Covered Activities
Being "covered" means that the Red Flags Rule and University of Illinois System policy apply. The U of I System program groups covered activities into four categories:
Accounts
The Red Flags Rule applies to units that:
- Administer financial accounts (open, maintain, bill and close)
- Use consumer credit reports (those issued by Experian, TransUnion, and Equifax)
- Report information to credit reporting agencies
- Sell or transfer debts to a third party
Covered accounts include:
- Declining balance and debit accounts (meal plans, Campus Cash or Dragon Dollars, scholarships or aid)
- Campus-based student loans
- Loans to students, faculty, or staff
- Other financial loans
Cards
Units must comply with the Rule if they:
- Issue cards that can be used to access accounts
- Mail cards directly to cardholders
Examples of U of I System cards that can access financial accounts
Cards can include but are not limited to the following:
- iCards
- Visitor identification cards
- Pay cards
- Loan cards
- Other University of Illinois photo IDs
Some of the financial accounts U of I System cards can access are:
- Meal plans
- Campus debit plans (such as Campus Cash, Dragon Dollars, or Extra Credits)
- Checking accounts linked to student iCards
- Bank accounts (for employees issued pay cards)
- Loan funds (for students issued loan cards)
- Photocopying services
Note: The preceding list is not exhaustive: any other covered accounts that units establish with card-based access are included.
Goods and Services
The Red Flags Rule Units applies to units that:
- Provide goods or services that patrons can pay for later. This applies whether you bill and collect through Banner Accounts Receivable, payroll deduction, a third party vendor, or any other system.
- Require payment at time of sale or service but accept payment over the phone
- Pursue debt collection (directly or from another unit's services) from nonpaying patrons
- Bill for fines (which can only be paid for later)
Note: Credit card payments don't apply, because the relevant credit card company pays the unit and pursues payment from its individual customers.
Personal information
The Red Flags program covers units that:
- Enter new information into any record system
- Alter data that is already in a system
- Maintain a system that generates UINs, NetIDs, email addresses, or login names
- Grant 0% appointments for persons without I-9 forms.
Note: Units that enter or alter data only for the purpose of hiring comply with the Red Flags program because they must file an I-9 (Employee Eligibility Verification) form for every new hire.
Examples of personally identifying information
Personally identifying information for the Red Flags Rule means any data that is or may become associated with covered accounts. It does not matter which system your unit uses to handle personal data; it matters whether that data could be used for covered accounts.
The following identifiers can be used alone or in combination with each other to uniquely identify an individual account holder. This list is not exhaustive; your unit may know of other identifiers.
- Name (first name, middle name, surname or last name, suffix)
- Address*
- Phone number*
- Email address*
- Birth date
- Gender
- University Identification Number (UIN)
- NetID
- Login names
- Social Security number (SSN)
*Note: Many U of I System records include several different instances of the same type of identifier. For example, most students and employees have more than one phone number and address on file. Similarly, many systems include a preferred email address in addition to others. Due to name and/or gender changes, multiple names can be associated with one person.
Remember: The Rule applies to any identifying information that is or may become associated with a covered account—not just one particular set of identifiers.