Skip to content
Main content

Development Guide:
Acceptable Use Guidelines for Alumni and Donor Data

Giving News

Introduction
In line with its core values, The University of Texas at Austin is committed to safeguarding the security, privacy, and integrity of its alumni and donor information.  In addition, the university complies with all UT System, state and federal laws concerning the privacy and protection of personally identifiable information of alumni and donors.

The University Development Office’s intention for publishing an Acceptable Use Guidelines for Alumni and Donor Data is to maintain the established campus culture of confidentiality and security over all information pertaining to our donors, alumni, and friends made available to university employees.  Effective data security is a team effort involving the participation and support of every user of alumni and donor data.  It is the responsibility of every user to be aware and understand these guidelines, and conduct their practices accordingly.

Consistent with university policy, the University Development Office provides users with the data access and system authorizations to only the information needed to perform their jobs.  Business need and user role will determine the authorization to access confidential information.  The consequences of intentionally or unintentionally disseminating confidential alumni or donor information to parties outside of the University would adversely affect the reputation of the University, severely limit the University’s ability to generate future donations, or potentially cause legal action to be taken against the University or its employees.

Purpose
The purpose of this document is to define the guidelines for users that work with alumni and donor data.  The guidelines and standards set forth in this document clarify the expectations and practices required of all employees to protect and manage the alumni and donor records of The University of Texas at Austin.  Effective implementation of this policy will minimize unauthorized access to confidential information.

Scope
The University Development Office maintains and manages data about donors, alumni, and friends of The University of Texas at Austin.  This information comes from a variety of sources and includes:

  • Personally identifiable information shared directly by the donor, alumni, or friend
  • Personally identifiable information shared by someone who knows the donor, alumni, or friend
  • Financial information shared by the donor, alumni, or friend in the course of doing business with the University
  • Financial information shared by government agencies or financial institutions in the course of doing business with the University
  • Publicly available information obtained from various government and public agencies
  • Publicly available information obtained from various print and online media
  • Purchased data or information acquired from various third parties

Alumni and Donor data is defined as information pertaining to all alumni, donor, member, volunteer, friend, corporation, foundation, association, and government agency records that are stored in VIP and related data systems.

Constituent Description
Alumni Individuals that have received a degree from the University or attended the University
Donor Individuals or organizations that have made a charitable contribution to the University
Member Individuals or organizations that subscribe to a service or membership provided by a unit of the University
Volunteer Individuals that provide their time to assist the University in critical activities such as fundraising, advisory roles, relationship building, recruiting, docent services, etc.
Friend Constituents with a strong interest in supporting the mission of the University, but did not attend the University
Corporation For-profit organizations with an interest in supporting the University’s mission through placements, research, philanthropy, advisory role, etc.
Foundation Charitable organizations with an interest in supporting the University’s mission in education, research, or service through philanthropic opportunities
Association Organizations with an interest in supporting the University’s mission in education and research through philanthropic opportunities
Government City, county, state, federal, and country specific agencies with an interest in leveraging University expertise and services to enhance educational or research initiatives

Acceptable Use of Alumni and Donor Data

In order to safeguard the trust and respect of its donors, alumni, and friends, the university considers all information obtained from or about a donor, alumni, or friend to be confidential.  The university will not share, distribute, or disseminate information about a donor, alumni, or friend of the University unless this information is necessary during the normal business operations of the University or unless compelled by law to release the information.

The following guidelines provide users with a set of general rules to follow when working with alumni and donor data.  All users must comply with the following security practices when in possession of Alumni or Donor Data.

Recognition of Category I, II and III Data
All users should understand the definition and security requirements of the three categories of data as defined by the University.

Data Category Description Examples
Category I University data protected by federal law, state law, University of Texas rules and regulations, or contractual agreements requiring confidentiality, integrity, or availability considerations. Name combined with physical address, telephone number, email, gifts and pledges to the University (including related agreements), prospect management information (including contact reports), and research report information.
Category II University data not identified as Category-I data, but is releasable in accordance with the Texas Public Information Act.  This data is protected to ensure a controlled and lawful release of information. The amount of charitable contributions used to support a University priority.
Category III University data that is not identified as Category-I or Category-II data.  This data has no requirement for confidentiality, integrity, or availability. Summary information used for CAE reporting, CASE reporting, and other surveys the University participates.

Working with Category I and II Data

Users may be required to work with Category I and II data as part of their role in conducting University business.  All users are expected to abide by the following guidelines at all times to minimize the risk of releasing confidential data to an unauthorized person or into the public domain.

Working with University Colleagues
Users are allowed to share Category I and Category II data with University colleagues that require the information to perform their job function.  When sharing data with colleagues, user must follow these guidelines.

1. Hard copy documents or reports mailed within the University must be mailed in a secure envelope marked “Confidential.”

2. Category I and Category II data in documents can only be emailed when using encrypted email technology.

A. Digital certificates are required to enable encryption technologies as well as for signing of e-mail and other important electronic documents.  More information is available at the following link (http://www.utexas.edu/its/user-certs/).

B. The following are alternatives to using email to share documents containing Category I and II data.

i. Secure Messaging System (SMS) supported by the University.  The SMS sends the recipient an email with a link to a document posted by the user that can only be downloaded by the intended recipient.

ii. University supported secure FTP server where data files are removed after the recipient has downloaded the required data set.

iii. University supported SharePoint sites that are password protected and administered by a system manager.

iv. University supported Webspace accounts that are password protected and data is removed after the business purpose is completed.

