The purpose of this policy is to ensure compliance with data protection regulations related to the use, storage, protection, and control of information gathered from users when they interact with St. Edward's University both online and offline.
Audience
All students, faculty, staff, and third-party contractors of St. Edward's University must be aware of and comply with this policy.
Definitions
Consent Form: 使用清晰易懂的语言编写的清晰可区分的表单,允许每个用户选择数据控制器允许使用其数据.
Data Breach Notification: Right of a general user to be alerted when their personal user data has been lost, stolen, inadvertently disclosed to an external party, or accidentally published.
Data Controller: The entity that determines the purposes and means of the processing of personal user data.
Data Portability: The right for a general user to receive the personal data they have previously provided.
Data Processor: The entity that processes personal user data on behalf of the Data Controller.
Data Protection Officer (DPO): An individual appointed by St. Edward's University as the primary point of contact for all matters regarding the GDPR.
General Data Protection Regulation (GDPR): 2016年4月27日欧洲议会和理事会关于保护自然人处理其个人用户数据和使用该数据的条例(EU) 2016/679.
General User: The identified or identifiable person to whom personal user data relates.
General User Data: Any information related to an identified or identifiable natural person.
General User Data Breach: General user data that is held by a data controller that is lost, stolen, inadvertently disclosed to an external party, or accidentally published.
Privacy by Design: The inclusion of data protection processes from the onset of designing systems.
Processing: Any operation which is performed with or upon personal user data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Right to Access: The right of a general user to obtain confirmation from the data controller as to whether their personal data is being processed, where it is being processed, and for what purpose it is being processed.
Right to Erasure: The right of the user to request the data controller to delete his/her personal user data, to cease further dissemination of the data, and potentially have third parties halt processing of the data.
Territorial Scope: The extended jurisdiction of the GDPR applies to all companies processing the personal data of users residing in the Union, regardless of the company's location. As well as all Union citizens regardless of the citizen's location.
University Partner: An organization that the university has entered into an agreement with to provide information. A before an agreement is met a potential partner must meet the requirements of the University Data & Records Policy.
Compliance
The GDPR requires organizations in breach to be significantly fined. There is a tiered approach to fines.
Roles and Responsibilities
St. Edward's University: 作为数据控制者,大学有责任遵守数据保护法,并保持证明合规性的记录.
University Risk & Compliance: 该办公室有责任评估整体风险概况,并确保政策和流程到位,从而遵守数据保护法.
Data Protection Officer: 数据保护官负责监督大学对数据保护法的遵守情况,并作为大学在数据保护方面的主要联系人.
Policy Standards
General
St. Edward's University is acting as a data controller under the GDPR.
Information submitted by users through our websites, such as names, email addresses, and other contact information, may be collected by the university for internal marketing and development purposes and to respond to inquiries.
Data Collection
Registration, Forums, Apps and User Dealings with St. Edward's
The university collects information about users when users provide it to the university. For example, when users fill out the university's various online forms, respond to a promotion, inquire about programs and services, or participate in an event whether by telephone, in person, or on paper. If users contact the university via telephone, or if the university contacts users via telephone, the call may be recorded for quality, training and management purposes. The university may also record user inquiries via online chat for the same purposes.
Information From Devices
The university also collects information indirectly from the devices used to interact with the university's websites or apps. This information can include a user's geographic location, which may be required to provide services that have location restrictions. The university may also collect information from cookies placed on a user's computer or device. See the Cookie section of this policy for more information about the university's use of cookies.
Information From Social Media Log Ins
If a user logs in to the university's websites or online services through a third-party site such as Facebook, that site may pass information such as user ID, name associated with the ID, email address, geographic location, and other information permitted under the privacy policy for that website. The university's websites may also return information about the user to social networking sites regarding a user's login.
Posts, Comments and Correspondence
When users interact with any of our web presences, for example by participating in polls, leaving comments, sending text messages, or sending correspondence via email, phone, or letter, the university reserves the right to display this content indefinitely in any relevant context. This content may be anonymized in the case of testimonials.
