Privacy Policy | Site | | #itsecurity | #infosec

 Data Privacy Policy (Policy Number)


  1. Purpose

The University of Oklahoma (OU) is dedicated to protecting the privacy rights of those providing it with personally identifiable information (PII), whether student, faculty, staff, patient, or visitor. OU will collect only those data needed to conduct or improve its services, operations, or educational experiences or for which it has a clear purpose. OU is committed to making sure any PII you entrust to OU will be used only to conduct its official business and will not be distributed to any unaffiliated third party, except as described in the policy. OU closely monitors the storage of PII to ensure it is in as few locations as possible and that those locations are equipped with appropriate protection from unauthorized access.


OU patient information is Protected Health Information (PHI) protected by the Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), and the applicable provisions of the Health Information Technology for Economic and Clinical Health (HITECH). In collecting PII, our Services may also collect PHI. Just as OU strives to protect PII, it is committed to protecting PHI.  PHI will remain confidential and will only be used or disclosed as detailed in the OU Notices of Privacy Practices. Additional details can be found below in the HIPAA section.


  1. Scope

This Policy applies to all websites, apps, electronic forms, communications, and the like (together, “Websites”) owned, leased, or provided by OU, encompassing the Norman, Health Sciences Center, and Tulsa Campuses as well as their remote sites (together, “OU”).


  1. Accountability

The Data Protection Officer with assistance/support from the Health Insurance Portability and Accountability Act (HIPAA) Privacy Official is responsible for administering this policy and ensuring compliance.


  1. Policy

It is the policy of OU that PII and PHI may be collected through information provided on any OU website.


Policy Level: 3

Approval Authority: President

Date of Approval:

Subject Matter Expert Department: Data Protection Officer

Date of Last Review:

Date of Next Review:








  1. Collection and Use of Personally Identifiable Information
  2. What is personally identifiable information (PII)?

Personally identifiable information (PII) is any information that either directly identifies you or makes it possible to identify you. OU may obtain, hold, and process PII gathered through its Websites. This may include information related to you that can be identified, directly or indirectly, by reference to a collected piece of information such as an identification number; location data; an online label (often called an identifier); or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural, or social identity.

  1. How does OU collect PII?

In general, OU collects and processes two types of information through its Websites: (1) information voluntarily provided by you in order to receive requested information and/or services, and (2) information automatically collected upon your navigation to one of its Websites (usually through web browser cookies and web beacons). By using an OU Website or filling out an OU electronic form, you consent to OU’s collection and use of the included PII.

  1. Why does OU collect PII?

The PII collected is used only for administrative, educational, and/or research purposes and in furtherance of OU’s mission. Such use is necessary for the legitimate interests of OU, including carrying out its educational and research mission; performing its business; complying with legal and contractual obligations; protecting your or someone else’s vital interests; and/or for the public interest. 

  1. OU does not sell any PII gathered from its websites.

OU may disclose your information to third parties in accordance with applicable law or under specific circumstances:

  1. Consent/Authorization: OU may disclose your information to third parties if it has your written permission to do so.
  2. Service Providers: OU may share your information with third parties for the third parties to provide services and/or products, support its operations, help fulfill its obligations, or as provided under contract. 
  3. Required by Law: OU may share your information with third parties if it is required to do so by law, court order, subpoena, or other legal processes.
  4. Anonymized and aggregate: OU may use and disclose your information in a non-identifiable or summary form without limitation.


  1. Security, Retention, and Disposition of Your Information

OU recognizes and respects the importance of confidentiality and security of personal information in this increasingly open electronic age. While OU makes reasonable efforts to protect information provided to us, OU cannot guarantee that this information will remain secure and is not responsible for any loss or theft. OU uses technical, physical, and organizational security measures designed to protect PII it processes and to mitigate risks in ways appropriate to the nature of the data and in accordance with applicable legal requirements. OU retains or disposes of PII in accordance with applicable policies, as well as with applicable state, federal, and international requirements.


If you share personal information, including photographs, on any OU Website, social network, blog, or other forum, the information you submit can be read, viewed, collected, or used by other users who could use it to contact you or send you unsolicited messages. OU does not have control over these actions. OU is not responsible for the PII you choose to provide in these forums.


III. Third-Party Sites and Third-Party Hosting

Sites owned or hosted by OU may contain links to external sites that are hosted outside of the OU domain. When you use such links, you leave OU-controlled Websites. OU is not responsible for the privacy practices or the content of websites outside of its domain.


OU may contract with one or more third parties to maintain and host its Website(s). As a result, any information you submit, including PII, may be placed and stored on a computer server maintained by this third party. Your use of the Website constitutes your acknowledgement that such information or content could pass through and may be stored in servers outside of OU’s control. OU has no liability or responsibility for any such pass- through or storage of same.


IV. Family Educational Rights and Privacy Act (FERPA)

OU complies with all aspects of Public Law 93-380, the Family Educational Rights and Privacy Act. Please click here for more information.


  1. Children’s Online Privacy Protection Act (COPPA)

OU does not knowingly collect or use any PII from children (defined by COPPA as minors younger than 13) on its websites. OU does not knowingly allow children to communicate with it or use any of its online platforms. If you are a parent and become aware that your child has provided OU with PII, please use one of the contact methods specified in this document to communicate any concerns.


VI. Health Insurance Portability and Accountability Act (HIPAA)

OU’s designated health care components will share protected health information, as that term is defined in the Act, of patients, research participants, and health care enrollees only in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other state, federal, and international laws. See


  1. Equal Opportunity

OU is in compliance with all applicable federal and state laws and regulations. OU does not discriminate on the basis of race, color, national origin, sex, sexual orientation, genetic information, gender expression, age, religion, disability, political beliefs, or status as a veteran in any of its policies, practices, or procedures. This includes but is not limited to admission, employment, financial aid, housing, services in education programs or activities, or health care services that OU provides.






  1. European Union General Data Protection Regulation (GDPR)

Subject to certain limitations and conditions, if you are considered a data subject under the European Union’s General Data Protection Regulation, you have certain rights regarding the processing of your personal information, including the right to request access, correct, delete, restrict, or object to our processing of, or receive a portable copy of, your personal information. A data subject may exercise these rights by contacting Please note, however, that the right to erasure of personal data may occur only in those very rare circumstances where OU has no legitimate reason to continue to hold/process those data, including legitimate reasons such as the defense of legal claims. OU generally must maintain basic student records and employment records in accordance with its record retention policy and legal requirements. A data subject has the right to lodge a complaint with a local data protection or privacy regulator. 


A data subject’s personal information may be transferred to, stored, and processed in a country that is not regarded as providing the same level of protection for personal information as the laws of the European Union. OU has put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to provide adequate protections for your personal information protected by the GDPR. For more information about the safeguards that OU has in place in connection with a data transfer, contact


















Original Source link

Posted in Uncategorized

Leave a Reply

Your email address will not be published. Required fields are marked *

fifty five − fifty one =