Privacy
The Press Release
This document was prepared to assist school officials working in consideration of COVID-19 and protecting the privacy of students’ education records.
“Understanding FERPA helps enable school officials to act quickly and with certainty when confronting challenges that affect the health or safety of students or other individuals.”
VCU is committed to preserving an environment that encourages academic and research collaboration through the responsible use of information technology resources. With the integration of technology into our everyday lives, we are faced with new threats against the security and privacy of our information. To prevent the loss and theft of our information, we must realize a shared responsibility, and collectively protect sensitive information. Protection may be governed by regulation, law, legal contracts, policies or other university considerations. Questions or comments related to university privacy can be directed to privacy@vcu.edu and misuse of information or information breaches can be reported through the VCU Helpline.
General Privacy Considerations:
To assess how to keep your information secure and private based on the information type, use VCU's Data Management System tool and the following additional guidance:
- Sensitive information generally includes health-related information; Social Security numbers; financial information (account numbers, etc.); and information included in student records.
- Electronic communications and data on a university-owned computer, or on VCU’s network resources, may be disclosed under the Freedom of Information Act and university, state and federal laws and regulations as necessary.
Handling Personal Information [PDF]
How to Protect Information:
Being observant and reporting privacy breaches helps maintain privacy. A privacy breach may result from any of the following, among other causes:
- Sharing of personal passwords
- Possible theft of electronic or paper data
- Theft or loss of devices
- Phishing emails and scams
- Severe malicious software infections that lead to possible data theft
- Unauthorized access to email or files
- Unauthorized access to physical space or computing resources
Learn more about:
The Family Educational Rights and Privacy Act (FERPA) governs the privacy of educational records of our students. It grants specific rights to students and sets restrictions on how schools may handle educational records. FERPA requires that schools obtain written permission from students before releasing educational records; however, in certain well-defined circumstances, some information may be released without written permission from the student. The parent request form [PDF] and student consent forms [PDF], as well as training materials [PDF], are available through the Registrar’s Office.
Also, see this FERPA Guidance Released by the Department of Education [PDF], which includes responses to 37 FAQs regarding schools’ and responsibilities under the Family Educational Rights and Privacy Act (FERPA).
The General Data Protection Regulation (GDPR) applies to VCU activities in very limited circumstances. Generally, if VCU collects or processes personally identifiable information from individuals located in the European Union or the United Kingdom, GDPR applies. Often the risk analysis is conducted when agreements or contracts are signed with vendors or other third parties. There are exceptions to GDPR's application for some research-related activities. If you are unsure if GDPR applies to your university-related activities or you have questions, just ask privacy@vcu.edu!
If you are uncertain what type of information you may be working with, requesting, using, publishing, reporting on or about, documenting, using for quality assessments or other initiatives, etc., then ask! Contact privacy@vcu.edu or www.vcuhelpline.com. You are the steward of the information entrusted to you and are responsible for it.
University Student Health, Employee Health Services and Equity and Access Services keep the personal health information of individuals utilizing their services strictly confidential in accordance with all privacy regulations.
Research or patient care information is both sensitive and private. The university protects all personally identifiable information (also called Category I data) at the most stringent level.
The information used in research and patient care is highly regulated. The information may be patient protected health information (PHI), governed by the Health Insurance Portability and Accountability Act (HIPAA), or it may be deemed research health information (RHI) once IRB and Privacy Board approvals are properly obtained. Whatever the legal or regulatory requirements, understanding the authorized uses and disclosures of this information can get complex in our VCU and VCU Health worlds; therefore, it is critical to ask questions.
Generally speaking, the information the university has properly obtained after approvals and through authorized channels is not considered patient health information. There are exceptions, though! That is why requests for information are reviewed by experts within the risk assessment, privacy and security compliance pathways. This is most common in the research setting. The School of Dentistry is an exception. For patients seen in Dentistry, the associate dean for risk and compliance, Kim Isringhausen (ktisring@vcu.edu), is available for all privacy-related concerns. www.vcuhelpline.com is also an option.
All other patient health information is controlled by the Health System Authority, and all questions related to patient health information should be directed to the Health System’s Audit and Compliance Services Division, Compliance Services.
VCU discloses the information gathering and dissemination practices of official Virginia Commonwealth University Web pages in its Web Privacy Statement.