2,003: Personally Identifiable Information - Acceptable Use Policy

Revised: March 2019

Definition

Employee data is governed by national and international rules and regulating bodies including the Department of Labor, Electronic Code of Federal Regulations, and General Data Protection Regulation (GDPR). These rules define what is Protected Personally Identifiable Information or PII and must be stewarded by an employer and/or Federal contract recipient.

Based on these rules and regulations, the University considers data or information that permits the identity of an employee to be reasonably determined based on some combination of data elements to be PII. The Department of Labor definition of PII is as follows:

Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.

Furthermore, the university considers personal information related to benefit plans and medical information associated with employment for the purposes of leave, workers' compensation and fitness for service to be confidential.

The above definition prohibits the university from sharing employee information deemed as PII except as specifically defined in the Board of Regent's Handbook.

The following information in these personnel files is public information and must be disclosed to the public upon request: the employee's name, title, job description, compensation and perquisites, business address and business telephone numbers, beginning date of employment and ending date of employment, educational background and work history. (Title 2, Chapter 5, Section 6.2(b))

Data Usage

The following data is collected and stored in the University's Workday system:

Employee legal name, preferred name, title, work phone, mail stop, email, job family group, unit and cost center is considered directory information and is available to the general public.

Data collected for purposes of Federal and State reporting requirements such as gender, ethnicity, disability and veteran status information is used in developing, monitoring and tracking progress on Affirmative Action goals required by the Office of Federal Contracts and Compliance Programs (OFCCP). This information is shared within the institution in aggregate by percentages and counts versus total population for a job group.

Social security number and birthdate are collected to create an initial record for an employee and matched against a variety of University systems. Once the record is established and the reconciliation for duplicates is complete, the active use of this data is discontinued and replaced with an employee identification number.

An employee may mark data as "Private" in Workday like home email, home phone and home address. Further, an employee is required to enter emergency contact information. The manager of the employee, integration writers, and human resources can view this data for the purposes of use in an emergency situation. It would be used to contact an employee when they are not available via work contact information or to contact their designee in the event of a medical or other emergency.

The U.S. Federal government and several other organizations widely recognized in higher education, such as accrediting bodies, request or require information from the University on a regular basis. These requests compile some data elements that are considered PII. To prepare these reports, employee data is shared on an as needed basis with the offices responsible for reporting to an external agency. These offices include Human Resources, Equal Opportunity and Title IX, Institutional Research, Nevada System of Higher Education, College Dean's Offices, Provost's Office, and President's Office. Aggregate data, which includes no PII, on gender, race/ethnicity, tenure status, disability, veteran, etc. may be shared more broadly.

PII data elements are not used internally for invitation lists, presentations or other non-essential purposes. PII data is not communicated externally beyond the use cases which are regulatory or essential to the University, such as accreditation.

Employees with access to this data become data custodians and should adhere to the UNR Security Awareness and Acceptable Use Policy and take precautions to protect unauthorized access to the data.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) approved in April 2016, confers numerous rights upon data subjects located in the European Union (EU). If a subject located in the EU has concerns with data requested in the recruitment or hiring process, they may contact the Recruitment Help Desk at (775) 784-1495 to explore whether an alternate process is available that offers the protections of GDPR while maintaining compliance with United States Federal and State regulations.