Practice & Procedure

Employees of the Research Foundation of CUNY ("Research Foundation", "RF" or "RFCUNY"), or designated individuals who conduct business on behalf of the Research Foundation, have an obligation to protect confidential information to which they have access. This requirement pertains to RF field staff and central office staff alike, as well as to principal investigators, campus project administrators and any others with access to confidential information.

Confidential information is any information concerning the business or operations of the Research Foundation, including (a) personal or private information from any source that belongs to clients, employees or business partners and (b) information that belongs to the Research Foundation and is available to employees solely because of their position as Research Foundation employees or designated individuals who conduct business on behalf of RFCUNY.

Employees or designated individuals who conduct business on behalf of RFCUNY will protect from unauthorized uses and disclosures (by any means including, but not limited to, electronic, written, or verbal uses and disclosures) all confidential information to which they have access in the course of their employment or business with RFCUNY, including information to which they are privy through various RFCUNY systems (including CYBORG, E-I9, E-PAF, E-Timesheet, KUALI, Eclipse, My Payroll and Benefits, their successors and other systems).

Employees or designated individuals who conduct business on behalf of RFCUNY will use the confidential information to which they have access only for the purposes for which it was collected and consistent with their employment or business, and will use that confidential information solely for the performance of their official duties for RFCUNY. Further, Research Foundation employees or designated individuals who conduct business on behalf of RFCUNY will disclose personal information only as permitted by law.

Confidential/Regulated data includes information for which there is a legal obligation not to disclose. These data elements require the highest level of restriction due to the risk or harm that will result from disclosure or inappropriate use. This may include, but is not limited to, social security numbers, credit card numbers, health information, RFCUNY user IDs and passwords.

An employee of the Research Foundation, or a designated individual who conducts business on behalf of RFCUNY, is required to take the following additional actions to protect confidential/regulated data:

  • May not ask for confidential/regulated data if it is not necessary and relevant to the purposes of the RF and the particular function for which the RF employee or designated individual is responsible;
  • May not disclose confidential/regulated data to an unauthorized person or entity;
  • May not share confidential/regulated data with a third party except as required by law, with the consent of the individual to whom the confidential/regulated data belongs, or when a third party is an agent or contractor of the RF;
  • May not send confidential/regulated data over the Internet or by e-mail unless a secured link is used or the confidential/regulated data is encrypted or otherwise secured. Records containing confidential/regulated data may not be stored on RF or personal computers or other electronic devices unless secured by the Office of Systems and Information Services (SIS) or the College Information Technology Department against unauthorized access.

Records or media (such as disks, tapes, hard drives) that contain Social Security numbers shall be discarded in a way that protects the confidentiality of the Social Security numbers and in accordance with the RF's records retention schedule.

When an RF employee or designated individual who conducts business on behalf of RFCUNY becomes aware, or suspects, that personal information has become lost or shared in an unauthorized way, or any other form of privacy breach, he or she is required to notify his or her supervisor immediately. If a supervisor is not readily available, then the employee must notify someone else in a management or executive position. Supervisors will be responsible for reporting the breach, or suspected breach, to the RF Senior Director of Human Resources.

Discipline or sanctions, up to and including termination, may result if an employee accesses, collects, uses, discloses or disposes of personal information in a manner that contravenes legal obligations or RFCUNY's established policies and procedures, including this Procedure. (Any disciplinary action will be taken in accordance with the collective bargaining agreement if applicable.)

These obligations will survive termination of employment at RFCUNY, and failure to keep confidential the personal information of individuals obtained during that employment, even after termination, will be grounds for appropriate legal action.