Protecting Your Privacy

Best Practices

We respect the privacy rights of individuals and strive to protect personal data in all aspects of university operations. We also encourage individuals to take reasonable steps to protect their personal information and know their privacy rights. We use the Fair Information Practice Principles (FIPPs) to guide our organization on properly handling individuals' personal data.

  1. Collection Limitation: limit the collection of personal data to only the information you need. Obtain the information lawfully and with the knowledge or consent of the data subject.

  2. Data Quality: personal data should be accurate, up-to-date, and relevant to the purpose for which it was collected.

  3. Purpose Specification: the purpose for which information is collected should be disclosed at the time it is being collected and only used for that purpose specified. Any change in purpose must be disclosed and consented to by the data subject.

  4. Use Limitation: personal data must only be used for the purpose for which it was collected with the consent of the data subject or by authority of law. It should not be disclosed or shared with third parties without consent or a contractual business purpose.

  5. Security Safeguards: reasonable physical, technical, and administrative security measures are required to protect against unauthorized access, use, modification, disclosure, or destruction of data.

  6. Openness: privacy practices should be transparent. An organization's privacy policy should be easy to access and understand, include collection and use practices, and provide contact information.

  7. Individual Participation: individuals should have a right to obtain their data in a reasonable time, manner, and format; and to request amendment, rectification, completion, or erasure of their data.

  8. Accountability: organizations are held accountable for following these principles.

Important Information

For Faculty/Staff

The Family Educational Rights and Privacy Act is a federal law that governs student records. It grants students the right to access their own educational records, as well as limits the release/sharing of those records to anyone other than the student or their designee. FERPA applies to all current and former students of the university. See the full Policy on the Confidentiality of Student Records. Generally:
  • Student information (grades, schedules, GPA, attendance, etc.) should not be shared with other students, parents, or third-parties without the explicit written consent of the student, with limited exceptions:
    • Some education records may be shared with "school officials" who have a "legitimate educational interest" without the student's consent (e.g. AU administrator).
    • Some education records may be shared with vendors of the university to fulfill a specific contractual business purpose requiring them to protect the information (e.g. a software that integrates with Canvas).
    • Some education records designated as "directory information" (name, Auburn e-mail, degree received, etc.) may be shared if for non-commercial purposes and with the consent of the SVP of Student Affairs (e.g. invitation to an honor society).
  • Contact the Registrar's Office if you have questions.
Specific types of data (SSNs, unpublished research data, student records, etc.) should only be stored in certain locations to adequately secure the data. Use the Data Storage Matrix to determine the correct location for storing your data.
  • Avoid using non-Auburn services and tools (Gmail, personal devices, Dropbox, etc.). Use Auburn e-mail, Auburn computers/laptops, and storage solutions such as One Drive, Box, and Xtender.
  • The Data Classification Policy identifies categories of data based on its sensitivity and criticality, and specifies appropriate protection standards for each category of data.
  • Contact the Cybersecurity Office if you have questions.
Software and technology related services require approval through the Vendor Vetting process. Review by the 1) Information Security Office, 2) Institutional Compliance & Privacy, 3) Office of Cash Management, and 4) Office of Accessibility to assess what information is being collected and/or shared with vendors to determine whether it meets standards required for data privacy, cybersecurity, PCI DSS, and accessibility.
  • This process provides guidance for implementation and, if needed, additional contractual obligations of the company to meet legal standards.
  • The Software & Information Technology Services Approval Policy requires this approval prior to the acquisition or renewal of any software or information technology services to ensure they meet or exceed regulatory statutes and industry best practices.
  • Contact the Office of Information Technology if you have questions.

If you suspect that data or information has been compromised, lost, stolen, or inappropriately accessed, used, or exposed, report it immediately to the Information Security Incident Response Team (ISIRT) by sending an email to abuse@auburn.edu or calling (334) 844-0888.

The Information Security Incident Reporting Policy requires that security incidents be reported to the proper departments to allow Auburn University to take appropriate action.

 

For Students

Phishing is a technique scammers use to "fish" for usernames, passwords, and other sensitive information by sending fraudulent emails to users that can install malware or viruses on your device, or trick you into providing your personal information or money.
  • Do not click on suspicious emails or links
  • Do not give out your username, password, or other sensitive information
  • Do not approve DUO requests that you did not initiate
Limit the amount of personal information you share publicly and with hundreds of "friends" on social media such as your birthdate, phone number, and current location. Unnecessarily sharing your preferences, favorites, and events attending creates a distinct user profile about you that others can use to direct certain content to you, sell to others, or even cause harm. 
College students are identity theft's most common victims because of the availability of personal information and a lack of adequate precautions. 
  • Social Media: be suspicious of messages from strangers and links from identity thieves posing as your friends. These can contain malware that can steal information from your smartphone or tablet.
  • Safeguard your personal information including your social security number, financial information, student ID, etc.
  • Check your credit report annually for any accounts or lines of credit you did not initiate.
Do not share your Tiger Card log in information with anyone else! You are not just giving them your football ticket, you are giving them access to your course schedule, e-mail account, dining dollars, and more. This is a huge risk if used inappropriately that could jeopardize your entire college career.

Tools

Software Approval

Vendor Vetting Portal

Approved Data Storage

Data Storage Matrix

Advisory Guidance

Generative AI Tool Guidance

Privacy Policies

Electronic Privacy Policy
Information Disclosure and Confidentiality Policy
Software and Info Tech Services Approval Policy

Related Security Policies

Information Security Incident Reporting Policy
Data Access Policy
Information Security Policy
Sensitive Personally Identifying Info Protection Policy
Vulnerability Management Policy

Identity Theft Prevention Program

Auburn University's Identity Theft Prevention Program was developed pursuant to the Federal Trade Commission's Red Flags Rule to help detect, Prevent, and mitigate identity theft. This program was developed with oversight and approval of the Auburn University Board of Trustees with consideration of the size, complexity, nature, and scope of the University's operations and activities.

Red Flags

Red Flags are warning signs which should alert an organization that a risk of identity theft exists. The regulation supplements other legislation aimed at preventing identity theft through tightened data security (e.g. Gramm-Leach-Bliley) by addressing situations where individuals attempt to use another person's identity to fraudulently obtain resources or services.

Identity Theft Prevention Program

Identify, Detect, Respond

Red Flag Rules apply to financial institutions and creditors that offer or mainatin accounts that provide for multiple transactions primarily for personal, family, or household purposes. Because Auburn maintains transaction accounts for financial aid and other programs, we must establish an Identity Theft Prevention Program to identify, detect, and respond to red flags, and update the Program as necessary.

Take the Training in ElevatED

Privacy Resources

FERPA Info

HIPAA Info

External Privacy Resources

Other Policies

Last updated: 04/09/2024