Data Use, Privacy, and Security
1. Purpose
Brigham Young University–Hawaii (“BYU–Hawaii” or “university”) strives to maintain standards and practices that accord with ethical, contractual, and legal requirements for data use, privacy, and security.
2. Policy
University employees may process Nonpublic Institutional Data only when doing so reasonably serves the university’s academic, administrative, or institutional purposes.
University employees must process Nonpublic Institutional Data in accordance with applicable university policies, the BYU–Hawaii Privacy Notice, and relevant laws and regulations.
3. Implementation
3.1 Definition
3.1.1 Data Sharing Agreement
Data Sharing Agreement means a formally recorded document created through campus data governance procedures that describes the use case and data resources needed to share university data with specific parties.
3.1.2 Data Steward
Data Steward means an employee with designated responsibility for processing a specific set of data.
3.1.3 Nonpublic Institutional Data
Nonpublic Institutional Data means any data created, owned, or processed by the university that is not publicly published or available.
3.1.4 Personal Information
Personal Information means any data or information that relates to, is associated with, describes, identifies, or reasonably can be used to identify a natural person.
3.1.5 Processing Data
Processing Data means the access, collection, classification, use, modification, sharing, storage, or destruction of data.
3.2 Accessing Nonpublic Institutional Data
The university allows access to Nonpublic Institutional Data only in accordance with the following table:
Accessing Individual or Party | Accessible Data |
An individual (e.g., student, alum, employee, donor, patient, patron) | The individual’s own Personal Information, subject to applicable laws and relevant BYU–Hawaii policies and procedures. |
A university employee | Nonpublic Institutional Data as necessary for legitimate university purposes associated with his or her job, provided that the employee uses authorized university systems and processes, including approval by the assigned Data Stewards to ensure (i) appropriate use of the data to support university purposes, (ii) the confidentiality and privacy of those individuals whose records may be accessed, and (iii) compliance with applicable laws or policies with respect to access, use, and disclosure of the data. |
A third party (e.g., consultant, contractor, vendor, CES school, Church department) | Nonpublic Institutional Data when the third party’s access and use of the data is (i) for legitimate university purposes, (ii) approved by the assigned Data Stewards, and (iii) subject to a Data Sharing Agreement between the third party and BYU–Hawaii requiring the third party to take measures to appropriately safeguard and use the information pursuant to BYU–Hawaii policy and applicable laws. |
Legal authorities, government agencies, or parties engaged in or preparing for legal proceedings* | Nonpublic Institutional Data, only if authorized by the Office of the General Counsel. |
*Any employee who, on behalf of the university, receives a request, subpoena, warrant, or court order for Nonpublic Institutional Data from one of these entities or individuals must immediately refer that request, subpoena, warrant, or court order to the Office of the General Counsel.
3.3 Processing Personal Information
University employees must process Personal Information:
- purposefully—in compliance with pre-defined and legitimate purposes, such as performing a contract, pursuing a legitimate interest, complying with law, or based on consent;
- minimally—in a manner that is sufficient to properly fulfill the stated purpose, has a rational link to that purpose, is limited to what is necessary, and for no longer than necessary;
- transparently—only after providing individuals with clear and intelligible information, either through concise privacy notices or just-in-time statements, about who will process their Personal Information and for what purposes, and by giving individuals the opportunity to inspect and correct their Personal Information as required by law; and
- safely—subject to appropriate measures, including role-based access controls, data sharing agreements, and other controls to safeguard against anticipated risks, where applicable.
3.4 Transferring Nonpublic Institutional Data
University employees should contact the Office of Information Technology, which will work with the Office of General Counsel (OGC) and the CES Security Operations Center (CES SOC), before signing any agreement or entering into any arrangement with a third party to process or have access to any Nonpublic Institutional Data. The CES SOC provides an assessment of the proposed data transfer(s) and the third party’s security standards and mechanisms. The OGC provides legal review of the information security and data transfer terms and conditions. (See Contracts and Legal Documents.)
3.5 Reporting Data-Related Issues
In the event of an incident or breach, the chief information officer (CIO) will notify the university president and President’s Council as well as the CES Security Operations Center (SOC) following the Information Security Major Incident Response Process (IRP). Subsequent internal and external communications about the incident will be considered confidential and managed following the guide set out in the IRP. Breach notification and reporting to third parties will be determined by contract, law and policy, with input from the CIO, chief information security officer (CISO), Office of General Counsel (OGC) and others, as appointed.
In the event of a third-party breach notification, where another entity has lost BYU–Hawaii data, the department that received the notification, normally the department that manages the contract, is responsible for notifying the President’s Council, as well as the chief information officer. The chief information officer will notify the SOC.