
Key Privacy Laws and Regulations

The world of privacy regulation continues to be in a state of change. Certain information is covered under specific regulations, yet, as of this writing, the United States has no overarching federal privacy law. Absent a federal law, states have turned to developing their own privacy regulations, which are all slightly different and have varying compliance requirements. Further impacting UVM are new international regulations, both enacted and soon to be enacted. In other words, the privacy regulatory landscape is difficult to navigate.

Due in large part to the diverse operations within higher education, an array of privacy and information security laws impact our work. One goal of our Privacy Program is to design it in such a way that we are not developing different programs for different regulations. Rather, we have designed our Privacy Program to be flexible enough to cover as many of the compliance elements of these various regulations as we can, and to deal with the “outliers” as they arise. Ultimately, our goal is to treat all private, personally identifiable, and confidential information as if there is a regulatory requirement… because there most likely is.

Depending on where you work at UVM and what information you have access to, one or more of these regulations may apply to your work.

Laws and Regulations

FERPA


The Family Educational Rights and Privacy Act of 1974 (FERPA) provides certain rights to students with respect to their education records. The University has the responsibility to make sure that student record data is safeguarded from inappropriate access, use and disclosure, to notify students of their rights, and to honor those rights. Student rights include:

  • The right to inspect and review their student records;
  • The right to seek amendment of their student records that they believe to be inaccurate, misleading, or otherwise in violation of their rights;
  • The right to consent to disclosures of personally identifiable information contained in their student records (with exceptions); and
  • The right to file a complaint with the Department of Education concerning alleged failures by the University to comply with the requirements of FERPA.

What is UVM’s Policy?

Where can I find more information?

HIPAA


HIPAA stands for the Health Insurance Portability and Accountability Act. This act, passed by Congress in 1996, is an expansive set of rules that includes the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

Who can I contact regarding the HIPAA privacy rule?

You may contact the relevant HIPAA Coordinator at the provider of service:

  • HIPAA Coordinator - UVM Benefit Plans (802) 656-3150
  • HIPAA Coordinator - UVM Luse Center (802) 656-3861

Or, you can contact UVM’s Chief Privacy Officer at privacy@uvm.edu.

GLBA


GLBA stands for the Gramm-Leach-Bliley Act. GLBA requires that financial institutions explain their information-sharing practices to their customers and safeguard sensitive data.

Where can I find more information?

GDPR


GDPR (the European Union General Data Protection Regulation) was enacted by the European Union to provide greater protections and rights to EU data subjects. This regulation also applies to Iceland, Liechtenstein, and Norway. Collectively, the EU countries plus Iceland, Liechtenstein and Norway make up the European Economic Area, or EEA.

How is my personal data collected, used, processed and shared?

Where can I find more information?

  • from the European Union 

Vermont Data Breach: 9 V.S.A. § 2435


9 V.S.A. § 2435, more commonly known as the Vermont Data Breach Notification Law, requires businesses and state agencies to notify the Attorney General and impacted consumers in the event they suffer a “security breach”. The law requires that businesses notify the Attorney General within 14 days (unless they have obtained a waiver of this requirement) and that they notify individuals as soon as possible and without unreasonable delay, and no later than 45 days after discovery or notice of the breach.

Where can I find more information?


Vermont Library Patron Records 22 V.S.A. § 171-173


22 V.S.A. § 171-173 requires that libraries keep user registration and transaction records confidential. Under this law, a library cannot disclose records about someone's use of library resources and services to anyone outside the library unless an exception applies.

Where can I find more information?