11.0 Privacy and Disclosure of Information
11.2 Privacy of Personal Information
Recognizing that specific items of information about current (as well as former) individual students, faculty, and staff must be maintained for educational, research, and other institutional purposes, it is MIT policy that such information be collected, maintained, and used by the Institute only for appropriate, necessary, and clearly defined purposes, and that such information be controlled and safeguarded in order to ensure the protection of personal privacy to the extent permitted by law. The education records of students are also subject to MIT's policy on the privacy of student records (see Section 11.3 Privacy of Student Records).
11.2.1 Responsibility for Safeguarding Information
Persons with responsibility for records containing personal information should exercise care to ensure accuracy and completeness. Both departments and individuals are responsible for protecting personal information against accidental or intentional misuse or improper disclosure within or outside MIT.
For more information concerning safeguarding Institute records and information (whether or not they contain personal information), see Section 13.2 Policy on the Use of Information Technology Resources.
11.2.2 Use of Personal Information
When a member of the MIT community is asked by an office or individual at the Institute to provide information about himself or herself, that person should be informed of the purposes for which it will be used and the consequences, if any, of not supplying it. Such information should not be used or exchanged within the Institute for purposes other than those stated, for legitimate purposes that would be reasonably expected, or where the information exchanged does not identify any individual, such as with aggregated data.
11.2.3 Review of Personal Information
Federal and state laws give students and employees, respectively, the right to see certain records maintained about them. In accordance with such laws, and while respecting the privacy of others and the traditional confidentiality of faculty peer review and evaluation, an individual should be provided the means for seeing and obtaining copies of records about him or her maintained by the Institute, as well as for challenging their accuracy and completeness and the propriety of their use.
11.2.4 Disclosure of Personal Information Outside of MIT
Personal information, other than directory information about students and standard personnel information, should not be released to anyone outside MIT without the permission of the individual to whom the information relates, except in connection with court orders or other legal process (see Section 11.2.7 Court Orders and Other Legal Process), in cases where such release would be clearly expected (employment references, award nominations, etc.), or for other legitimate business needs. In the case of such other legitimate business needs, disclosure is permitted only with approval of the applicable Senior Officer or his or her designee, see Section 13.2.4 Privacy of Electronic Communications, Electronic Files, and Other Files; Section 13.2.4 also covers access to information).
Directory information for students is defined in Section 11.3 Privacy of Student Records. Standard personnel information comprises dates of MIT employment, job classification or title, the department in which an individual is or was employed, and MIT telephone extension, office address (in most cases), and email address for current employees.
11.2.5 Information on Foreign Nationals
Requests for information about individual foreign nationals, other than directory information about students and standard personnel information, should be directed to the Provost, who may release such information provided that the query is specific (rather than general, as in a form letter), that it concerns a named individual rather than a class of people, that it is made by a senior government official, and that it is lawful to release the information; it must also be apparent that a response is warranted by serious considerations of national security or law enforcement.
11.2.6 Archiving Records Containing Personal Information
When records containing personal information are no longer actively needed, they should be retired and maintained in accordance with the Institute Archival Policy (Section 13.3), which ensures all rights of privacy stated in this section and in Section 11.3 Privacy of Student Records, with one modification: Under special circumstances, the Archivist may grant scholarly researchers access to records that have been inactive for many years. Students' education records maintained by the Institute Archivist are subject to all of the rights and restrictions provided by the Family Educational Rights and Privacy Act of 1974 (see Section 11.3 Privacy of Student Records).
11.2.7 Court Orders and Other Legal Processes
In the case of court orders or other legal process (including subpoenas or agency requests for information) that require release of information about a current member of the MIT community, that individual should ordinarily be notified of the request as soon as possible. Notification will not be made, however, where such notification is specifically prohibited by the law or where the request for information asks for nondisclosure and such nondisclosure is, in the judgment of a Senior Officer, appropriate under the circumstances (for example, where notification might interfere with a criminal investigation). The requested information should be released only by an authorized officer of the Institute after consultation with the Office of the General Counsel.