90 Institution Privacy Policies PENNSYLVANIA STATE UNIVERSITY AD53 Privacy Policy https://policy.psu.edu/policies/ad53

regulations”), the following guidelines apply:

1. Necessary Action – Exceptions to the privacy policy may be authorized only when reasonably necessary to protect the security and interests, legal or otherwise, of the University, its communications system, and the academic process, or when there is reason to believe that the individual has violated or may have violated law or University regulations.

2. Consultation – The exception clause may be invoked only by persons with responsibility and authority for administering the law or regulations within the University (e.g., computer security officer, University police) and, except for civil or criminal matters or proceedings, compliance with any other legal requirement, matters of public safety, or when conditions or circumstances exist that necessitate immediate access, only after consultation with an appropriate University Official, as defined in AD83, or the Privacy Governance Board. The Privacy Governance Board’s deliberations, when consulted, shall be kept confidential.

3. Notification – Where practicable (and subject to the University’s legal obligations, the circumstances described in this and all other University policies, or conditions or circumstances exist that necessitate immediate access), the University shall provide advance notification to an individual prior to all other University access, for cause, to the content of an individual’s user files / systems / activity (and, if necessary, physical locations in order to access said files / systems / activity). In certain instances where an individual is, for any reason, unavailable to receive such advance notification and his or her individual data is to be accessed to accomplish legitimate University business, access may also be permitted without prior notification.

f. Responsibility

Executive guidance for the Privacy interests addressed by this policy and related guidelines of both the University and those individuals whose private data has been entrusted to its care shall be vested in the Executive Vice President and Provost.

II. Specific Categories of Information

The below are data use constraints related to certain types of data collected, processed, stored, or published by the University.

EMAIL ADDRESSES - E-mail addresses appearing on University web sites are published for the sole purpose of facilitating private, individual communication between University personnel and readers. The University will not distribute, sell, or otherwise transfer addresses on its website or online services to non-affiliated parties or individuals. The University reserves the right to use internal search functions to obtain specific email addresses for normal business operations. Information such as email addresses may also be displayed in online directories accessible by the general public, unless requested otherwise (see AD11 (/policies/ad11), University Policy on Confidentiality of Student Records and HR58 (/policies/hr58), Employee Office Address and Telephone Number Information).

INFORMATION COLLECTED FOR SERVICE PROVISION – On occasion, the University may collect information from and about users to synchronize systems or update the experience between the user and Penn State. Penn State will not sell, trade, or share the information collected per the University’s Web Privacy Statement (http://www.psu.edu/web-privacy-statement). Information collected will be used solely for the purpose for which it was intended.

SOCIAL SECURITY NUMBER (SSN) AND PENN STATE IDENTIFICATION NUMBER (PSU ID) – A Penn State Identification Number (PSU ID) will be assigned to all students and employees of the University as the primary identification number for University purposes. The PSU ID shall be unique to the individual and is a lifetime assignment used for multiple and changing relationships with the University. For more information on the PSU ID, refer to University Policy AD97 (/policies/ad97).

As a matter of University policy, and except as may be required by applicable federal, state or local laws or regulations, it is prohibited that, and in no case shall, any SSN be used as an identifier in a University hosted or developed system or applications, or transmitted electronically, unencrypted. SSNs and/or PII must only be used to accomplish legitimate University business needs or requirements. SSNs will only be requested and required in