Privacy Policy

Written Information Security Program

The American University of Florence (AUF) is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at the Institution. 

Data - For the purposes of this Program, “data” refers to all information stored, accessed, or collected at the Institution about members of the Institution community.

Personal Information - Personal Information (PI), as defined by GDPR (Regulation (EU) 2016/679), is any information that relates to an identified or identifiable living individual.

Examples of personal data AUF collects to fulfill its mission in accordance with the law are:

  • name and surname;
  • home address;
  • email address;
  • identification card number;
  • location data (for example the location data function on a mobile device such as a phone or a computer);
  • Internet Protocol (IP) address;
  • phone number;
  • data held by a hospital or doctor, which could be information that uniquely identifies a person;
  • passport number, alien registration number, or other government-issued identification numbers.

 

OVERVIEW AND PURPOSE

This document has been implemented to comply with security and privacy regulations, including but not limited to:

  • General Data Protection Regulation (EU) 2016/679
  • ISO 9000
  • ISO 27001 

AUF is committed to protecting the confidentiality of all sensitive data that it maintains. 

AUF is required to take measures to safeguard personally identifiable information and to provide notice of security breaches of protected information at the appropriate state agencies, to affected individuals and to institutions/organizations involved.

AUF has implemented several policies to protect such information, as described at the end of this document.

 

OBJECTIVES

AUF ensures the security and privacy of all personal information by following the program’s objectives as outlined below:

  • Establishing a comprehensive information security program for AUF with policies designed to safeguard sensitive data that is maintained by the Institution, in compliance with state laws and regulations;
  • Establishing employee responsibilities in safeguarding data according to its classification level;
  • Establishing administrative, technical, and physical safeguards to ensure the security of sensitive data.

 

SCOPE

The Program applies to all AUF students and employees, whether full- or part-time, including faculty, administrative staff, interns, contract and temporary workers. The Program also applies to certain contracted third-party vendors and hired consultants. The data covered by this Program includes any information stored, accessed, or collected at the Institution or for Institution operations.

 

GENERAL PROGRAM MONITORING

AUF employs multiple monitoring procedures in the protection of Information and Information System assets. These procedures are in compliance with best practice ISO 9000:2018 and General Data Protection Regulation (GDPR) protocols. The fundamental focus is to prevent improper disclosure, alteration, and destruction of information assets, and to ensure that transactions are genuine and cannot be disputed.

AUF information assets are classified as follows:

Confidential - Confidential data refers to any data where unauthorized access, use, alteration, or disclosure of this data could present a significant level of risk to the Institution. All PI, as defined above, is designated as Confidential. Confidential data should be treated with the highest level of security to ensure the privacy of that data and prevent any unauthorized access, use, alteration, or disclosure.

Restricted - Restricted data refers to all other personal and institutional data where the loss of such data could harm an individual's right to privacy or negatively impact the finances, operations, or reputation of the Institution. Any non-public data not explicitly designated as Confidential should be treated as Restricted Data. 

Restricted data include, but are not limited to, donor information, research data on human subjects, intellectual property, Institution financial and investment records, employee salary information, or information related to legal or disciplinary matters.

Access to Restricted data is limited to individuals who are employed by or matriculated at the Institution and who have legitimate reasons for accessing such data.

A reasonable level of security should be applied to both Confidential and Restricted data to ensure the privacy and integrity of this data.

 

Public (or Unrestricted) - Public data includes any information for which there is no restriction to its distribution, and where the loss or public use of such data would not present any harm to the Institution or its members (staff and students). Any data that is not classified as Confidential or Restricted should be considered Public data.

SECURITY ARCHITECTURE

A multi-layer security architecture supports the Institution's business infrastructure. The security architecture enables the effective deployment of security resources that include policy, standards, and risk-based decisions, enabling technical decisions in support of the Institution's business goals and the management of its information assets.

AUF employs active network peripheral and monitoring tools. Where possible, encryption is enforced at rest, in application databases, on portable media, backup media, desktops, laptops, and in data transmissions. The Institution also enforces end-point protection.

RISK MANAGEMENT

AUF recognizes that it faces both internal and external risks to the privacy and integrity of Institution information. These risks include, but are not limited to:

  • Unauthorized access of Confidential/Restricted data by someone other than the owner of such data or authorized personnel
  • Compromised system security as a result of system access by an unauthorized person
  • Interception of data during transmission
  • Loss of data integrity
  • Physical loss of data in a disaster
  • Errors introduced into the system
  • Corruption of data or systems
  • Unauthorized access of Confidential/Restricted data by employees
  • Unauthorized requests for Confidential/Restricted data
  • Unauthorized access through hard copy files or reports
  • Unauthorized transfer of Confidential/Restricted data through third parties

This may not be a complete list of the risks associated with the protection of Confidential and Restricted data. Since technology does not stand still, new risks are created regularly. Accordingly, the Institution's CIO will actively participate in and monitor advisory groups such as the CVE Database and the SANS Internet Storm Center to identify new risks.

 

VENDOR MANAGEMENT AND MONITORING

The Institution exercises appropriate diligence in selecting service providers capable of maintaining appropriate security safeguards for PI provided to them by the Institution. All relevant contracts with these third parties are reviewed and approved to ensure that they contain the necessary language regarding safeguarding PI. It is the responsibility of the Chief Information Officer to confirm that the third parties are required to maintain appropriate security measures to protect PI consistent with this Program and all laws and regulations.

 

PERSONNEL AND AWARENESS

The Institution promotes security awareness using email messages, formal instruction, and newsletters to communicate awareness. All employees are required to complete ongoing information security training. Training consists of a core security curriculum plus additional materials based on the employee's role.

The training goals are to ensure that Employees:

  • Understand and utilize techniques to minimize security threats
  • Know how to respond to security incidents diligently
  • Are aware of the policies, standards, and procedures that protect Institution information assets

AUF reviews and updates all training content on an annual basis to ensure that it reflects changes to AUF's regulatory and legal environment and policies.

 

ACCESS CONTROL

AUF manages access control, identification, and authorization through established policies and procedures that grant access using the principle of least privilege as the guiding tenet, the use of strong passwords, and the approval of access by the information owners. Access to Institution assets is audited at the user and application level, at the frequencies and criticality levels stated in the User Account Review Policy.

The Institution utilizes video surveillance (CCTV) as part of its campus security program to enhance safety, monitor access points, and investigate potential criminal activity, in full compliance with the GDPR and Italian law. The retention time for recorded data is limited to 24 hours. Further information can be requested by writing to the Data Protection Officer, dpo@auf-florence.org.it.
