|
|
|
|
|
|
|
|
Policy and Procedure ManualChapter 320, Records and Archives Responsible Department: Campus Counsel Exhibit A, Authorization to Disclose Personnel Record Information to Third Party This section describes UCD policy and procedures needed to comply with the California Information Practices Act (regarding information privacy) and the California Public Records Act (regarding public access to information). For information concerning the Federal Privacy Act and the use of Social Security numbers, see Section 320-22. This section does not apply to records pertaining to students in their capacity as students, but does apply to records maintained solely for purposes unrelated to their status as a student (see Section 320-21). A. California Information Practices Act (IPA)--The California Information Practices Act guarantees individuals access to personal files maintained on them, with certain limitations, and sets forth provisions to govern the collection, maintenance, accuracy, dissemination, and disclosure of information about them. Special procedures for providing access to and protecting the privacy of University records containing personal data are required by the Information Practices Act. B. California Public Records Act (PRA)--The California Public Records Act provides that access to information concerning the conduct of the people's business is a fundamental and necessary right of every person in this State; that upon request public records must be available to public inspection within a reasonable time; and that every citizen has the right to inspect any public records except as provided in the Act. C. Nonpersonal information--The law requires that the following types of information about employees shall be released to the public upon request. See the full definition in UC Business & Finance Bulletin (BFB) RMP-8 Section VII.B. These types of information might include: 1. Name 2. Date of hire or separation 3. Current position title 4. Current rate of pay 5. Organizational unit, office address and phone number 6. Current job description 7. Full-time or part-time 8. Appointment type 9. Prior non-University employment D. Personal information--Information about employees, the release of which would constitute an unwarranted invasion of personal privacy. See the full definition in BFB RMP-8 Section VII.B. These types of information might include: 1. Home telephone number 2. Home address 3. Name of spouse or other relatives 4. Birthdate 5. Social security number 6. Citizenship 7. Attendance records 8. Income tax withholding 9. Health care records 10. Performance evaluations E. Other terms--Other terms used in this section, such as "public record," are defined in BFB RMP-8 Sections VI and VII. A. Access. Access to information about the conduct of business in a public university is a right of every citizen. Requests for records should be in writing and must reasonably describe an identifiable record. B. Privacy. Individuals have a fundamental right of privacy. It is the policy of the University to interpret the Information Practices Act liberally to the benefit of the individual. Where discretion is allowed, the protection of privacy should override the option to disclose. See V below for more information. C. Responsibilities. Department heads are responsible for establishing procedures for maintaining records in accordance with this policy, and for appointing records custodians to perform the following functions: 1. Collect information in accordance with V.A below. 2. Identify information received in confidence that must be redacted before release in accordance with V.B.2.b(4) below. 3. Secure records and prevent unauthorized access. D. Authority. The department head has the authority, which may be redelegated, to disclose a record, except as noted below. 1. The Information Practices Coordinator is available to assist with responding to records requests. 2. Instead of responding directly to the request, the department head may refer the requestor to the Information Practices Coordinator. 3. If a record does not exist that contains the information requested, the University is not required to create such a record. 4. In disclosing information to an individual, no personal information relating to any other individual shall be disclosed. 5. Records of applicants and former employees can only be disclosed by the appropriate academic or staff personnel office. 6. Requests to release internal investigations (such as audits) shall be referred to the Executive Vice Chancellor. E. Records exempt from disclosure. Certain records or portions of records are exempt from disclosure under the Public Records Act. See BFB RMP-8 for more information. Consult the Information Practices Coordinator before withholding data based on these exemptions. The most common ones concern: 1. Preliminary drafts and notes, in limited circumstances. 2. Records pertaining to pending litigation. 3. Personnel, medical, or similar files, when disclosure would constitute an unwarranted invasion of personal privacy. 4. Privileged information (for example, trade secrets, or communication between physician and patient, or lawyer and client). F. Time limits. UC must state whether it will produce the requested records within 10 calendar days as described in BFB RMP-8 Section VI.B.2. The records must be produced within a reasonable time thereafter. G. Media requests. Requests for information by the media should be referred to the News Service Office, UCDHS Hospital Public Affairs Office, or School of Medicine Public Affairs Office, as appropriate. IV. Charges for Copies of Records A. Direct costs of duplication may be charged. Generally, 10 cents per page will be charged for routine photocopying. B. An estimate of costs shall be provided. The department may require payment before making the copies. C. Charges may not be made for: 1. Locating, reviewing, redacting, or assembling records, except for some types of data stored in electronic format. 2. The first copy of a current or former employee's central or departmental personnel file. V. Information about Individuals The Information Practices Act contains special rules that apply to any record that identifies or describes an individual. Note that the Information Practices Act is not confined to personnel records. A. Collection of information 1. The campus will collect information directly from the individual to whom it relates to the greatest extent possible. If information is collected from another source, a record of the source will be kept. Only information that is relevant and necessary for a business purpose shall be maintained. 