How To Identify a Reportable Privacy Violation
Types of violations: Incidental, Accidental and Intentional
(When in doubt, report!)
Incidental violations are usually unintended uses or revelations of private data that occur during normal business activities involving an otherwise permitted use or disclosure of the information
If a member of the workforce is taking reasonable precautions, and another individual happens to see or overhear private data that the workforce member is using, the workforce member will not be held liable for that disclosure. Likewise, if a workforce member accidentally accesses data without meaning to, they will not be held liable for that access if they make no further use or disclosure of the data.
Reasonable precautions include:
- Keeping one’s voice low while discussing information
- Moving to as private a location as possible while using information
- Keeping private data in paper and electronic formats covered or otherwise inaccessible to unauthorized individuals.
Incidental disclosures are usually not considered reportable Privacy Incidents. However, members of the workforce should use professional judgment and assess the potential outcome(s) of an incidental disclosure: report any disclosures that may result in a fraudulent or criminal misuse of the information or have a negative impact on the University of Florida or its affiliated entities.
Accidental Disclosures are unintended exposures of private data that occur through human error or when circumstances beyond the control of the individual cause an unwanted outcome, even though proper procedures were followed.
Accidental disclosures are Privacy Incidents and must be reported immediately to the Privacy Office. Examples of accidental disclosures include, but are not limited to:
- Mailing, faxing, or emailing restricted information to a wrong address or number.
- Verbally disclosing private data to the wrong person or to a person who falsely identifies himself.
- The default printer for a computer was changed, now documents containing private data are printing out in another office.
Members of the workforce should assist in correcting or recovering from a disclosure ONLY if instructed to do so by the Privacy Office.
Intentional Disclosures are disclosures of private data that occur due to disregard of established policies and procedures, with or without malicious intent.
All members of the workforce are obligated to report any known and suspected intentional disclosures of private data immediately. Examples of intentional disclosures include, but are not limited to:
- Gaining access to private data by deliberately circumventing security measures, by using someone else’s password, or by other fraudulent means;
- Negligently disclosing private data to unauthorized persons (i.e., without verifying the person’s identity or authority to receive the data);
- Disclosing private data with intent to harm others by, or to personally profit from the disclosure;
- Purposefully compiling and saving unencrypted private data on portable computers or computer media.
Intentional disclosures are Privacy Incidents and will result in counseling or disciplinary action by the University. They may also result in personal liability, either in civil or criminal legal action.