Public Information and Social Media Posts
Any personal information that a user shares about themselves via social media sites, including chat rooms, blogs, and forums may be viewed, collected and used by third parties, including search engines. The university is not responsible for the use of any information submitted, posted, or otherwise made available on such sites.
Information from Other Sources
如果用户允许校方分享其用户信息,校方也可以从第三方公司获取用户信息. The university may combine this information with other information.
Information Shared on Behalf of Others
By submitting information about an individual to the university, 提交人确认他们已由其提供信息的个人指定,通过提供信息代表该个人行事, including sensitive personal data, which may be transferred across international borders. The submitter also agrees via such submissions to receive any data protection notices on the individual's behalf.
Use of Information by St. Edward's University
User information is utilized for various purposes, including providing requested information and related services, providing a personalized experience, and managing the university's relationship with users, including allowing users to interact, participate, and complete online solicitations. User information is used to monitor, improve, and protect the university's content and services, both online and offline. The university may also provide users with help and support where it is required.
The university provides personalization by using cookies, IP addresses, web beacons, URL tracking and app settings. See the Cookie section for more information.
Market Research and Analytics
The university may use information to conduct market research to improve current services and develop new products and services.
Advertising
大学可能会使用定向广告,提供与用户兴趣更相关的在线广告,并根据用户与大学网站的互动方式提供在线广告, mobile apps, and physical services. 大学也可以使用通过参加由大学提供的活动以及与大学的商业伙伴合作获得的信息来发布更相关的在线广告. For more information, please see the Cookie section of this policy.
Relevant Communications
Unless told otherwise, the university may use user information to send newsletters, bulletins and other information about the user's identified academic programs, interests, or related university non-academic programs.
Direct marketing
This may include communications by mail, telephone, email and messages to a user's mobile phone and through social media (such as Facebook, LinkedIn and Twitter) about the university's programs, services, and events, including for a reasonable time after the user may have ceased a subscription, application, or enrollment.
Sharing Information
Where users consent, 大学可以根据本政策在大学内部共享用户信息,也可以根据本政策与大学合作伙伴的任何实体共享用户信息. The university may share information that does not personally identify users without restriction.
The university will not sell users' personal information to third parties for use in direct marketing, advertising, or promotion of their products or services.
Sharing With Third Parties
The university may pass user information to third parties that provide services to the university, such as delivery services or market research agencies. The university may also use third parties to collect user information on our behalf, and the use of user information will be subject to this policy. The university will only disclose user information to third-party companies for their purposes, including marketing, when the university has the user's permission to do so.
The university may reveal personally identifiable information about a user to unaffiliated third parties:
- if requested or authorized by a user;
- if the information is provided to comply with the law, applicable regulations, governmental and quasi-governmental requests, court orders or subpoenas, or to protect the university's rights, property or safety or the rights, property or safety of our users or others (e.g., to a consumer reporting agency for fraud protection etc.)
- if the information is provided to our agents, outside vendors or service providers to perform functions on our behalf (e.g., analyzing data, providing marketing assistance, providing customer service, processing orders, etc.), or as otherwise described in this policy.
Linked Services
The university's services may be linked to websites operated by third-party companies that may carry advertisements or offer content, functionality, games, newsletters, contests, sweepstakes, or applications developed and maintained by unaffiliated companies. The university is not responsible for the privacy practices of unaffiliated companies. Once a user leaves the university's services, the user should check the applicable privacy policy of the unaffiliated company.
Disclosures Required by Law
Users' personal information will be disclosed where the university is obliged by law to do so. 在法律允许的情况下,大学也可以披露用户的个人信息,以保护或执行大学或他人的权利,以及侦查和预防犯罪, such as fraud.
Acceptable Use of Services
Users are expected to abide by the university's Acceptable Use Policy. 如果用户在任何地方或任何大学的网站或应用程序上发布或发送攻击性或令人反感的内容,或在任何大学网站或应用程序上从事任何破坏性行为, the university may use available user information to stop such behavior. The university may inform relevant third parties such as law enforcement agencies about the offensive or objectionable content and behavior.
