Introduction
This Privacy Policy sets the framework and guiding principles for the collection, management, use, storage, and destruction of personal data by employees of The University of Oklahoma (OU, University) and the University’s approach to protecting privacy. In keeping with applicable state, federal, and international regulation, the University safeguards the privacy of University constituents and University business, and other matters by protecting electronic, digital, and physical records considered confidential or sensitive data or records containing personally identifiable information and/or personal data. In addition, the University should comply with the laws and regulations regarding the protection of personal data in the countries where University staff, employees, and students travel and conduct business or to which the University sends or receives personal data, to the extent that they apply, and to the extent there is no conflict with applicable United States laws. The University is committed to protecting the privacy of personal data within its control consistent with all applicable laws, regulations, and University policies. Personal data need not be sensitive, confidential, or secret to require protection under this Policy. Because of the significant size of the University and the difficulty in providing a detailed picture of all the personal information it collects and uses as an institution, more detailed information is outlined in specific privacy statements/notices provided by University schools, departments, programs, units or groups.
Definitions
Personally Identifiable Information (PII): Any information that either directly identifies you or makes it possible to identify you. This may include information related to you that can be identified, directly or indirectly, by reference to a collected piece of information such as an identification number; location data; an online label (often called an identifier); or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural, or social identity.
For a comprehensive list of definitions, see Information Technology and Security Definitions.
Policy
Privacy Principles
- The University is committed to the privacy and security of the PII it maintains on behalf of the University community. The University will take reasonable precautions to maintain privacy and security within its operations and respond quickly to situations that may compromise that privacy and security.
- The following principles form the basis for this Privacy Policy. These principles should be part of all PII management activities at the University.
- General Principle: University personnel should limit the collection, use, disclosure, access, or storage of information to that which reasonably serves or is necessary for the University's legitimate business purposes (e.g., academic/educational, research, or administrative functions that further OU’s mission) or is necessary to comply with applicable legal obligations or for legally required purposes.
- Minimization: The University should limit the retention of PII to the period necessary to fulfill the stated business purpose or as otherwise required by law. Disposal of University records containing PII must be performed in accordance with the General Records Disposition Schedule for State Colleges and Universities and any applicable University records‑management policies and may require authorization through the appropriate University office.
- Individual Access to Personal Data: University personnel (individual end users) who are allowed to access PII about data subjects must do so using their own individual OU credentials. Accessing PII with departmental credentials that are shared among multiple people is not allowed.
Privacy Policies and Statements
- Privacy Statements/Notices are University documents designed to instruct the internal campus on responsibilities and expectations related to privacy management. Areas, divisions, colleges, departments, or units that collect data beyond what is outlined in this policy may be required to generate a custom Privacy Statement/Notice in accordance with the Policy Development and Management Policy. Additional Statements/Notices must refer to this Privacy Policy, cannot be less restrictive than this Policy, and cannot contradict the information included in this Policy. These Statements/Notices will:
  - Identify the categories of PII collected through the commercial portions of its website or through its online service.
  - Identify the categories of third parties with whom OU may share the PII.
  - Provide a description of how an individual may make a request pertaining to PII collected through the website or online service and retained by OU.
  - Describe the process by which OU will notify users of the commercial portion of the applicable website or its online service of material changes to the Statement/Notice for that portion of the website or online service (it is sufficient to say that the policy will be updated online); and
  - Identify the effective date of the notice and all updates.
- Individual Program or System Privacy Notice/Statement: Users should be notified when their PII is being collected, and they should be informed of their related rights. All Web pages that collect PII should link to the Privacy Statement/Notice. Any sites or pages that collect additional PII beyond the categories covered in the Privacy Statement/Notice should include a custom privacy notice that specifies how the additional PII will be used.
- Institutional Privacy Notices/Statements: Institutional Privacy Notices/Statements are intended to inform the public about how the University will maintain PII.
Data Use
- No Secondary Use: PII should be used only for the purposes for which it was collected unless the potential usage of the PII was disclosed to the individual at the time of data collection or the individual gives consent for the additional purposes.
- Nondisclosure and Consent: PII should not be released to third parties external to the University without consent of the data subjects and/or appropriate University contract agreements (e.g., vendors, business, etc.), unless allowed by law. When consent is used as a justification for collecting or processing PII, this consent must always be documented and tracked, and individuals should be informed who to contact or the process to follow to revoke their consent.
- Need to Know: Only those with legitimate, official University business needs should have access to PII. Each system storing PII should have a documented process for requesting, approving, and granting access to the information. This process should identify the person responsible for approving access, verifying completion of any training or orientation obligations prior to access, and documenting the justification for all decisions allowing or denying access. These procedures should be consistent with this Policy and the Identity and Access Management Policy according to the type of data involved.
- De-Identification: When sharing PII, OU personnel must use these practices:
  - Do not share personally identifiable information with an internal or external party unless explicitly authorized via a formal access request process involving the appropriate data steward.
