91 SPEC Kit 360: Learning Analytics
PENNSYLVANIA STATE UNIVERSITY
AD53 Privacy Policy
https://policy.psu.edu/policies/ad53

certain cases, such as when required by law or for business purposes with certain third party providers. All records containing PII will be classified, at a minimum, as “High” pursuant to AD95 (/policies/ad95) and must be secured appropriately. Other data elements not specifically classified as PII but that can otherwise be used to distinguish or trace an individual’s identity (e.g. Date of Birth) must be classified, at a minimum, as “Moderate” pursuant to AD95 (/policies/ad95), unless an exception (https://psu.app.box.com/v/exception) is approved by the Chief Privacy Officer, privacy@psu.edu and/or the Chief Information Security Officer, security@psu.edu. (See Policy AD95 (/policies/ad95), Information Assurance and IT Security and corresponding standards). Disposal of the records must be done securely, and in accordance with Policy AD35 (/policies/ad35), University Archives and Records Management.

HEALTH INFORMATION - Individuals have rights with respect to the privacy and security of their health information under Federal and state laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). These rights are outlined in University Policy AD22 (/policies/ad22), Health Insurance Portability and Accountability Act (HIPAA).

INFORMATION COLLECTED FROM UNIVERSITY'S WEBSITE – Information collected on the University's website is governed by the University's Web Privacy Statement (http://www.psu.edu/web-privacy-statement).
ELECTRONIC SECURITY SYSTEM INFORMATION - Access by University units and individuals to information gathered, processed, and archived through electronic security systems (e.g., card or other facility access systems, alarm systems, video surveillance systems) shall occur only in accordance with Policy AD65 (/policies/ad65), Electronic Security and Access Systems.

III. Data Protection and Data Loss Prevention

In order to protect "High" or "Restricted" data entrusted to its care (See Policy AD95 (/policies/ad95), Information Assurance and IT Security and its corresponding standards), the University reserves the right to monitor its networks to detect and respond to externally or internally generated attacks upon its systems, subject to the constraints of this Policy.

PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION (PII) – All systems that house certain types of information classified as "High," such as PII, are subject to the Pennsylvania Data Security Breach Notification Laws, (PA Statutes, Title 73, Ch. 43, §2301-2308, 2329) and/or other applicable data breach notification laws. University systems classified as High and Restricted must be scanned appropriately to identify PII using University approved scanning procedures. Users of University systems shall utilize the results of required scanning to facilitate proper handling of any and all PII identified. University approved scanning procedures will be developed to identify stored PII to facilitate proper handling. Users are responsible for remediating (i.e., securely removing, redacting) unauthorized instances of PII on their systems. If, however, the scanning identifies PII that also is subject to a litigation hold, please contact the Office of General Counsel before remediating. Subject to the constraints of this Policy regarding authorization, the University also reserves the right to perform automated checks to detect and respond to the possible exfiltration of PII over its computer networks.
Periodic security scans for PII will be administered to detect unauthorized instances of PII, when necessary. Deliberate failure to remediate unauthorized instances of PII may result in disciplinary action. Please see the following resource (https://security.psu.edu/spirion/) for specific guidance and direction as to current University approved scanning procedures.

Specific details on the permitted use, storage, and transmission of PII, as defined in this Policy, can be located in the below Standard:

PII Standard (https://psu.box.com/v/pii-standard)

This Standard will be enforced in the same manner as this Policy.

VENDOR CONTRACTS – In the event that a unit, department, or individual seeks to enter into a contract that