Payment and Credit Checks
接受产品和服务的付款需要用户信息,这些信息可用于验证与此付款相关的信用详细信息. Permission to do so is implicit in providing financial details to process payment. Direct debit information may be retained by processing partners for ease of automation of payments.
Data Transfers
When a user completes web forms or uses the university's services, 大学可能会将您的信息传输给美国以外的数据处理者,但会根据适用的数据保护立法采取适当的措施和控制措施来保护该信息.
Mobile Applications
By downloading university apps, the university will require access to the following services on a user's device: a unique identifier (UDID), and a MAC address or other applicable device identifier and location. Other services may also be required in order for the apps to function. University apps may also provide push notifications to a user's device. Users may control these by adjusting device settings, such as turning off push notification and location services.
Cookies
cookie和其他在线跟踪技术是当用户与大学网站和其他服务交互时,用于识别用户设备的小块数据或代码. They are often used to remember user preferences, to identify popular content, and remember that the user logged in. For example, to permit a user's connection to the university's websites, the university's servers receive and record information about the user's computer, device, and browser, including potentially the user's IP address, browser type, other software or hardware information, and the user's geographic location.
Please see the Procedures section for information about managing and controlling the various types of cookies.
Use of Cookies
The university may use cookies to collect, use and store information about an individual's use of university services, websites and apps, such as pages visited, content viewed, search queries run, and content seen or interacted with.
The university may also use cookies to provide relevant content to users. The content on university websites and in university communications with users may be adjusted depending on what is known about the content, programs and services that a user likes. The university can highlight content and articles believed to be of interest to a user and provide personalization by using cookies, IP addresses, web beacons, URL tracking and mobile app settings.
The university may use any of the following types of cookies:
- Essential Cookies and Similar Technologies: These cookies are vital for the running of university services on websites and apps. Without the use of these cookies, parts of the university's websites would not function. Example single- sign-on (SSO) services.
- Analytics Cookies and Similar Technologies: These cookies collect information about use of websites and apps, and enable the university to improve the way they work. For example, analytics cookies show the most frequently visited pages on university websites allowing content to be optimized. These cookies help identify any difficulties a user has in accessing services so the university can fix these problems. These cookies also allow the university to see overall patterns of usage at an aggregated level.
- 功能/偏好cookie和类似技术:这些cookie收集有关用户选择和偏好的信息,并允许大学记住诸如语言之类的东西, username, text size, and location, so the websites can show content relative to a user's location. 这些cookie允许大学定制用户访问的服务,并向用户提供嵌入在大学内容中的第三方服务(例如.g. YouTube, Twitter, etc.).
- 跟踪/广告cookie和类似技术:大学使用这些类型的技术来提供与您的兴趣更相关的内容. This can be done by delivering online adverts based your previous web browsing activity, known as "online behavioral advertising" (OBA). Cookies are placed on your browser which will remember the websites you have visited. Advertising based on what you have been looking at is then displayed to you when you visit websites who use the same advertising networks. To help us deliver relevant advertising using cookies, as an example the university participates in the DoubleClick network.
- 网络信标:这些数据可以统计访问网站或网页的用户数量,并允许大学查看cookie是否已被激活. 网页或电子邮件中使用的网络信标可以让大学看到一篇文章有多成功,或者电子邮件信息在营销活动中是否被成功传递和阅读. Web beacons are also used to verify any clicks through to links or advertisements contained in emails. The university may use this information to identify which emails are more interesting to users.
- Flash Cookies: The university may, in certain situations, use Adobe Flash Player to deliver special content, such as video clips or animation. To improve the user experience, Local Shared Objects (commonly known as Flash cookies) are used to provide functions such as remembering user settings and preferences. Flash cookies are stored on a user's device, but they are managed through an interface different from the one provided by the user's web browser.