  - An acceptable way to share data while respecting the privacy of individuals and businesses is to remove PII that would allow someone to be identified before sharing the data.
  - Proper guidelines and methods for data de-identification must be implemented, where appropriate, and be comparable to OU’s De-Identification/Re-Identification of PHI policy.
- Prohibited Information, including Social Security Number (SSN) and Driver's License Number (DLN): OU departments should not use an individual's SSN or DLN as a personal identifier unless required by law.
- Data Accuracy, Inspection, and Review: PII should be accurate, and discrepancies should be corrected when they are discovered. University personnel shall take reasonable steps to ensure the PII the University manages is accurate and up-to-date. The University shall provide opportunities to individuals to control their PII, as permitted by applicable United States and other laws. Individuals should, with limited exceptions, have the right to examine information about themselves and request changes.
Information Security, Integrity, and Accountability
- The University endeavors to protect PII through appropriate physical and technical security measures tailored to the sensitivity of the personal data it holds. Clinical records and Protected Health Information (PHI) maintained in connection with University health care operations are governed by applicable HIPAA privacy and security requirements and related University HIPAA compliance policies.
Training and Education
- The University complies with applicable laws, regulations and guidelines by providing training and education to its constituents concerning their own privacy rights as well as the proper handling of PII entrusted to them in order to carry out their required job functions. The Data Governance Committee (DGC) will communicate with OU students, faculty, employees, suppliers, partners and others about how the University uses PII in our day-to-day operations.
Legal and University Process
- The University may disclose PII in the course of investigations and lawsuits, in response to subpoenas, in response to requests made under the Oklahoma Open Records Act, to the extent disclosure is required or permitted by law for the proper functioning of the University, to protect the safety and well-being of individuals or the community, and as permitted by law.
Confidentiality
- Members of the OU community may be subject to confidentiality requirements placed on them as a result of the information they access. Students, trainees, faculty, and staff participating in clinical education or patient care activities must also comply with applicable privacy and confidentiality requirements governing patient information.
Software and AI
- In accordance with federal guidance and University policies, OU departments, faculty, staff, or contracted vendors should not use software platforms not assessed for privacy by OU Information Technology (OUIT), including ephemeral communications, for University business. All users of software should ensure they comply with OUIT policies, standards, and guidelines. All use of artificial intelligence tools must comply with the University’s AI Acceptable Use Guidance issued by the Chief Artificial Intelligence (AI) Officer.
Categories of PII Collected
- The University collects and uses the following categories of information at the institutional level:
  - Prospective students: personal and family information related to the application and financial aid process, including supporting documentation, identification and contact information.
  - Students: the information submitted as prospective students, information related to their academic record, their academic performance, video images on campus.
  - Faculty and staff: identification, contact information, biographic information, information related to remuneration, to benefits, to family members, information related to performance at work.
  - Visiting scholars and exchange students: identification, contact information, biographic information, possibly data related to health.
  - Subjects of our research projects: as needed, identification and contact information, together with all information that is produced and observed in relation to the subject as part of the research project. Research involving human subjects is conducted in accordance with applicable federal regulations, Institutional Review Board (IRB) requirements, and University research compliance policies.
  - Alumni: identification and contact information, donor information.
  - Website visitors: the internet domain from which a visitor accesses the website, the IP address assigned to the visitor’s computer, the type of browser the visitor is using, the date and time of visit.
  - Patients of OU: identification and contact information, data related to health and billing. Protected Health Information (PHI) is used, maintained, and disclosed in accordance with the Health Insurance Portability and Accountability Act (HIPAA), applicable Oklahoma statutes, and University HIPAA compliance policies.
How PII is Used
- The University shall only use your PII for legitimate and specific purposes and to facilitate the various operations of the University.
- In general, the University uses PII in the following ways:
  - To facilitate admission and provide higher education services for OU undergraduate and graduate students and prospective students.
  - To manage the employment of OU faculty members and staff.
  - To facilitate visits to OU campuses by visiting scholars and exchange students.
  - To deliver the course material, facilitate engagement, and track attendance and completion for subscribers of OU online courses.
  - To facilitate the attendance of persons who register for conferences, symposia, and other events.
  - To keep alumni engaged in the OU community.
  - For the purposes of delivering healthcare to OU patients.
  - To enable participation of individuals who take part in our research projects. Certain research data may also be subject to additional protections under IRB protocols, data use agreements, or sponsor requirements.
  - To support website performance and enhance user experience for visitors of OU websites.
  - Video images recorded by our video security system to ensure OU community members’ physical security and to protect OU property.
- The University may occasionally process other PII for various legitimate and specific purposes. When these situations occur, the University will endeavor to inform you.
Who Has Access to PII
- The University does not sell PII to third parties and does not share it with third parties for purposes other than supporting the legitimate interests and operations of the University.
