Privacy concerns relating to students
All universities are subject to the Federal Education Rights and Privacy Act of 1974, or FERPA. FERPA has two main purposes: (1) it gives students the right to access their own records and (2) it restricts the university from releasing, sharing and disclosing education records without the subject student's consent.
"Education records," as defined by federal regulation, broadly includes any documents (physical or electronic), files or other materials that contain information directly related to a student and are maintained by William & Mary. So despite the word "education," many records that have nothing to do with courses or academics are protected by FERPA as education records.
Student health records are protected by the Virginia Health Records Privacy Act. The Act applies to certain records of the Student Health Center and the Counseling Center. These records are not covered by HIPAA, as discussed below.
Other student privacy issues
William & Mary's Statement of Rights and Responsibilities affirms students' Constitutional freedom from "searches and seizures except in accordance with law." The 4th Amendment of the U.S. Constitution protects people from unreasonable searches. Generally, this means that we are free from a warrantless search of our own home. This right is enjoyed by students. Specifically, students are free from warrantless searches of their rooms, office, lockers, or private possessions on campus. There are three important situations in which a warrantless search may be made:
- The Vice President for Student Affairs (or designee) may authorize, through a certificate, an administrative search when there is reasonable cause to believe that a student is violating university rules.
- W&M retains the right to conduct routine inspections.
- William & Mary Police may make searches with or without a warrant under circumstances permitted by law.
Privacy concerns relating to employees
Employee personnel records and files are protected by university and state policy. William & Mary's Statement of Rights and Responsibilities gives each employee an expectation of privacy with respect to "all records of his/her association with the institution" and sets limitations on the release of information. Virginia Department of Human Resource Management Policy 6.05, Personnel Records Disclosure, establishes guidelines for access to and release of personal information on employees maintained by the university. It applies to records of all employees, including faculty.
These policies are mainly interested in protecting employee records from disclosure outside of the insitution. There are also some protections for internal disclosure, as well. The IT Policy on Granting Access to Electronic Records establishes the protocols for supervisors and other to obtain access to employee emails and other electronic records.
Certain employee information -- particularly salary information -- is obtainable by Virginia residents under the Virginia Freedom of Information Act. Information about FOIA and W&M compliance is provided in the Freedom of Information Act Policy.
A commonly known privacy law is HIPAA - the Health Insurance Portability and Accountability Act. HIPAA is a federal law protecting the privacy and security of health records. HIPAA does not apply to records at William & Mary. According to publicly-available guidance provided by the U.S. Department of Health and Human Services (HHS), HIPAA only applies to health plans, health care clearinghouses, and certain health care providers. If an educational institution has an office that provides health care, such the Student Health Center, the institution may be covered by HIPAA. However, as explained in guidance issued jointly by HHS and the U.S. Department of Education [pdf], "many schools, even those that are HIPAA covered entities, are not required to comply with the HIPAA Privacy Rule because the only health records maintained by the school are “education records” or “treatment records” of eligible students under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule."
In addition, HIPAA does not cover health records that William & Mary receives or maintains about employees -- in other words, when William & Mary is acting as an employer and has medical information about an employee, that information is not protected by HIPAA. As HHS explains, HIPAA "does not prevent your supervisor, human resources worker or others for asking you for a doctor's note or other information about your health if your employer needs the information . . . ."