Duke Alert Bar


Holly B. Benton
Associate Director of Privacy Risk

Duke is committed to appropriate oversight and takes safeguarding sensitive and/or regulated information seriously, promoting responsible stewardship of information assets institution-wide.

With responsibility for providing assurance to Duke University leadership over the lifecycle management and safeguarding of sensitive information assets, Duke Privacy assesses and collaborates with campus stakeholders to address institutional privacy-related risks and plays an instrumental role in facilitating compliance with federal, state and global privacy laws and regulations.

The Duke Privacy team serves the greater Duke community as a subject matter resource, manages privacy incident assessments and related mitigation and training, conducts risk assessments and risk-based privacy assurance reviews, collaborates with campus partners on privacy impact assessments, and partners throughout the institution on privacy-related matters that impact the university. Grounding all in the Fair Information Practices Principles and Privacy by Design, Duke Privacy takes a strategic, collaborative, dynamic and privacy awareness-first approach to its operational role for the institution.

Privacy: What is it and Why it Matters?

Do your part! Be a Privacy Champion at Duke.

Most, if not all of us at Duke, access, collect and use information to perform our work that identifies, relates to, describes, or is linked to individuals. Be aware that this may be true even when the information appears anonymous or has been de-identified. As an exercise of Duke’s values, and in alignment with Duke’s Confidentiality Policy, we are each responsible for appropriately and responsibly managing and safeguarding the information we access, collect and use to perform our jobs.

Do your part! Follow these information lifecycle management steps and be a Privacy Champion:

  • Only access, collect and use information from reliable sources.
    • Is it from a reliable source?
  • Only access, collect and use what you have a right to and only the minimum you need for the specific purpose.
    • Do you need it?
  • Only share with, send and disclose to those who have a right and need to know.
    • Share carefully!
  • Only use secure enterprise systems when storing, sending or working with information.
    • Employ security (e.g., use encrypted devices, MFA, save on the network, avoid using personal email)!
  • Only store and maintain the minimum you need for the minimum time you need it.
    • Follow retention schedules and delete when you can!

General Data Protection Regulation (GDPR)

Privacy Incident Assessments

Duke Privacy is responsible for University privacy incident assessments and investigates allegations of regulatory violations and impermissible disclosures of sensitive, restricted and regulated information as defined by the Duke Data Classification Standard and protected by such laws and regulations as the Family Education Rights and Privacy Act of 1974 (FERPA), the North Carolina Identity Theft Protection Act of 2005 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Privacy ensures timely compliance with federal and state breach investigation and reporting requirements.

Every privacy incident assessment involves:

  • A thorough investigation of the alleged violation and of the information allegedly disclosed
  • An evaluation of the use and adequacy of the privacy and information technology (IT) security controls implemented for safeguarding the information at issue
  • Breach remediation and mitigation assistance
  • Cooperation with and recommendations to Duke Human Resources and/or management
  • Training and guidance to educate and/or reinforce best practices for safeguarding information assets to ensure compliance with federal and state laws and regulations and Duke policies

Information Security

IT security and privacy are often mistakenly considered to be interchangeable. Information security and privacy are not the same, and the difference is critical. Privacy assesses what information needs to be protected and security addresses how to protect it. Privacy looks at the characterization of the information and identifies the protections that may be required. Security addresses the controls necessary to electronically protect the information. Duke’s Privacy and IT Security teams work closely together to ensure appropriate safeguarding of Duke’s information assets. Links to information security offices at Duke are: