The University deals with a great deal of sensitive, private or confidential information that must be protected and used properly.  This website serves as a resource on a wide range of privacy issues affecting the members of the University community.

Privacy Compliance Programs

The following compliance programs are managed by the Office of Compliance, Ethics, and Regulatory Affairs.

University of Alabama Privacy Policy

The UA Privacy Policy sets guidelines for the management of personal data.

EU General Data Protection Regulation (GDPR)

GDPR affects organizations worldwide, including The University of Alabama.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA protects a patient’s right to privacy.

Identity Theft Prevention Program (Red Flags Rule)

This program protects information associated with covered accounts.

Children's Online Privacy Protection Act (COPPA)

COPPA protects kids’ identifying information online by requiring parental consent.

CAN-SPAM Act Requirements

Overview of the CAN-SPAM requirements for external email and marketing communications.

Record Retention and Destruction Program

Information on how long to retain information and when information should be deleted.

Identity Theft Prevention Program (Red Flags Rule) Report Portal

Submit reports associated with covered accounts.

Additional Privacy Resources


  • All employees are responsible for protecting the personal information that UA gathers and uses – this includes information that UA faculty and staff compile, store and access regularly.  It only takes a few details about an individual for a criminal to steal an identity.
  • Whenever you gather information (especially sensitive or private information), make sure you understand and clearly note the purpose(s) for which that information is being gathered. That way, you can ensure the information is used and secured appropriately in the future – not only by you, but by others who may have access to it.
  • As a general rule, you should only be accessing information or records when you have a legitimate need to access that information – for instance, only accessing student records when there is a legitimate educational purpose, and only accessing UA business records when there is a legitimate business purpose.
  • All employees are responsible for organizing their work-related records so that they are accessible to others in the University who have a legitimate business need to access that information and are not accessible to anyone else.
  • You should never access the personal or scholarly records of another employee unless you have their permission or extenuating circumstances require it.
  • Please remember that privacy regulations may apply to personal information that is stored or transmitted via any type of media – electronic, paper, cell phones, and even verbal communication.

For more information or general guidance, see the Generally Accepted Privacy Principles.

Access a list of UA third-party vendors’ privacy information and the travel abroad privacy request.