the investigation of security-related issues.

Transactional Information

Information gathered as part of identifying, processing, and billing electronic communication including, but not limited to: electronic mail headers, summaries, and addresses; records of telephone calls; IP addresses; and URLs.

University Community

University faculty, staff, and students, as well as any others (e.g., alumni) are considered a part of the University community. The General Counsel may designate other members of the University Community.

University Web Sites

All sites on University networks, or using University resources, or residing within the University's "umn.edu" domain.

Visitor

Any authorized user of a web site. This may include members of the University community as well as the general public.

Web Sites Tracking Visitor Actions

Any web sites that use "cookies" or other technical means to store information about the visitors or visitors actions. This definition includes either the routine information stored in server security logs (date and time of visit, internet address of the referring site, domain name and IP address) by almost all web sites.

Chief Information Officer

Maintain the versions of the online privacy statements within this policy.

Department Head

Select or create an information collection policy and online privacy policy statement that fits the unit's web site. Determine which web pages are Official University pages.

General Counsel

Provide advice to Units on legal requirements for maintaining, securing, and releasing information collected from web visitors.

Individual Web Site Operator

Modify the web site to display or link to the online privacy policy statement chosen and to this University policy. Bring to the attention of the Department Head any web sites that should display the privacy statement.

Web Site Visitor

Be informed of your rights and responsibilities related to any personally identifiable information you provide.

• Suggested Language for Customized Privacy Statements
• University Online Privacy Statement

1. Do all web sites on University networks have to display an online privacy statement?

   If unofficial University web sites don't collect data online from visitors and don't track user actions, there is no requirement but privacy statements are encouraged for all web sites. All official University websites that track user actions (and most do) must display a privacy statement. In addition, if the website collects information from visitors, the site must have a privacy statement and you should consider whether a customized statement is more appropriate.

2. For commercial reasons, our unit operates a web site with a .com address. Is this site subject to this policy?

   Yes. Any site operated on the University network or by a University unit or using University resources must adhere to the policy, whether or not it is accessed through a umn.edu address. You may find it useful to create a custom policy statement for this site, however.

3. Does this policy apply to web sites that are limited to only internal University use?

   It applies to any web site that meets the three criteria described in the policy statement.

Related Policies

• Board of Regents Policy: Student Records
• Administrative Policy: Internal Access to University Information
• Administrative Policy: Acceptable Use of Information Technology Resources

Other Related Information

• University of Minnesota's Internet Studies Center
• Georgetown Internet Privacy Policy Study
• Information on Privacy in Research
  • Office for Human Research Protections
  • Privacy and Confidentiality in Research
  • Informed Consent in Research
• Electronic Communications Privacy Act (ECPA)
• Minnesota Government Data Practices Act - MS. 13.01 et. seq.
• MS. 13.15
• Health Insurance Portability and Accountability Act

Amended:

December 2003 - Updated Statement and Reason for Policy, Definitions, FAQ, and online privacy statement because of new provisions in Minn. Stat. 13.15. Title changed from Collecting Information From Visitors To U Web Sites (Online Privacy) to Including a Privacy Statement on U Web Pages.

Amended:

August 2001 - Deleted the word "Proposed" from Policy Title. Clarified Policy Statement.

Amended:

February 2001 - Updated Policy Statement, Contacts, Who Should Know, Definitions, Procedure, FAQ and appendices in response to feedback from the University Community.

Effective:

September 2001