Skip to header Skip to Content Skip to Footer

Related Programs & Offices

Privacy

The Information Privacy Program at UNCW is a collaborative effort supported by various programs and offices across campus, as well as external partners. This coordinated approach ensures that privacy and data protection are integrated into distributed University operations. By leveraging the expertise and resources of multiple stakeholders, our goal is to create a robust privacy framework that benefits the entire UNCW community.

Data governance establishes the processes and responsibilities that ensure the quality, security, and privacy of data used at UNCW. The Data Governance Program at UNCW establishes an information sharing and risk review structure to ensure that University and third-party data are properly utilized, protected, and maintained in accordance with applicable laws, rules, and policies. UNCW Data Governance is managed by various campus constituents and overseen by leadership from Information Technology Services and Institutional Research & Planning. 

The Data Governance Committee oversees program initiatives and serves as an inter-divisional group responsible for overseeing data governance strategy, policy, risk, and data management. One of the key goals of the program and committee is to promote a culture of responsible data use to achieve the University’s goals. 

Additional information and resources can be found on the UNCW Data Governance SharePoint site that is available to university constituents.

The University’s IT Vendor Risk Management (VRM) program is overseen by ITS and was created to ensure the protection of University and third-party data as such data is stored, processed, transmitted, or otherwise utilized by third-party software, systems, services, or other related solutions.

This program fosters a collaborative approach to reviewing requests from the campus community. Key partners include IT Security, the UNCW Purchasing Services Department, the Office of the General Counsel, Enterprise Risk Management, and those appointed as Data Trustees, Data Stewards, and Data Custodians. 

All information technology solutions, whether free or paid, are required to be reviewed for appropriate data protection controls prior to use with University data. Solutions that are identified as processing sensitive University data, anything classified as high sensitivity or ultra-high sensitivity per the UNCW data classification matrix, will be required to satisfactorily pass a formal risk assessment prior to purchase, use, or renewal.

The risk assessment process includes key components such as reviewing intended data use, conducting outreach to the solution’s vendor for security and privacy documentation, negotiating data protection contract terms, and receiving final approval from the respective Data Steward(s). Data Stewards are appointed under the Data Governance Program and are responsible for the accuracy, privacy, and security of institutional data under their purview.

Vendor solutions that do not yield satisfactory results during the risk assessment process may not be approved for use.

Additional information on the IT VRM Program is available through the UNCW 07.400.01 IT Vendor Risk Management Policy. The ITS VRM team may be contacted via email at VRM@uncw.edu.

The UNCW IT Security team is charged with safeguarding the confidentiality, integrity, and availability of all information processed, stored, or transmitted using university electronic resources. Security control implementation, continuous monitoring, vulnerability management, security audits, training, and comprehensive information security awareness campaigns are overseen and provided by the IT Security team to support campus efforts in mitigating related threats.

IT Security is also responsible for security incident response, including:

  • Preparing a response to campus security incidents, detection and analysis, containment, eradication, recovery of assets, and post incident analysis.
  • Assistance with investigations initiated by the University Police Department, Internal Audit, the Office of the General Counsel, and other internal and external authorities.

 UNCW Data Privacy and Security Teams work together to ensure the protection of institutional data and other data utilized by the University community. As related functions, they support multiple aspects of organizational data management practices and policies.

Additional information is available on the UNCW IT Security web page and the IT Security Updates and Information SharePoint site. The 07.300 series of IT security policies are also available for more information.

UNCW recognizes and supports the responsible use of generative AI, but emphasizes several critical factors when using such tools. Key considerations for the use of institutional and third-party data with AI tools include but are not limited to:

  • Information security
  • Data privacy
  • Regulatory compliance
  • Academic integrity
  • Copyright
  • Intellectual Property

Users shall avoid entering any sensitive or confidential information as well as certain classifications of University data and regulated data into publicly available generative AI tools. Many of these platforms use submitted data to train their model(s). This means privacy is not guaranteed and could result in sensitive information being exposed to other users of the tool(s).

Users desiring to utilize new AI-based platforms are required to submit the appropriate request to have the solution reviewed by ITS to ensure it meets established security, privacy, and compliance requirements.

UNCW’s Guide for Responsible AI Use can be found on the ITS web page.

The UNCW Sponsored Programs and Research Compliance (SPARC) team supports and promotes the work of UNCW’s researchers and research administrators. As part of the research lifecycle, SPARC negotiates, accepts, and manages all agreements with external sponsors and subrecipient organizations. 

Use of data provided by a third party, often the organization sponsoring or funding the research, may be governed under a Data Use Agreement (DUA) or similar document. DUAs outline the specific requirements UNCW researchers, affiliated staff, and/or the University itself must abide by with regards to data protection. These requirements may include privacy conditions related to the identification, re-identification, sharing, storage, and publication of certain information associated with a specific individual or confidential or proprietary information of the organization (data provider) itself.

DUAs are reviewed on a case-by-case basis by SPARC, ITS, and the Office of the General Counsel, as needed, to ensure the requirements set forth can be met prior to the receipt of or access to third-party data. 

Additional information may be found on the SPARC web page. Questions regarding the DUA review process may be directed to SPARC@uncw.edu.

UNCW has a federally mandated Institutional Review Board (IRB) to protect the rights of human subjects in research. The Research Integrity Office (RIO) serves as the administrative office that coordinates IRB activities and reviews. 

The IRB reviews research submissions continuously and holds monthly meetings to review protocols subject to full committee review. Representatives on the IRB review all materials submitted by researchers with a focus on informed consent and data protection controls and documentation. Studies that include the collection, storage, analysis, publication, or other use of personally identifiable information, health information, or other information that could be used to connect study results to an individual are carefully reviewed to determine if any technical or non-technical controls are required to preserve the privacy of the research subject(s).

The UNCW 03.380 Institutional Review Board Policy provides additional information and requirements for researchers using Protected Health Information, whether deidentified or not, and Individually Identifiable Health Information. Researchers are strongly encouraged to determine if identifiable health information is necessary to support their research project. In the event any of these types of data are utilized, additional steps may be required before the IRB may make a final decision on approving the research project. Potential requirements may include the completion of HIPAA training by project staff, completion of a Data Use Agreement (DUA) with a third-party data provider, authorization from the research subject(s) including informed consent, and/or other authorization or waiver from a Covered Entity’s IRB or privacy board, as appropriate.

Additional information is available on the Research Integrity and the Human Subject Protection web pages.

The Office of Privacy and Data Protection, housed within the N.C. Department of Information Technology (“NCDIT”), leads the state’s privacy program. This NCDIT office works with state agencies and agency divisions, stakeholders, and business partners to prioritize privacy risk assessments and security.

UNCW periodically works with NCDIT on various aspects of technology solutions, contract support, and maintaining awareness of updates to the State’s privacy program. 

Additional information can be found on the NCDIT Office of Data Protection website.