PURPOSE:
This Data Privacy Policy outlines the principles and procedures for the responsible and lawful processing of Personal Data by Idaho College of Osteopathic Medicine (ICOM). The purpose of this policy is to protect the privacy rights of individuals, ensure compliance with applicable data protection laws and regulations, and foster trust in the Institution's handling of personal information. ICOM is committed to maintaining the confidentiality, integrity, and security of Personal Data entrusted to it in support of its mission of osteopathic medical education, research, and service.
SCOPE:
This policy applies to all Personal Data processed by ICOM, regardless of its format (electronic, paper, verbal), storage location (on-premises systems, cloud-based services including SaaS applications, personal devices used for ICOM business), or the individuals to whom it pertains. This policy applies to all members of the ICOM community, including but not limited to:
- Faculty
- Staff
- Administrators
- Students
- Alumni
- Researchers
- Patients (if applicable in ICOM-operated clinics or programs)
- Applicants
- Affiliates
- Volunteers
- Contractors
- Vendors
- Website visitors and other individuals whose Personal Data ICOM may process
DEFINITIONS:
- Personal Data: Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes, but is not limited to, student records, patient information (if applicable), employee records, contact information, and online identifiers.
- Data Subject: The individual to whom Personal Data relates.
- Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data (in this context, primarily ICOM).
- Data Processor: A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller (e.g., SaaS vendors, cloud service providers).
- FERPA: The Family Educational Rights and Privacy Act, a federal law that protects the privacy of student education records.
- HIPAA: The Health Insurance Portability and Accountability Act of 1996, a federal law that provides data privacy and security provisions for safeguarding medical information.
- SaaS Application (Software as a Service): A software delivery model in which software is hosted by a vendor and made available to customers over a network, typically the internet, usually on a subscription basis.
POLICY:
Lawfulness, Fairness, and Transparency:
ICOM will process Personal Data lawfully, fairly, and transparently, ensuring that there is a legal basis for processing and that individuals are provided with clear and accessible information about how their data is handled.
Purpose Limitation:
Personal Data will be collected and processed only for specified, explicit, and legitimate purposes related to the Institution's mission and operations. Data will not be further processed in a manner that is incompatible with those original purposes.
Data Minimization:
ICOM will collect and retain only Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy:
ICOM will take reasonable steps to ensure that Personal Data is accurate and, where necessary, kept up to date. Inaccurate or incomplete data will be rectified or erased in a timely manner.
Storage Limitation:
Personal Data will be kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the Personal Data is processed, consistent with the Data Retention and Destruction Policy and applicable legal requirements.
Integrity and Confidentiality:
ICOM will implement appropriate technical and organizational measures to ensure the security of Personal Data, protecting it against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Rights of Individuals (Data Subjects):
- ICOM will respect the rights of individuals regarding their Personal Data, including:
- Right to Access: Individuals may have the right to request access to their Personal Data held by ICOM.
- Right to Rectification: Individuals may have the right to request the correction of inaccurate or incomplete Personal Data.
- Right to Erasure (Right to be Forgotten): Individuals may have the right to request the deletion of their Personal Data under certain circumstances, consistent with legal and institutional obligations (e.g., FERPA regulations regarding student records).
- Right to Restriction of Processing: Individuals may have the right to request the restriction of processing of their Personal Data under certain circumstances.
Right to Object: Individuals may have the right to object to the processing of their Personal Data in certain situations.
Requests to exercise these rights will be handled in accordance with applicable laws and institutional procedures. For student records, rights are primarily governed by FERPA. For patient data (if applicable), rights are governed by HIPAA.
Data Sharing with Third Parties:
ICOM will only share Personal Data with third-party vendors or service providers when there is a legitimate business need and when appropriate contractual safeguards are in place to ensure the data is processed securely and in compliance with this policy and applicable laws, as outlined in the Third-Party Vendor Management Policy.
Data Transfers:
ICOM will comply with all applicable legal requirements regarding the transfer of Personal Data across jurisdictional boundaries.
Data Breach Notification:
In the event of a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, ICOM will follow the procedures outlined in the Incident Response Policy, including timely notification to affected individuals and relevant regulatory authorities as required by law (e.g., HIPAA Breach Notification Rule, state data breach notification laws).
Compliance with Laws and Regulations:
ICOM is committed to complying with all applicable federal and state laws and regulations governing the privacy and security of Personal Data, including but not limited to the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA) if applicable, and relevant Idaho state privacy laws.
Privacy by Design and Default:
ICOM will strive to incorporate data privacy principles into the design and operation of its information systems and processes from the outset and will implement default settings that are privacy-protective.
RESPONSIBILITIES:
- Data Owner: The President or appropriate designee is responsible for specific categories of Personal Data and for ensuring that the data is processed in accordance with this policy and applicable laws.
- Data Stewards: Individuals with operational responsibility for managing Personal Data are responsible for implementing data privacy practices within their areas.
- Information Technology Office: Responsible for developing and implementing technical and organizational security measures to protect Personal Data, for providing guidance on data privacy best practices, and for maintaining the security of ICOM's IT infrastructure and systems that process Personal Data.
- All Users: All members of the ICOM community are responsible for handling Personal Data in accordance with this policy, the Acceptable Use Policy, and other relevant institutional guidelines.
ENFORCEMENT:
Violations of this Data Privacy Policy may result in disciplinary actions, up to and including warnings, suspension of access privileges, and termination of employment or student status, consistent with other ICOM policies and procedures, and may also result in legal penalties.
POLICY REVIEW AND UPDATES:
This Data Privacy Policy will be reviewed and updated at least annually, or as needed to reflect changes in laws, regulations, best practices, or institutional needs. The Chief Information Officer is responsible for coordinating policy reviews and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual