Personal privacy is about protecting individuals and giving them control over their personal information. Institutional privacy is about protecting proprietary information. In either case, privacy requirements must reflect campus values and also meet the institution's legal and regulatory obligations. The requirements must be reflected in the identity management system: its flexibility, how it is used to support access to resources, and who makes the decisions about that access. IAM can provide for the externalization and consolidation of roles that can be used to determine permissions and access without that function being built into each resource. This session will discuss these topics from the auditor, identity management architect, and security staff perspectives and offer a case study on how one campus has addressed these issues.