Physical Storage of Documents
Guidelines for storage of physical documents or reports containing Category I and II data

1. All documents containing Category I and Category II data must be labeled “Confidential.”

2. Documents are not to be left unattended at printers, copiers, desks, tables, etc.

3. Documents must be stored in secure file cabinets or desk drawers under lock and key when not in use.

4. Destruction of documents must be done through secure shredding before placing in trash or recycle bins.

Out of Office Storage of Physical Documents
Guidelines when required to use Category I or II data outside of the office.

1. Users are allowed to transport documents containing Category I or Category II data out of their office only to conduct University business.

A. The documents must be labeled as “Confidential.”

2. Users must store physical documents securely in briefcases, computer bags, travel bags, folders, etc, and maintain with them at all times.

3. Documents must be shredded before disposing into trash or recycle bins.

Electronic Storage of Documents
Data security over electronic documents containing Category I or II data.

1. Consistent with University policy, users must employ user identification and passwords on computers, databases, and other storage devices to protect data.  Security practices and passwords must comply with the following University standards.

A. Personal Computer Security

B. Information System Security (including websites)

C. Strong Passwords

D. Security Awareness

E. Security Glossary

2. Users must not store emails or electronic documents with Category I or Category II data in their mailbox unless the data can be adequately encrypted during storage and transmission.

3. Users of portable devices (e.g., laptops) must store all electronic documents on an encrypted hard drive.  The recommended solution in this case is the Enterprise Whole Disk Encryption service for Windows systems and FileVault for Mac systems.

A. Electronic documents containing Category I or Category II data must never be stored on an unencrypted portable device.

B. The university must be able to verify that the portable device containing Category I or Category II is actually encrypted.  Your technology services support personnel should be able to assist you by using the recommended encryption solutions above and properly tracking the encrypted devices in use in the department.

C. It is recommend that users manually back up encrypted documents to the Local Area Network (LAN) file server upon returning to the office.

4. Desktop users must store all electronic documents on a University local area network (LAN) file server.

A. Electronic documents should not be stored on the hard disk of the desktop.

B. If a LAN is not available for data storage, the desktop must comply with portable device security requirements.

5. Files stored on external hardware devices must be encrypted and password protected.

A. This includes USB drives, flash drives, pen drives, camera sticks, and any device that can store an electronic document.

B. University Category I and Category II data stored on non-University computers, databases, or any devices is subject to all applicable University policies and guidelines.

Sharing Information with Individuals Outside of the University
Users must never share Category I or Category II Data with persons outside of the University without consultation and special authorization from the University Development Office, the Office of Institutional Relations and Legal Affairs, or the University’s Public Information Officer.  Users should consult with the above parties before taking any action to share data with a third party.

There exist four scenarios where the University may share data with persons outside of the University:

1. Open Records Request
External open records requests for confidential information should be directed to the University’s Public Information Officer (Chief Business Officer) BPM 32 Texas Public Information Act.

2. Service Provider to the University
Data sharing with vendors and other third parties that provide services for the University must abide by the University’s standards for data security as articulated in contractual and procurement policies.  Users should consult with purchasing and the ISO before sharing Category I Data with a third party.

3. Comply with Governmental Requests
Information request by a State or Federal agency.  Users should consult with Legal Affairs before providing data to any agency.

4. Volunteer Role
Volunteers assisting the University in advancing fundraising opportunities by hosting philanthropic oriented meetings and events, and peer-to-peer solicitation of gifts.  Providing category I data to a volunteer must be approved by the unit leader (Dean, Director, and Vice President) and the volunteer must sign the volunteer confidentiality agreement.

Additional Questions Regarding Category I or Category II Data
If you have additional questions regarding the use of Category I or Category II Data please contact your supervisor or the Information Security Officer.

Additionally, you can also review the following link that outlines the University’s data classification standard.
http://www.utexas.edu/its/policies/opsmanual/dataclassification.php#standard

Applicable Policies over Alumni and Donor Data

As a component institution of UT System, The University of Texas at Austin is responsible for implementing information technology policies adopted by UT System and other governing bodies.

All users of VIP will comply with the security policies and standards set by Federal and State statutes, UT System Regent’s Rules, and University policies.  Additionally, users of data downloaded from VIP are also required to maintain the same level of security requirements as users working on the VIP system.  These security requirements also apply to all external parties the University may share any alumni or donor data.  University data security standards apply to alumni and donor data in all its forms (e.g. hard copy, electronic file, etc.) and all locations (e.g. campus office, vendor server, home office, event, Smartphone, external hard drive, etc.).

The following is a listing of the key policies applicable to all users accessing Development Data.  The complete set of University IT policies can be found at the following link (https://www.utexas.edu/cio/policies/).

UT Austin Policies and Guidelines

  • Acceptable Use Policy (AUP) governs the use of information technology resources at The University of Texas at Austin.  All users are required to acknowledge the AUP annually.
  • Data Classification Standard assists data stewards, IT owners, and custodians to determine the level of security required to protect University data.

UT System Regents Rules and Regulations

State Laws

Federal Laws

  • Gramm-Leach-Bliley Act (GLB Act) defines privacy provisions to protect consumer information held by financial institutions and requires financial institutions to have a security plan to protect confidentiality and integrity of personal information.  In 2003, the Federal Trade Commission (FTC) confirmed that higher education institutions are considered financial institutions under this federal law.
  • Can Spam Act defines the Federal standards to protect email users from receiving unsolicited emails from organizations.

Building the Future of Nursing

Monday, April 17, 2017

Taking Action

Monday, April 17, 2017

Practical Activism

Monday, April 17, 2017

A Royal Artifact Finds a New Home

Friday, February 10, 2017

Matches Light a Fire in Liberal Arts

Thursday, February 9, 2017

Read More News