How To Identify a Reportable Privacy Violation
Types of disclosures: Incidental, Accidental and Intentional
(When in doubt, report!)
Incidental Disclosures
Incidental Disclosures are unintended revelations of private data that occur during normal business activities involving an otherwise permitted use or disclosure of the information
If a member of the workforce is taking reasonable precautions, and another individual happens to see or overhear private data that the workforce member is using, the workforce member will not be held liable for that disclosure.
Reasonable precautions include:
- Keeping one's voice low while discussing information
- Moving to as private a location as possible while using information
- Keeping private data in paper and electronic formats covered or otherwise inaccessible to those who do not have authorization or a legitimate need to know the information.
Incidental disclosures are usually not considered reportable Privacy Incidents. However, members of the workforce should use professional judgment and assess the potential outcome(s) of an incidental disclosure: report any disclosures that may result in a fraudulent or criminal misuse of the information or have a negative impact on the University of Florida or its affiliated entities.
Accidental Disclosures
Accidental Disclosures are unintended exposures of private data that occur when proper procedures are followed, but circumstances beyond the control of the individual cause an unwanted outcome.
Accidental disclosures are Privacy Incidents and must be reported immediately to the Privacy Office. Examples of accidental disclosures include, but are not limited to:
- Disclosure of private data to a person who falsely identifies himself.
- The default printer for a computer was changed, now documents containing private data are printing out in another office.
- Private data documents or electronic media were properly placed in an official recycling receptacle; an item or document falls or blows out during transport.
- With the individual's permission, a message that contains private data is left on an answering machine, but it was the wrong number.
Members of the workforce should assist in correcting or recovering from a disclosure ONLY if instructed to do so by the Privacy Office.
Intentional Disclosures
Intentional Disclosures are disclosures of private data that occur due to disregard of established policies and procedures, with or without malicious intent.
All members of the workforce are obligated to report any known and suspected intentional disclosures of private data immediately. Examples of intentional disclosures include, but are not limited to:
- Gaining access to private data by deliberately circumventing security measures, by using someone else's password, or by other fraudulent means;
- Negligently disclosing private data to unauthorized persons (i.e., without verifying the person's identity or authority to receive the data);
- Disclosing private data with intent to harm others by, or to personally profit from the disclosure;
- Purposefully compiling and saving unencrypted private data on portable computers or computer media.
Intentional disclosures are Privacy Incidents and will result in counseling or disciplinary action by the University. They may also result in personal liability, either in civil or criminal legal action.