Revisions Issued to the UC policy on the Protection of Administrative Records Containing PII

To: UC Santa Cruz Community

From: The offices of Administrative Policy, Information Practices, Privacy, and Records & Information Management

Revisions Issued to the UC policy on the Protection of Administrative Records Containing Personally Identifiable Information (PII).

The policy clarifies the roles of Privacy Officials, Records Management Coordinators, and Information Practices Coordinators, aligns with the UC Statement of Privacy Values, and requires those who steward university information relating to individuals to adhere to rules of conduct including, but not limited to:

  • personal or confidential information relating to individuals must not be disclosed to unauthorizedpersons or entities, including campus colleagues (both written and verbally). 
  • each employee with control over personal information shall limit access and use to both of the following important conditions:
    • a. a legitimate business need; ​combined​ with 
    • b. access directly relates to the purpose for which the information was collected.
  •  not seeking out or using personal information relating to others for their own interest or advantage.
  • maintaining records containing personal information with all necessary precautions to assure that proper administrative, technical, and physical safeguards are established and followed in order to protect the records from unauthorized access, use, and disclosure.
  • timely disposition in accordance with the UC Records Retention Scheduleand BFB-RMP-2, Records Retention and Disposition: Principles, Processes, and Guidelines.

The revised policy consolidates three existing policies into one: BFB-RMP-7, Privacy of and Access to Information Responsibilities. As such, two policies, BFB-RMP-11, Student Applicant Records,and BFB-RMP-12, Guidelines for Assuring Privacy of Personal Information in Mailing Lists and Telephone Directories,are now rescinded.

The revision also aligns BFB-RMP-7 with the newly revised BFB-IS-3, Electronic Information SecurityPolicy.BFB-IS-3 establishes a framework that ensures cyber risk is reduced and managed, protects information, and supports the proper functioning of IT resources; while BFB-RMP-7 outlines requirements and processes for ensuring UC protects information by meeting its legal obligations, as well as balancing information and autonomy privacy with competing institutional obligations, values, and interests, regardless of whether the personal information is paper, electronic, or other media.

For questions related to privacy or administrative records, the primary campus contacts are:

Denise Dolezal

Privacy and Information Practices Director


Diane Lallemand

Director, Administrative Policy and Records