We help to enable, facilitate, and advise university stakeholders on privacy principles and data engineering practices that create and foster greater transparency of data practices and enhanced trust with the university community. We collaborate with data stewards and users, as well as application and service owners, to create awareness of privacy considerations, mitigate privacy risks, and develop a privacy-conscious community.
Privacy Everywhere Conference
Technology Service hosts an annual one-day privacy conference. Attendees learn from experts in the field and gain valuable insights into timely privacy topics.
The next conference will take place in January 2027.
Privacy consulting and assessments
Contact us at privacy@illinois.edu for more information about any of these consultative services.
We can consult on any matter that involves personal information. This can include new or revised processes, application settings and setup, or research projects. There are a few assessments to help you start a conversation:
- Privacy Threshold Assessment: This assessment asks a few basic questions that will help determine next steps.
- Privacy Impact Assessment: This assessment asks in-depth questions to probe how personal information is processed. The answers provided here are very important and help us understand how privacy is impacted.
- Privacy Impact Assessment (Research): This assessment is a research-focused version of the Privacy Impact Assessment with questions specific to the privacy impacts typically faced in research.
Privacy regulations and contracts
When contracting with a vendor, it is important to consider the privacy protections that should be in place. This can be situationally dependent based on the type and volume of data involved, how it will be processed, who will have access to it, how it is stored or transmitted, and other things. Below is a list of some contractual addendums that should be considered when processing certain data:
When student data will be involved:
A FERPA Addendum is typically recommended when student data will be impacted by a contract. This addendum designates a vendor as a “school official,” which assigns them responsibilities for the student data. Not all student data requires protection from a FERPA Addendum, so it is important you speak with your Business Office or the Purchasing and Contract Management Office (PCMO).
When health data will be involved:
Working with health data at the University of Illinois Urbana-Champaign can be a little confusing. The university is considered a hybrid entity under HIPAA, meaning some units may be covered by HIPAA while others that handle health data may not be. When it comes to student health data, FERPA covers the health data that isn’t covered by HIPAA.
For units that are covered by HIPAA, also known as Health Care Components (HCCs), a contract with a vendor that will process health data (in these situations, health data is referred to as Protected Health Information, or PHI) should have a Business Associate Agreement (BAA) added to the agreement.
For units that process health information under FERPA protections, sometimes additional contractual language not already included in the standard templates should be added to the agreement.
In either case, the PCMO can help navigate these scenarios to help determine the best course of action for the contracts, including consultation with privacy.
When data collected in Europe will be involved:
Countries in Europe, specifically the European Economic Area (EEA), have a comprehensive privacy law called the General Data Protection Regulation (GDPR). When the United Kingdom left the European Union, it enacted a similar law referred to as the UK GDPR. The university’s compliance program is the same for both laws, so we refer to both collectively as GDPR when talking about data sourced from Europe.
GDPR and other European laws have strict requirements for data being sent from European countries to countries outside the EEA. One of these requirements is to have a Data Protection Addendum (DPA) added to the contract. In simple terms, the DPA is a promise to protect data to the level of GDPR standards.
There are nuances and specifics that need to be explored prior to making the decision to add a DPA to a contract. When starting a contract process, you will be asked if data from Europe will be involved. If “Yes”, a parallel process will be triggered to engage in the GDPR review and that will determine if a DPA is necessary.
When data collected in China will be involved:
Compliance with China’s Personal Information Protection Law (PIPL) is complex, confusing, and time-consuming. If your contract will involve data collected or sourced from China, start conversations with PCMO as early as possible. Many groups, including the Office of the CIO, the Office of University Counsel, the University Ethics and Compliance Office, and others, may need to be involved. The University System is considered one entity under PIPL, so compliance with the law could have impacts system-wide.
When starting off the contract process, you will be asked if data from China will be involved. If you answer “Yes”, a parallel process will be triggered for us to engage in a PIPL review and that will ultimately determine what next steps are necessary.
General privacy guidance
We offer the following privacy-based recommendations that are applicable to most situations. To set up a consultation for a specific use case (e.g., research project, a new/renewed contract with a vendor, new processing activity, etc.), to request a complete privacy review or to ask questions, contact privacy@illinois.edu.
Data processing should always be restricted to the “need to know” principle – only process the data that is absolutely necessary to get the job done. We recommend that units:
- Consult the Privacy Team to ensure no additional obligations are created from any processing changes.
- Review proposed use cases and determine the specific purpose and the specific data required. Best practice is to restrict data collection/processing to the minimum required to complete the required processing of the use case (e.g., collect age ranges or birth year rather than a full birth date).
- Be consistent with notices provided to data subjects. If the data processing changes, updated notices should be provided.
University privacy policies
Campus/University Policies: More information about University of Illinois policies.
Cookie Policy: Describes the University of Illinois System’s use of Cookies and related data sharing and tracking technologies.
Social Security Number Policy: Information on the University’s commitment to protecting the privacy of members of the university community.
Information Security Policy: University-wide policy on the use of data, applications, networks and computer systems.