- The University uses a variety of third-party services to help fulfill its business operations. The University strives to be diligent with confidentiality, privacy and security standards that the University requires from all its service providers, and strives to require that the service providers use PII only for the purposes of providing those services. Where required by law, including for services involving PHI, the University enters into appropriate contractual agreements governing the use and protection of such information.
How PII is Secured
- The University recognizes the importance of maintaining the confidentiality and security of the information it collects and maintains and endeavors to protect PII from unauthorized access and damage. The University strives to ensure reasonable security measures are in place, including physical, administrative, organizational and technical safeguards, to protect PII and processes and mitigate risks in ways appropriate to the nature of the data and applicable legal requirements.
Review and Changes to this Privacy Policy
- This Privacy Policy should be reviewed, cataloged for version maintenance and entry into the policy portal, and approved by the Chief Information Officer prior to posting.
- This Privacy Policy may be updated from time to time. The date of the last update will be indicated at the bottom of the page.
Contact Information
- If you have any concerns or questions about how your personal data is used, please contact dataprotection@ou.edu.
Special Notices
COPPA
- COPPA imposes legal and regulatory requirements on certain operators of websites or online services directed to children under 13 years of age, and on certain operators of other websites or online services that have actual knowledge that they are collecting PII online from a child under 13 years of age. The Federal Trade Commission, United States’ consumer protection agency, enforces COPPA, which spells out what operators of websites and online services that are subject to COPPA must do to protect the privacy and safety of children under the age of 13 online when COPPA applies. The University of Oklahoma, and the vendors with whom it works, sometimes collect data from children under the age of 13, or share such information with one another. The sharing and collection of such information is done in accordance with all applicable law, including COPPA to the extent it applies under the circumstances.
GDPR
- If you are located in the EU, then our processing of your PII may fall under Regulation 2016/679 (the General Data Protection Regulation, or the “GDPR”).
- In addition to the privacy information provided above, there is additional information specific to the EU legal framework below. Please also see our GDPR resources webpage for more information.
Legal basis for processing
- Our processing activities of your PII will rely on different lawful grounds depending on the circumstances. Generally speaking, we typically rely on the following lawful bases in order to process your PII under the GDPR:
  - Necessity to enter into or for the performance of a contract (e.g., for online applications you submit; for the information provided when enrolling; for the payment information we process for tuition);
  - Necessity for our legitimate interests or those of third parties (e.g., our legitimate interest in maintaining a community for alumni);
  - Consent (e.g., for the research projects you may participate in; for processing of special categories of personal data).
Your rights
- The University is committed to facilitating the exercise of the rights granted to you by EU data protection law in a timely manner.
- In the context of our processing activities that are subject to the GDPR, you have the following rights regarding your PII:
  - Access, correction and other requests – You have the right to obtain confirmation of whether we process your personal data, as well as the right to obtain information about the personal data we process about you. You also have a right to obtain a copy of this data. Additionally, and under certain circumstances, you may have the right to obtain erasure, correction, restriction and portability of your personal data.
  - Right to object – You have the right to object to receiving marketing materials from us by following the opt-out instructions in our marketing emails, as well as the right to object to any processing of your personal data based on your specific situation. In the latter case, we will assess your request and provide a reply in a timely manner, according to our legal obligations.
  - Right to withdraw consent – For all the processing operations that are based on your consent, you have the right to withdraw your consent at any time, and we will stop those processing operations as allowable by law.
- Please note that when you make requests based on these rights, if we are not certain of your identity, we may need to ask you for further PII to be used only for the purposes of replying to your request.
Retention period
- The University strives to keep personal data in our records only as long as necessary for the purposes for which they were collected and processed. Retention periods vary and are established considering our legitimate interests and all applicable legal requirements.
Data transfers
- When you interact with the University, your PII is transferred to the United States. The United States is not currently among the countries outside the European Union that have been deemed by the European Commission to have an adequate level of legal protections for PII. To ensure lawful transfers of PII from the EU, the University relies on the derogations laid out in Article 49 GDPR. In particular, we rely on your explicit consent for some of the transfers and on necessity for the performance of a contract or the implementation of pre-contractual measures taken at your request (for instance, for the transfer of personal data necessary for your application for admission). Please be aware that we provide safeguards for the information transferred, as required by the GDPR itself and in accordance with this General Privacy Policy.
Concerns
- If you have any concerns or questions about how your personal data is used, please contact dataprotection@ou.edu. We will promptly respond to your request and do our best to address your concern. However, if you believe we have not been able to deal with your concern appropriately, you have a right to complain to your local data protection authority, as granted by Article 77 of the GDPR. You also have the right to submit a complaint in the Member State of your residence, place of work or of an alleged infringement of the GDPR.
FERPA
- The University complies with the Family Educational Rights and Privacy Act (FERPA), which governs the privacy of student education records. FERPA establishes requirements related to student rights of access and amendment, conditions under which disclosures may occur without consent, directory-information designations, and the determination of legitimate educational interest by University officials.
Revision, Review, and Approval History
- April 2026: Draft version opened for comments by Data Governance Committee Data Privacy Working Group