Privacy Policy
Protection Restricted Information
USC receives and collects Restricted Information, as defined below, from and about students, faculty and staff employees, patients, and business partners, among others, in order to provide academic and clinical services and/or to conduct business operations. USC will use, store and transmit “Restricted Information” responsibly and in compliance with federal and state laws and regulations.
For purposes of this policy, “Restricted Information” is defined as in USC’s Information Security Policy as: “Information or data in this classification is typically regulated or would cause a significant business impact if it were disclosed. Data protected by Health Insurance Portability and Protection Act (HIPAA), Gramm-Leach Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS), the Family Education Rights Privacy Act (FERPA), California Financial Information Privacy Act (CFIPA), personal information and personally identifiable information . . . Other data and information may be classified as restricted if it is in the best interest of the university.”
This policy applies to Restricted Information collected by any means and in any medium. It applies to all university faculty members (including part-time and visiting faculty), staff and other employees (such as postdoctoral scholars), students (including postdoctoral fellows and graduate students) and iVIP (guests with electronic access). In addition, all third parties, including vendors, consultants, and contractors who have access to or control of Restricted Information, described in this policy, must agree in writing to maintain such information in accordance with the policies of the university and in accordance with federal and state laws.
Reduce collection and storage of Restricted Information
The university only should collect or store Restricted Information as necessary to (a) to meet legal and regulatory requirements; or (b) to provide services or conduct business that require Restricted Information, such as for provision of clinical care, administration of financial aid, tax purposes, and collections, among other things.
Limit access to Restricted Information
Only the minimum amount of Restricted Information necessary to fulfill a particular function or purpose should be shared or released. In particular, access to Restricted Information is limited to:
the individual whose information is produced or displayed, upon verification,
a university official or agent of the university with authorized access,
a legitimate academic or business interest and a need to know,
an organization or person authorized in writing by the individual to receive the information,
a legally authorized government entity or representative, or other circumstances in which the university is legally compelled to provide access to personal information, or
other individuals or entities, as permitted or required by law or regulation.
Secure Restricted Information
Appropriate administrative, physical and technical safeguards must be implemented and maintained to secure Restricted Information, which include the following:
Restricted Information involving personally identifiable information maintained in electronic format should be encrypted at rest and in transit, as feasible.
Restricted Information involving personally identifiable information may not be stored on mobile devices unless proper access controls and encryption are maintained on the mobile devices.
All systems storing Restricted Information must comply with the university’s Network Infrastructure Use Policy and the Information Security policy.
Dual-factor authentication must be implemented, as technically feasible, on servers, systems and/or applications that contain Restricted Information.
Restricted Information maintained in paper records must be stored with appropriate physical safeguards, such as in locked cabinets and/or in restricted areas limited only to those who need access to that information.
Restricted Information must be destroyed (e.g., shredded) as soon as no longer needed for the legal or business purposes described above and/or in compliance with the university’s record management policy.
All servers and workstations with access to Restricted Information must be scanned regularly, as determined by ITS Security, and findings must be fully remediated.
All servers and third party systems that generate, store or transmit Restricted Information must meet the USC hardening checklist requirements, as applicable.
Employees with access to Restricted Information are not permitted to directly access their workstations or laptops remotely unless they use VPN or the Keckcare Portal.
Third parties may not access Restricted Information except as required by law or as necessary to carry out a business function and only if the third party has signed the university’s Business Associate Agreement or Data Security Addendum or other appropriate agreement as approved by Purchasing.
Restricted Information must be secured in compliance with any other legal or regulatory requirements.
Approval
Any additional uses of Restricted Information or exceptions to the security safeguards described above must be reviewed and approved in writing by the Information Risk Committee.
Notify school IT administrator if using Restricted Information
Faculty, staff and other employees will advise their school’s IT administrator if they are collecting, generating, transmitting or storing Restricted Information so that the information can be properly secured. The IT Administrator should consult with ITS Security and the Office of Compliance for assistance with requirements to secure the Restricted Information.
Online collection of personally identifiable information
University departments that collect personally identifiable information on their webpages must post a link to this privacy policy and inform consumers about any persons or entities outside the university with whom they may share personal information collected online. If the department has a process for the consumer to change such information, that process must be described and available to the consumer on the department webpages. Complaints about online collection of personally identifiable information or compliance with the California Online Privacy Protection Act should be referred to the Information Security office at (213) 740-5555.
Special privacy rights of students relating to personal social media
Pursuant to state law, USC is prohibited from requiring or requesting students, prospective students or student groups to disclose, access or divulge personal social media. Social media is defined as an electronic service or account, or electronic content, including but not limited to, video or still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts or internet website profiles or locations.
Office of Compliance
ooc.usc.edu
complian@usc.edu
(213) 740-8258