Virginia Commonwealth University seeks to protect the privacy of every employee’s employment and personal information, including social security numbers, whether that data is maintained through paper or electronic means.
This policy clarifies which employee records do and do not require third-party disclosure under the Virginia Freedom of Information Act and the Virginia Personal Information Privacy Act.
Noncompliance with this policy may result in disciplinary action up to and including termination of employment. VCU supports an environment free from retaliation. Retaliation is prohibited against any employee who brings forth a good faith concern, asks a clarifying question or participates in an investigation.
All employees are responsible for knowing this policy and familiarizing themselves with its contents and provisions.
This term refers to any information relating to an identified, or identifiable, individual.
These are individuals outside of VCU, including other state agency representatives, who request information from the records maintained by VCU.
VCU Human Resources officially interprets this policy and is responsible for obtaining approval for any revisions as required by the policy Creating and Maintaining Policies and Procedures through the appropriate governance structures. Please direct policy questions to VCU Human Resources Employee Relations.
VCU will collect only employee data that is needed for valid business purposes or to comply with law, and any such data will be obtained only by lawful and fair means. All data will be used only for the purpose authorized by the employee, to comply with applicable laws, or in support of university business purposes.
VCU will strive to maintain the accuracy of the personal data held to include establishing, as appropriate, mechanisms allowing employees to have the opportunity to review and update or correct their personal information.
Employees should have a reasonable expectation of privacy in both electronic and paper-based environments. Human Resources will take reasonable steps, with technical assistance from VCU Technology Services, to protect personal data from unauthorized access, including developing other personal identification methods (e.g., eID – employee ID; Banner ID - “V” number) and limiting access to such data to those employees with a business need to know. All university departments maintaining paper or electronic personal data are required to adopt and implement similar protection procedures, including discontinuing the use or dissemination of the social security number as an identifier on documents and reports.
In accordance with Department of Human Resources Management (DHRM) Policy 6.10, Personnel Records Management, the use of the social security number within the university will be limited to:
All university departments that may provide personnel records must take care to redact the social security number where it is not required or relevant to the record request.
In accordance with the Government Data Collection and Dissemination Practices Act, unless disclosure is required by federal or state law, the university will not require employees to provide their social security number for any purpose or in connection with any activity. Likewise, the university will not refuse or deny service or rights to employees who do not furnish their social security number.
Employees have access to the contents of their personnel file and other official records, except for letters of reference for employment and certain medical and/or mental health records that employees’ physicians have requested remain confidential.
Access to files is allowed during normal business hours and following the employee's proper release from their work area. The supervisor's approval or presence is not required in viewing such records; however, a Human Resources staff member will be present. Fees appropriate to the cost of reproduction will be charged for copies made of any information.
Requests for employee information should be referred to Human Resources for response to ensure compliance with the Virginia Personal Information Privacy Act and the Virginia Freedom of Information Act.
Vendors who are approved by Human Resources to access employee data will be required, upon request, to sign a confidentiality statement and to provide a copy of their data security plan and the result of their most recent information technology audit. Vendors also should certify their need for data when contracts are initiated and renewed. VCU’s policy on Business Associates and Contracted Sites details requirements for third-party access to personal information.
Requests regarding expense reimbursements to employees may be obtained from the Virginia Department of Accounts or the VCU Controller’s Office.
In accordance with the Virginia Freedom of Information Act and the Government Data Collection and Dissemination Practices Act, the following information is considered public information and requires disclosure when requested by third parties:
In addition to the data above, VCU will provide information required by subpoena or other court orders. Questions about what information may or may not be disclosed should be referred to the Office of University Counsel at VCU.
There are no forms associated with this policy and procedures.
This policy supersedes the following archived policies:
|January 16, 2009||Maintenance and Release of Employment and Personal Information|
|August 21, 2012||Maintenance and Release of Employment and Personal Information|
|August 06, 2015||Maintenance and Release of Employment and Personal Information|
|July 29, 2016||Maintenance and Release of Employment and Personal Information|
There are no FAQ associated with this policy and procedures.