In keeping with New York State and United States federal legislation, ACUNS safeguards the privacy of its members by protecting electronic records classified as confidential information. Unauthorized access to and/or disclosure of confidential information by ACUNS employees or members is prohibited and may result in legal penalties. This policy applies to records maintained in any type of electronic form: computer, voice, or video. It also applies to records created via the ACUNS website.

Definitions

Electronic Records: Electronic transmissions or messages created, sent, forwarded, replied to, transmitted, distributed, broadcast, stored, held, copied, downloaded, displayed, viewed, read, or printed by one or several electronic systems or services. This definition of electronic records applies equally to the contents of such records, attachments to such records, and transactional information associated with such records.

ACUNS Administrative Record: An ACUNS Record (see definition below) that is directly related to the conduct of ACUNS’s administrative business.

ACUNS Record: By law, ACUNS records are any papers, books, photographs, tapes, films, recordings, or other documentary materials, or any copies thereof, regardless of physical form or characteristics, made, produced, executed, or received by any employee or member of ACUNS or by any academic or administrative staff member or volunteer in connection with the transaction of ACUNS business, and retained by that agency or its successor as evidence of its activities or functions because of the information contained therein.

ACUNS Electronic Record: An ACUNS Record in the form of an electronic record, whether or not any of the electronic communications resources utilized to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print the electronic communications record are owned by ACUNS. This implies that the location of the record, or the location of its creation or use, does not change its nature as an ACUNS electronic record for purposes of this or other ACUNS policy.

Until determined otherwise or unless it is clear from the context, any electronic record residing on ACUNS-owned or controlled telecommunications, video, audio, and computing facilities will be deemed to be an ACUNS electronic record for purposes of this Policy.

Principles

Notification: Users should be notified that information is being collected and they should be informed of their rights. (e.g., all Web pages that collect personally identifiable information should include a privacy notice that specifies how the information will be used.)

Minimization: The institution should gather as little information as possible for legitimate purposes and delete information when it is no longer needed or no longer required by law to be retained. (e.g., library records need not be kept for more than a certain limited period of time.)

Secondary Use: Information should be used only for the purposes for which it was collected unless the individual gives additional consent. (e.g., information should not be shared without the individual’s knowledge and consent.)

Nondisclosure and Consent: Information should not be released to third parties external to ACUNS without consent. (e.g., vendors, businesses, etc.)

Need to Know: Only those with legitimate, official needs should have access to information. (e.g., a person’s position of authority in ACUNS does not necessarily mean that they should be able to access information.)

Data Accuracy, Inspection, and Review: Information must be accurate, and individuals should have the right to examine information about themselves and request changes. (e.g., employees should be able to review their records and make changes or follow a standard process for any information that is disputed.)

Information Security, Integrity, and Accountability: Information should be secure and not vulnerable to unauthorized modification, and the handling of the data must be subject to accountability. (e.g., it should always be known who has access to information and changes to information should be documented.)

Education: ACUNS has the responsibility to educate its members and employees concerning privacy rights and the proper handling of information. (e.g., all relevant individuals should know whom to consult about these matters and all employees should understand their responsibilities for abiding by policies for information handling.)

Record Classification

The ACUNS Board, in consultation with Legal Counsel and third-party experts, determines the confidentiality of the data. The ACUNS Board will designate Data Stewards who are assigned responsibility to serve as stewards of ACUNS data. They are responsible for developing procedures for creating, maintaining, and using ACUNS data, based on ACUNS policy and applicable state and federal laws.

The classification “Confidential Information” covers sensitive information about individuals and/or sensitive information about ACUNS. Information receiving this classification requires a high level of protection against unauthorized disclosure, modification, destruction, and use. Specific categories of confidential information include information about:

  • Current and former members, including academic, disciplinary, and financial records submitted by members to ACUNS.
  • Current, former, and prospective employees, including employment, pay, health, and insurance data, and other personnel information.
  • Research, including information related to a forthcoming or pending patent application and information related to human subjects.
  • Certain ACUNS business operations, finances, legal matters, or other operations of a particularly sensitive nature.
  • Information security data, including passwords.

Determining Authorizations: Only those with a legitimate, official need have access to the classified electronic records of ACUNS. The ACUNS Board can determine who is authorized to have access to the information. They should make sure that those with access have a need to know the information and know the security requirements for that information. For “Confidential Information,” they should also make sure that those given access have a need to know and have, if deemed necessary, signed a confidentiality agreement that covers the information.