How to identify and report a privacy violation
Incidental violations are unintended uses or disclosures of private data that occur during normal business activities involving an otherwise permitted use or disclosure of the information.
For example, if an employee is taking reasonable precautions in working with private data, but another individual happens to see or overhear private data that the workforce member is using through no fault of the employee, then the workforce member's unintended disclosure of such information will be treated as an incidental violation.
Reasonable precautions include:
- Keeping one’s voice low while discussing information
- Moving to as private a location as possible while using information
- Keeping private data in paper and electronic formats covered or otherwise inaccessible to unauthorized individuals.
Incidental disclosures are usually not considered reportable Privacy Incidents. However, members of the workforce should use professional judgment and assess the potential outcome(s) of an incidental disclosure: report any disclosures that may result in a fraudulent or criminal misuse of the information or have a negative impact on the Colorado School of Mines.
Accidental Disclosures are unintended exposures of private data that occur through human error or when circumstances beyond the control of the individual cause an unwanted outcome, even though proper procedures were followed.
Accidental disclosures are Privacy Incidents and must be reported immediately to the Privacy Office. Examples of accidental disclosures include, but are not limited to:
- Sending sensitive personal data to the incorrect recipient.
- Providing more information than is necessary to an internal or external client.
- Sending sensitive personal data through unsecured channels (e.g., without proper encryption or data protection).
- Over-collection of data beyond what has been communicated to the data subjects.
- Verbally disclosing private data to the wrong person or to a person who falsely identifies himself.
- Printing a document containing private data on a publicly accessible printer.
Employees should assist in correcting a disclosure ONLY if instructed to do so by the Privacy Office.
Intentional Disclosures are disclosures of private data with deliberate disregard of established policies and procedures.
All members of the workforce are obligated to report any known or suspected intentional disclosures of private data immediately. Examples of intentional disclosures include, but are not limited to:
- Gaining access to private data by deliberately circumventing security measures, by using someone else’s password, or by other fraudulent means;
- Negligently disclosing private data to unauthorized persons (i.e., without verifying the person’s identity or authority to receive the data);
- Disclosing private data with intent to harm others by, or to personally profit from, the disclosure;
- Purposefully compiling and saving unencrypted private data on portable computers or computer media.
Intentional disclosures are Privacy Incidents and may result in disciplinary action by the University. Depending upon the incident, the individual responsible for an intentional disclosure may also face civil and criminal penalties.