Skip to content

Rule 4-003F Privacy Statement

Effective date: July 1, 2019

  1. Purpose and Scope

    1. The University is committed to protecting the privacy of individuals visiting Institutional Web Sites and Pages. This rule applies where Institutional Web Sites seek to obtain personal information and require a reference to the University Privacy Statement.

    2. This Rule supports section F, Privacy, of the World Wide Web Policy 4-003.

  2. Definitions

    The definitions provided in Policy 4-003: World Wide Web Resources Policy apply for purposes of this Rule, including the following:

    1. "Data Classification” is a classification of data as restricted, sensitive and/or public data. Data the University owns or has custody of, wherever it may be stored, is assigned a Data Classification.

    2. “Restricted Data” includes, but is not limited to, personally identifiable information (PII), protected health information (PHI), Payment Card Industry (PCI), financial information, donor information. Protection of Restricted Data is required by federal or state law or regulation, contractual obligation, University Policy and may be subject to data breach notification requirements. Access is restricted.

    3. "EU General Data Protection Regulation (GDPR)” is legislation enacted by EU Parliament to protect information about a person that can be used to directly or indirectly identify the person, such as a name, a photo, an email address, bank details, posts on social networking web sites, medical information, or a computer IP address. The GDPR assesses significant fines for non-compliance, breaches, lack of documentation, etc. See The University’s GDPR privacy notice may be found at:

  3. Rule

    1. If a Web Site Owner or Publisher seeks to collect personal information from visitors to its Institutional Web Site, that Organizational Unit must receive permission from the University Information Security Office. This University Information Security Office may only grant a request to collect personal information if the request satisfies all of the following criteria:

      1. The personal information sought must be necessary to perform a legitimate business or educational purpose.

      2. The Institutional Web Page requesting the personal information contains a privacy statement, or link to a privacy statement, prominently displayed on the Web page. The University’s general privacy statement may be found at this link:

      3. The required privacy statement must be approved by the University Information Security Office and must describe how the collected information will be used (sample privacy policy statements are available from the University Webmaster Resources site).

      4. The collection and use of the information must comply with the University Institutional Data Management Policy (Policy 4-001), Information Resources Policy (Policy 4-002), Information Security Policy (Policy 4-004), the Student Records provisions of the Student Code of Rights and Responsibilities (Policy 6-400), and any applicable law or regulation, which may include the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPPA), the Children’s Online Privacy Protection Act (COPPA), and the EU General Data Protection Regulation (GDPR).

    2. A Web Site Owner or Publisher collecting personal information shall provide transaction and storage security for the information obtained. Such methods of security are subject to review or audit by the University Information Security Office.

    3. A Web Site Owner or Publisher collecting personal information shall not sell or otherwise provide any personal information obtained to private companies or other organizations.

      [Note: Parts IV-VII of this Regulation (and all other University Regulations) are Regulations Resource Information – the contents of which are not approved by the Academic Senate or Board of Trustees, and are to be updated from time to time as determined appropriate by the cognizant Policy Officer and the Institutional Policy Committee, as per Policy 1-001 and Rule 1-001.]

  4. Rules, Procedures, Guidelines, Forms and other Related Resources

    1. Rules [Reserved]

    2. Procedures [Reserved]

    3. Guidelines [Reserved]

    4. Forms [Reserved]

    5. Related Resources

      1. University’s Privacy Statement link

      2. University’s GDPR Privacy Notice

  5. References [Reserved]

    1. Policy 4-001, University Institutional Data Management Policy

    2. Policy 4-002, Information Resources Policy

    3. Policy 4-004, University of Utah Information Security Policy

    4. Policy 6-400, Code of Student Rights and Responsibilities. See student records provisions.

    5. Policy 6-316, Code of Faculty Rights and Responsibilities

    6. Family Educational Rights and Privacy Act of 1974 (“FERPA”, 20 U.S.C. § 1232g)

    7. EU General Data Protection Regulation (GDPR). See GDPR Portal.

    8. 45 C.F.R. 164: Health Insurance Portability and Accountability Act (HIPAA): Security and Privacy

  6. Contacts

    The designated contact officials for this Rule are

    1. Policy Owner (primary contact person for questions and advice): Deputy Chief Information Officer, 801-581-3100

    2. Policy Officer: Chief Information Officer, 801-581-3100

      These officials are designated by the University President or delegee, with assistance of the Institutional Policy Committee, to have the following roles and authority, as provide in University Rule 1-001:

      “A ‘Policy Officer’ will be assigned by the President for each University Policy, and will typically be someone at the executive level of the University (i.e., the President and his/her Cabinet Officers). The assigned Policy Officer is authorized to allow exceptions to the Policy in appropriate cases…”

      “The Policy Officer will identify an ‘Owner’ for each Policy. The Policy Owner is an expert on the Policy topic who may respond to questions about, and provide interpretation of the policy; and will typically be someone reporting to an executive level position (as defined above), but may be any other person to who the President or a Vice President has delegated such authority for a specified area of University operations. The Owner has primary responsibility for maintaining the relevant portions of the Regulations Library… [and] bears the responsibility for determining –requirements of particular Policies….” University Rule 1-001-III-B & E

  7. History

A. Current version: Revision 1, effective date July 1, 2019

1. Approved by Academic Senate April 1, 2019

2. Approved by Board of Trustees April 9, 2019

Rule: 4-003F
Date: July 1, 2019
Last Updated: 8/4/21