Information Technology

Employee Code of Responsibility for Security and Confidentiality of Information

Policy:  Employee Code of Responsibility for Security and Confidentiality of Information
Dept. Responsible: Human Resources
Effective Date: March 1, 2010
Revised Date: June 1, 2009

Overview

Butler University, both as an educational institution of higher learning and an employer, requires the strict confidentiality and security of the institution's records, in compliance with the Family Educational Rights and Privacy Act of 1974 (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), Indiana code and other federal, state, and local laws as applicable that affect the dissemination and use of confidential or protected information and records.  Administrators, faculty, staff, and student workers (Employees) who have access to such information and/or records shall safeguard the privacy and confidentiality of such information and/or records and shall not disclose or disseminate such information and/or records (in whatever form maintained) to any unauthorized person or entity.

Scope

This policy applies to faculty, staff, and all others performing tasks on behalf of Butler University, including but not limited to contractors, affiliates, guest instructors, student workers, and third party providers, as it is through the diligent efforts of everyone that information is protected.

Policy Statement

  1. Without limiting the generality of the foregoing, activities which are prohibited in all cases include, but are not limited to:
    1. Engaging in any unauthorized or inappropriate use of information and/or records, or permitting such unauthorized or inappropriate use;
    2. Obtaining or attempting to obtain personal benefit or permitting others to obtain or attempt to obtain personal benefit by the use or disclosure of any confidential information and/or records that an Employee accesses in the course of his/her work assignment or otherwise;
    3. Exhibiting or divulging contents of any record or report to any person or entity, except in the conduct of the Employee's work assignment and/or responsibilities in accordance with Butler University policies;
    4. Knowingly including or causing to be included in any record or report a false, inaccurate, or misleading entry;
    5. Removing any official record or report (or copy thereof) from the office where it is kept, except in the performance of the Employee's work assignment and/or responsibilities in accordance with Butler University policies; and
    6. Aiding, abetting, or acting in conspiracy with any other person to violate or compromise the confidentiality  of  protected  information  or  records,  or  to  violate  this  Employee  Code  of Responsibility.
  2. Compliance -- Employees are expected to immediately report any threatened or actual violation of this Employee Code of Responsibility to their immediate supervisor or the Human Resources Department.
  3. Breach -- Any violation of this Employee Code of Responsibility will subject the offending Employee to disciplinary action consistent with the policies of Butler University, which may include termination of employment and possible legal action.  Where the Employee is a student, disciplinary action may also include suspension or expulsion from the University, or such other academic or other sanctions as the University deems appropriate.

Administration

Operational responsibility of this policy is delegated to the Executive Director of Human Resources. Periodically or as required, this policy will be reviewed by the Sr. Administrative Group to ensure the policy is up to date and applicable in the current environment.  Periodic reports will be made to the Sr. Administrative Group in the event of material breaches.

Related Policies

Revision History

Approved by the Board of Trustees, February 26, 2010
Became formal campus wide policy March 1, 2010; previously Human Resources and Registration and Records form signed prior to granting PeopleSoft access and/or at new hire
Approved by Sr. Administrative Group: January 19, 2010
Statement revised June 2009
Originally created April 2001