Responsible Administrator(s):
Responsible Office(s):
Originally Issued: May 2007
Revision Date: April 2015

Statement of Purpose

The purpose of this policy is to ensure that the university meets its disclosure obligation in the event of an inappropriate release of sensitive, personal information.

Entities Affected by this Policy

Entities affected by this policy include UNLV students and employees and anyone interacting with UNLV.

Who Should Read this Policy

UNLV students and employees and anyone engaging in business with UNLV should read this policy.

Policy

The university shall disclose any breach of its data to any person whose sensitive, personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure shall be made in the most expedient time possible. It is the university’s sole discretion to determine the scope of the breach.

The disclosure may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

The university shall make every reasonable effort to contact individuals impacted. Contact may be made in person, by mail, and/or by e-mail.

If the university does not have sufficient contact information, a general disclosure will be posted on a UNLV web site and appropriate news media outlets will be notified.

The university will provide information about data breaches as required by federal and state laws, and NSHE regulations and/or policies.

For additional information, including how to request an exception to this policy, refer to the Office of Information Technology’s Policies and Procedures web page at https://www.it.unlv.edu/policies.

Definitions

Breach

Unauthorized acquisition of data that compromises the security, confidentiality, or integrity of sensitive, personal information maintained by the university or its employees. Good faith, but unauthorized, acquisition of such sensitive, personal information by an employee or agent of UNLV for university business is not a breach for purposes of this policy, provided that the information is not subject to further unauthorized disclosure.

Disclosure

Notification using one of the following methods:

  1. Notice in writing either hand delivered or mailed to the address on file with, or last known to, the university
  2. Notice by e-mail if the individual has an e-mail address on file with the university 
Every Reasonable Effort

Use all contact information available in university records to notify individuals who may have been impacted.

Sensitive, Personal Information

Any information about the individual maintained by the university, including the following: (a) Education, financial transactions, medical history, and criminal or employment history; and, (b) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. [38 USCS § 5727(19)]

Sensitive, personal information does not include publicly available directory information that may be lawfully disclosed.