- NMU Policies and Requirements

Confidentiality Policy

Policy class (level): Administrative Policy
Workflow stage: published

Purpose:
To clarify the University’s confidentiality requirements and acknowledge that confidentiality extends beyond the scope of information technology media as defined in the Northern Michigan University Data Classification Policy and the Northern Michigan University Acceptable Use Policy.

Applicability:
This Policy applies to all current faculty, staff, and student employees, as well as former employees. 

Acronyms:
HIPAA  Health Insurance Portability and Accountability Act
FERPA Family Educational Rights and Privacy Act
FOIA Freedom of Information Act

Policy:
Federal and state laws generally protect the confidentiality of communications and the release of sensitive information, particularly in areas of financial information, employment records, education records, medical, mental health, and counseling records. These protections are emphasized in University handbooks, departmental bylaws, and other University guidance. Most protections continue even after employment is terminated. Some exceptions exist, though, including information subject to the FOIA, state and federal laws, consent, court orders, and other legal proceedings.

Unless required by FOIA or other federal and/or state laws or regulations, faculty and staff may not use or share University records for purposes that do not directly relate to their position. All FOIA requests must be managed by the NMU FOIA Coordinator, who will provide information as required by Michigan law and in compliance with federal laws such as FERPA and HIPAA.  

Most information received by NMU faculty and staff is received in a digital media format that can be categorized according to the definitions in the Northern Michigan University Data Classification Policy. That Policy defines three categories of media data: confidential, private, and public. However, University employees also receive information in other ways that must still be treated as confidential or private. Employees will apply the definitions of confidential, private, and public as shown in the Data Classification Policy to information received in any form, including but not limited to information received on NMU media, on paper documents, by electronic communication, and via verbal exchanges. 

NMU acknowledges that students and employees have the right to access their own private and confidential records and request corrections. Unless required by law or regulation, though, employees will not disclose other information that meets the definition of confidential or private to third parties or other employees, except to other employees who need the information in connection with their duties. 

If an employee is approached to inappropriately release information, the employee must refuse the request and refer the requester to their immediate supervisor.  If the employee is unsure if the request is appropriate, they will consult with their immediate supervisor. If further clarification is needed after consulting with the supervisor, they will contact the Internal Auditor for guidance.  

It is a serious offense for an employee to release or use confidential or private information for personal or other unauthorized purposes. Any employee who inappropriately releases such information, or uses this information for personal purposes will be subject to appropriate disciplinary action, up to and including dismissal.

References:
NMU Acceptable Use Policy at nmu.edu/policies/719
NMU Vendor Privacy Policy at nmu.edu/policies/1300
NMU Data Classification Policy at nmu.edu/policies/1299
NMU Freedom of Information Act (FOIA) Policy at nmu.edu/policies/700
NMU FERPA Policy at nmu.edu/policies/898