2. UC shall provide a privacy notice on or with any form used to collect personal information from individuals. See BFB RMP-8 Section VII.D and exhibits containing sample notices. 3. Every UCD record system shall be maintained in accordance with the requirements in BFB RMP-8 Section VII.C. Some of the important provisions include: a. Safeguards to ensure the security and confidentiality of the records and to control access to the records. b. Rules of conduct for employees who have access to the records. c. Processes for maintaining accurate, relevant, timely, and complete records. d. Processes for ensuring that the use of information for mailing lists is in accordance with BFB RMP-8 VII.C.5. e. Processes for ensuring that no information is modified or destroyed in order to avoid any disclosure required by law. B. Access to records 1. Access by individual subject of the record a. An individual shall have the right to inquire and be notified as to whether the University maintains a record about him or her. b. Records containing personal information shall be made available to the individual subject of the record upon written or oral request and with proper identification, except for confidential information. 1) All disclosable information shall be made available within 30 calendar days of the request (for dispersed or remote locations, 60 calendar days). 2) When an individual inspects disclosable information the University shall provide, upon the individual's written request, copies of such information within 15 days of the inspection, at a cost not to exceed $0.10 per page. 3) The law restricts the release of certain confidential parts of a record to the person who is the subject of the record, or to the public (for example, a criminal investigation, and physical or psychological records). However, the individual must be notified that the record exists. For more information, see BFB RMP-8 Section VII.B. 4) In rare circumstances, the source of certain information that was received in confidence must be redacted prior to disclosure. See BFB RMP-8 Section VII.H and Academic Personnel Manual Section 160 for more information. 5) Upon written consent of the individual, information may be released to persons designated by the individual, if the request is made within the time limits specified in the consent, or within 30 days if no time limits are specified. Exhibit A may be used as a format for the consent. 2. Access by University employees and officials UC officers, employees, attorneys, agents, and volunteers may receive personal information if it is relevant and necessary in the ordinary course of the performance of their official duties and is related to the purpose for which the information was acquired. 3. Access by public a. UC shall disclose nonpersonal information about individuals, as defined by the California Public Records Act, upon request. b. UC shall not disclose personal information, except in the circumstances described in BFB RMP-8 Section VII.G.4. Examples of common exceptions are: consent of the individual or a guardian, conservator, or representative; requirement of law or a governmental agency; subpoena, court order, or search warrant; request of a law enforcement agency; or request of a member of the legislature, when acting on behalf of the individual. 4. Subpoenas Personnel information must be released pursuant to a subpoena or in other cases where the University is required by law to release the information. Before the disclosure, UC must reasonably attempt to notify the individual. Record the disclosures as described below. Contact Risk Management Services immediately when such a request is received. For more information about subpoenas, see Section 320-30. 5. Amendments and corrections Individuals have a right to correct or amend information about themselves. See Academic Personnel Manual Section 160 or Personnel Policies for Staff Members, Policy and UCD Procedure 80. C. Recording disclosures of personal information 1. The campus shall maintain records of certain types of disclosure of personal information: a. Pursuant to a determination by the University that compelling circumstances exist that affect the health or safety of an individual. b. Pursuant to any subpoena, court order, search warrant, or other compulsory legal process; or to a law enforcement agency when required for an investigation of criminal activity. c. To a governmental agency as required by law or to fulfill a constitutional or statutory duty, unless a notice of the type of disclosure has already been provided at the time of collection (see V.A.2, above). 2. Exhibit B shall be used to record these disclosures. 3. The department shall retain the record of disclosure, and information about unresolved disputes about the accuracy of the record, as described in BFB RMP-8 Section VII.I. If a record is corrected within three years of disclosure, the department must follow the procedures in BFB RMP-8. A. A University employee may not use University records for purposes other than those that are relevant and necessary to the performance of his or her duties. Any other use of such records must be requested by the employee as a member of the public, as described above. B. The Rules of Conduct with respect to records concerning individuals are contained in Exhibit C. Failure to comply with these rules, or with any provision of the Information Practices Act, may result in disciplinary action in accordance with the applicable personnel policy or collective bargaining agreement. C. A person who obtains personal information from the University under false pretenses may be subject to criminal or civil penalties. D. If the University refuses to comply with an individual's lawful request to inspect their own information, that individual may bring a civil action against the University. Questions regarding this section or the appropriateness of disclosing information should be referred to the Information Practices Coordinator, Office of Campus Counsel, (530) 752-3949. VIII. References and Related Policy A. General 1. UC Business & Finance Bulletins, RMP Series. 2. Section 320-22, Collection of Social Security Numbers. 3. Office of the Provost, UCD Directive 97-165, Applicant Requests for Access to Records, 12/15/97. B. Student records Section 320-21, Disclosure of Information from Student Records. C. Personnel records 1. Academic Personnel Manual Section 140, Non-Senate Academic Appointees/Appeals. 4. Academic Personnel Manual Section 220, Professor Series. 5. Personnel Policies for Staff Members, Policy and UCD Procedure 80, Staff Personnel Records. D. Medical records Copyright © 2006 The Regents of the
University of California, Davis Campus. All Rights Reserved. |
|
