Electronic Privacy Policy

Effective Date:
May 7, 2019
Last Revised Date:
January 1, 2020
Last Reviewed Date:
December 9, 2025
Applies To:
Classified Staff, Appointed Personnel, University Staff, Students
Responsible Unit(s):
University Privacy
Responsible Unit Email(s):
privacy@arizona.edu
Status:
Active

Purpose and Summary

The University of Arizona (University) provides information and services to students, employees, and the public through its Information Technologies. 

This Policy establishes the obligations of the University to inform University-Related Persons and the public about the University privacy practices and the collection, use, and dissemination of information through electronic means.

Scope

This policy applies to all University-Related Persons.

Definitions

CISO means the senior-level University employee with the title of Chief Information Security Officer.

ISO means the University Information Security Office, responsible for coordinating the development and dissemination of information security policies, standards, and guidelines for the University.

Unit means any University college, school, department, program, or other operating unit.

Unit Privacy Notice means a Unit-specific privacy notice that is provided by a Unit that maintains their own webpages, applications, or other electronic services that collect, use, or disseminate personal information.  

University Information Technologies means all electronic information systems, devices, networks, and other technologies owned or controlled by or on behalf of the University that collect, transmit, display, process, store, or otherwise handle personal information of individuals.

University Privacy Statement means a published privacy statement that is generally applicable to the collection and submission of personal information and data through the University Information Technologies. 

University-Related Persons means University students and applicants for admission, University employees and applicants for employment, Designated Campus Colleagues (DCCs), retirees, alumni, temporary employees of agencies who are assigned to work for the University, and third-party contractors engaged by the University and their agents and employees.

Policy

A.  All Classifications of University Information

  1. University Privacy Statement
    1. The University must publish a privacy statement (the “University Privacy Statement”) that is generally applicable to the collection and submission of personal information and data through the University Information Technologies.
    2. University Information Technologies includes, but is not limited to, websites owned or controlled by the University (e.g., domains ending in arizona.edu), applications (including mobile applications) published by the University, email and messaging systems maintained by the University, electronic payment processing performed by the University, and other electronic services offered by the University.
    3. The University Privacy Statement must contain the information required by Arizona law (A.R.S. § 18-202) about privacy, confidentiality, and related policies for individuals who use University official websites and other aspects of University Information Technologies.
    4. University Privacy, in collaboration with ISO (or other unit subsequently designated by the Provost and Chief Academic Officer) is responsible for publishing and updating the University Privacy Statement.
    5. University Privacy should consult with ISO and other relevant stakeholders on a periodic basis to ensure that the University Privacy Statement is an accurate reflection of the University privacy practices and policies, as well as contains all information required by applicable laws and regulations. Where appropriate or necessary to comply with law, the University Privacy Statement may be supplemented by additional provisions that apply in a more limited manner.
    6. Each Unit will provide a visible and accessible link to the University Privacy Statement on any electronic or digital user interface that collects user information, including but not limited to all websites, intranet sites, and mobile applications. This includes websites with a top-level domain ending in “arizona.edu,” as well as all other websites owned and/or controlled by the University.
    7. In addition to the public display of the University Privacy Statement, each student, employee, designated campus colleague, and other individual who accesses University Information Technologies through a University-provided NetID is required to read and acknowledge the University Privacy Statement both as a condition of obtaining a NetID and again annually, at a minimum.
  2. College-, Department-, and Unit-Level Privacy Notices
    1. Units that maintain their own webpages, applications, or other electronic services that collect, use, or disseminate personal information are encouraged to provide additional information on their privacy practices and policies through unit-specific privacy notices (“Unit Privacy Notices”).
    2. Unit Privacy Notices should be posted on the relevant webpages and other electronic or digital user interfaces (such as mobile applications) of the Unit and include a link to the University Privacy Statement alongside the Unit Privacy Notice.
    3. Unit Privacy Notices should contain information that is additional to, and that does not conflict with, the University Privacy Statement. Where a Unit develops their own privacy practices, the Unit must seek advance approval for its Unit Privacy Notice from University Privacy and the ISO.
  3. External Connections and Links
    1. University websites may contain links to external websites. Through the existence of these links, the University does not intend to, and does not, endorse or take any responsibility for the privacy practices or policies of external websites.

B. Tracking, Measuring, and Reporting

  1. University Privacy is authorized to track compliance of this policy and produce reports representing these measures to support University decision making.

C. Recourse for Noncompliance

  1. ISO is authorized to limit network access for individuals or Units not in compliance with this Policy, the University Privacy Statement, or any supplemental provisions.
  2. In cases where University resources are actively threatened, the CISO should act in the best interest of the University by securing the resources in a manner consistent with the Information Security Incident Response Plan.
    1. In an urgent situation requiring immediate action, the CISO is authorized to disconnect affected individuals or Units from the network.
  3. In cases of noncompliance with this policy, the University may apply appropriate employee sanctions or administrative actions, in accordance with relevant administrative, academic, and employment policies.
  4. In cases where University-Related Persons violate this policy, the University Privacy Statement, or any supplemental provisions, the University may apply appropriate employee sanctions or administrative actions, in accordance with relevant administrative, academic, and employment policies.

D. Exceptions

  1. Any requests for exceptions must be submitted to University Privacy for review and approval pursuant to the exception procedures published by University Privacy, ISO (or other unit subsequently designated by the Provost and Chief Academic Officer).

Compliance

University Privacy is responsible for overseeing compliance with this Policy.

Policy Feedback

For questions or comments regarding a particular policy or to notify us of broken links or typographical errors, please provide this information below.

To report violations of a policy, please notify the Responsible Unit.

Please Note: Policy feedback is available to the Policy Office, Policy Sponsor, and elected shared governance representatives, upon request, for policies impacting the populations they represent.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.