UC Davis | Administration | Office of the Chancellor

UCD Directives

UC DAVIS: Office of the Vice Provost  Information & Educational Technology

June 4, 2001

TO:  DEANS, DIRECTORS, DEPARTMENT CHAIRS, AND CAMPUS/UCDMC ADMINISTRATORS 

SUBJECT:  Internet E-Commerce Privacy Statement

The campus was formally notified last week that Visa International has
imposed a new requirement of all organizations accepting Visa credit card
payments over the Internet.  As of June 1, 2001, Visa International
requires all Internet merchants to post a consumer data privacy and
security statement on e-commerce Web sites.  

Prior to the campus becoming aware of this privacy and security statement
requirement, Information and Educational Technology, Public Communications,
and Campus Counsel developed a draft data privacy and security statement
for Internet Web sites.  The intention was to incorporate this statement
into a future UC Davis policy for Internet Web publications.  The new Visa
requirement introduces the need for modification of this schedule.

To comply with the new Visa requirement, UC Davis is issuing interim
privacy and security guidelines.  Units hosting Internet credit card
transactions are required to post the guidelines on their e-commerce Web
site, review their Internet service offerings for compliance with the
guidelines; as determined by each unit, implement any remedial action.
This approach permits UC Davis to continue with plans to develop a formal
Internet Web publication policy that addresses consumer privacy and
security issues while also demonstrating a “good faith” effort to meet
existing credit card program requirements.

The Interim Privacy and Security Guidelines are attached below.  Please
distribute the interim guidelines as appropriate. If you have any
questions, please contact Robert Ono, UC Davis Information Technology
Security Guidelines Coordinator, at 530-754-6484.

Sincerely,

John Bruno, Vice Provost
Information and Educational Technology
			
01-088

Interim Privacy and Security Guidelines
for UC Davis Units Hosting Credit Card Payments over the Internet

UC Davis is in the process of developing a policy statement regarding the
privacy of Internet collected information.  In response to a recent privacy
disclosure requirement by credit card issuers, UC Davis has developed
interim privacy and security guidelines for UC Davis Web sites hosting
credit card payments over the Internet.  Individual Web sites hosting
credit card payments over the Internet are required to review the
guidelines, post the guidelines on their e-commerce Web site, and take
appropriate action to be consistent with the interim guidelines.

Privacy expectation:  UC Davis is committed to protecting personal privacy
and the personal information collected via its Web sites. 

Information collected: UC Davis Web sites may collect personal information
such as name, address, e-mail address, telephone number(s), and/or
educational interests. Such personal information may be requested for
research, public service, or teaching programs, or for administrative
purposes. Additional personal information, such as credit card account
information, may be requested for purchases or enrollment purposes.


UC Davis identifies your Internet Protocol (IP) address when you visit a
campus Web site. UC Davis may also collect Web site usage statistics by IP
address.

Use of information: UC Davis uses Web-site-collected personal information
for the purpose of future communication back to you. Examples of this use
include University-affiliated hosting organizations that need to keep Web
enrollees informed of campus programs, symposia, and/or special events.

UC Davis may use browser-IP-address information and anonymous-browser
history for reporting aggregate Web-site accesses and for profiling
purposes. This information is generally used to improve Web presentation
and utilization. UC Davis also may use IP addresses for troubleshooting
purposes. Some UC Davis Web sites may use “cookies.” Cookies are used for
delivering Web content specific to users’ interests and to keep track of
online purchasing transactions. Sensitive personal information is not
stored within cookies.

Distribution of information: UC Davis will not disclose personal
information or IP addresses to other parties, unless required by law. UC
Davis will not sell personal information to third-party organizations such
as telemarketers or direct mailers.

Individual choice: Individuals have the option to decline any online
enrollment and may submit requests to use other enrollment methods by
e-mail or U.S. mail addressed to the UC Davis organization seeking the
personal information. Users may review, modify, or delete their previously
provided personal information by contacting the campus organization to
which they provided the personal information. If you choose not to
participate in these activities, your choice will in no way affect your
ability to use any other feature of the Web site.

Campus commitment to data security: UC Davis takes reasonable steps to
protect the security, integrity and privacy of information submitted via
campus Web sites. Nonetheless, Web users should be aware of the difficulty
of maintaining data confidentiality over the public Internet. UC Davis
encourages producers of its Web sites, when seeking personal information,
to use the industry standard security protocol known as Secured Sockets
Layer (SSL). We strongly recommend the use of a Web browser capable of
supporting SSL. The latest versions of Microsoft Internet Explorer and
Netscape Communicator, for example, support SSL and also avoid known
browser security vulnerabilities.
 
While using a UC Davis Web site, you may encounter hypertext links to the
Web pages of organizations not directly affiliated with UC Davis. UC Davis
does not control the content or information practices of external
organizations. We recommend you review the privacy statements of these
organizations.

Individual privacy rights and public disclosure of information: In the
state of California, laws exist to ensure that government is open and that
the public has a right to access appropriate records and information
possessed by state government. At the same time, there are exceptions to
the public's right to access public records. These exceptions serve various
needs including maintaining the privacy of individuals. Both state and
federal laws provide such exceptions to public access rights.


UC Davis respects both the right of public access to information and the
right of privacy of individuals. All information collected at this site
becomes public record that may be subject to inspection and copying by the
public, unless an exemption in law exists. If any type of personal
information is requested on the Web site or volunteered by the user, state
law, including the Information Practices Act of 1977 and the California
Public Records Act, and federal law, including the Privacy Act of 1974 and
the Family Educational Rights and Privacy Act of 1974, may protect it from
disclosure to third parties.  

In the event of a conflict between this privacy expectation and the Public
Records Act, the Information Practices Act, or other law governing the
disclosure of records, the Public Records Act, the Information Practices
Act, or other applicable law will control.

Personal information: “Personal information” is information about a natural
person that identifies or describes an individual, including, but not
limited to, his or her name, social security number, physical description,
home address, home telephone number, education, financial matters, and
medical or employment history, readily identifiable to that specific
individual. A domain name or IP address is not considered personal
information; however it is considered “electronically collected personal
information.” 

According to the California Government Code Section 11015.5, “

‘electronically collected personal information’ means any information that
is maintained by an agency that identifies or describes an individual user,
including, but not limited to, his or her name, social security number,
physical description, home address, home telephone number, education,
financial matters, medical or employment history, password, electronic mail
address, and information that reveals any network location or identity, but
excludes any information manually submitted to a state agency by a user,
whether electronically or in written form, and information on or relating
to individuals who are users, serving in a business capacity, including,
but not limited to, business owners, officers, or principals of that
business.”

Electronically collected personal information that is automatically
collected by Web sites administered by UC Davis includes your domain name
or Internet Protocol address, and statistical information about which Web
pages you visit. If you voluntarily participate in an activity that asks
for specific information (e.g., completing a request for assistance,
personalizing the content of the Web site, sending an e-mail, or
participating in a survey), more detailed data will be collected.

Contact: For further information regarding this privacy expectation, please
contact Information & Educational Technology at the address below:

UC Davis Information Technology Security Guidelines Coordinator
Office of Information and Educational Technology
University of California, Davis
One Shields Avenue
Davis, CA 95616
USA
Security@ucdavis.edu

Office of the Chancellor | Contact Information | Current Issues | Speaking Out | Staff and Organization | Philosophy of Purpose | Principles of Community | Administrative Resources Modified: 12/14/2006 12:22:52 PM Comments: