As an institution where “a commitment to excellence is expected” (BYU Mission Statement), Brigham Young University strives to maintain standards and practices that accord with ethical, contractual, and legal requirements for data use, privacy, and security.

Data Sharing Agreement means a formally recorded document created through campus data governance procedures that describes the use case and data resources needed to share university data with specific parties.

Data Steward means an employee with designated responsibility for processing a specific set of data.

Nonpublic Institutional Data means any data created, owned, or processed by the university that is not publicly published or available.

Personal Information means any data or information that relates to, is associated with, describes, identifies, or reasonably can be used to identify a natural person.

Processing Data means the access, collection, classification, use, modification, sharing, storage, or destruction of data.

University employees may process Nonpublic Institutional Data only when doing so reasonably serves the university’s academic, administrative, or institutional purposes.

University employees must process Nonpublic Institutional Data in accordance with applicable university policies, the BYU Privacy Notice, and relevant laws and regulations.

Accessing Nonpublic Institutional Data

The university allows access to Nonpublic Institutional Data only in accordance with the following table:

*Any employee who, on behalf of the university, receives a request, subpoena, warrant, or court order for Nonpublic Institutional Data from one of these entities or individuals immediately must refer that request, subpoena, warrant, or court order to the Office of the General Counsel.

Processing Personal Information

University employees must process Personal Information

• purposefully—in compliance with pre-defined and legitimate purposes, such as performing a contract, pursuing a legitimate interest, complying with law, or based on consent;
• minimally—in a manner that is sufficient to properly fulfill the stated purpose, has a rational link to that purpose, is limited to what is necessary, and for no longer than necessary;
• transparently—only after providing individuals with clear and intelligible information, either through concise privacy notices or just-in-time statements, about who will process their Personal Information and for what purposes, and by giving individuals the opportunity to inspect and correct their Personal Information as required by law; and
• safely—subject to appropriate measures, including role-based access controls, data sharing agreements, and other controls to safeguard against anticipated risks, where applicable.

Transferring Nonpublic Institutional Data

University employees should contact the Office of the General Counsel (OGC) and the CES Security Operations Center (CES SOC) before signing any agreement or entering into any arrangement with a third party to process or have access to any Nonpublic Institutional Data. The CES SOC provides an assessment of the proposed data transfer(s) and the third party’s security standards and mechanisms. (See Vendor Security Risk Assessment Process.) The OGC provides legal review of the information security and data transfer terms and conditions. (See Legal Documents Policy.)

See the Reporting section of the Appropriate Use of Information Technology Resources Policy.