- Tracking URLs: These are special web links that allow the university to measure when a link is clicked on. They are used to help the university measure the effectiveness of campaigns and advertising and the popularity of articles that are read.
Third-Party Cookies
Third parties that support the university's services by serving advertisements, tracking aggregate service usage, 或提供其他服务(例如允许用户共享内容)也可能使用cookie和其他技术来收集与提供这些服务相关的信息. The university does not control third-party cookies or other technologies. Their use is governed by the privacy policies of third parties using such technologies. Users should make sure they know how third parties will use cookies by checking the third party's cookie policy.
User Data Breach
One of the most important accountability obligations concerns personal data breaches - that is, when personal data held by the university is lost, stolen, inadvertently disclosed to an external party, or accidentally published. If a personal data breach occurs, this should be reported immediately to your supervisor, who should then inform:
- Vice President Institutional Effectiveness & Planning and Chief Data Officer
Director of University Risk & Compliance
If the breach is IT-related in any way, the Office of Information Technology will be notified, and remedial work can then be done to contain the breach. Occasionally, the university will need to report breaches to relevant external authorities.
Procedures
Right to Transparency
Users have the right to receive certain information about the university's data processing including, but not limited to, the nature of the university's data processing, whether the data subject's data is being processed by the university, and the existence of any data breaches that create a high risk to the data subject's rights and freedoms.
Users can request the information described above by submitting an electronic request to GDPR@hsbolivia.net with the Subject "Data Processing Transparency".
Right to Access
Users have the right to confirm whether the university processes their data. If a university processes that user's data, the university must provide the user access to the data along with other detailed information about its use of the data.
Users can request access to their data by making a Subject Access Request. To make a Subject Access Request to the university, the request must be:
- Made in writing (this may be in electronic form)
- By mail:
- Subject Access Request C/M 814
3001 South Congress Avenue, Austin, TX 78704 USA
- Subject Access Request C/M 814
- By e-mail:
GDPR@hsbolivia.net Subject: "Subject Access Request" Users may apply to access their data in writing. A Subject Access Request Form template is made available for convenience. On receipt of a completed request, verification of identity, and sufficient details to enable the university to locate the information, the university is obliged to respond within 40 calendar days. The information will be supplied subject to any applicable exemptions. The data will be provided as of the date of receipt of the user's request.
Right to Rectification
Users have the right to request that the university rectifies any inaccurate personal data or completes any incomplete data. The requested information updates may require additional information under university policies (e.g. FERPA protected updates such as name). Users can update their personal information by submitting an initial request with supporting documentation to:
- By mail:
- Made in writing (this may be in electronic form)
- By mail:
- Right to Rectification C/M 814 3001 South Congress Avenue, Austin, TX 78704 USA
- By e-mail:
GDPR@hsbolivia.net Subject: "Right to Rectification
Right to Erasure
Users have the right to request that the university erase their personal data when the data is no longer necessary for the purposes collected, when the user withdraws consent, or when the user objects to data processing. It is important to note that some information cannot be erased under state, local, and federal law (see University Data and Records Policy). If a university has already made the data public, it must take reasonable steps to inform anyone currently processing the data of the erasure request. Users can request data erasure by submitting an initial request with supporting documentation to:
- By mail:
- Made in writing (this may be in electronic form)
- By mail:
- Right to Erasure C/M 814
3001 South Congress Avenue, Austin, TX 78704 USA
- Right to Erasure C/M 814
- By e-mail:
GDPR@hsbolivia.net Subject: "Right to Erasure"
Right to Data Portability
当大学的数据处理是基于同意或合同时,数据主体有权要求获得提供给大学的所有个人数据的副本, and the processing is carried out by automated means. Users can request copies of personal data by submitting an initial request with supporting documentation to:
- By mail:
- Made in writing (this may be in electronic form)
- By mail:
- Data Portability C/M 814 3001 South Congress Avenue, Austin, TX 78704 USA
- By e-mail:
GDPR@hsbolivia.net Subject: "Data Portability"
Right to Restriction of Processing
Users have the right to object to the processing of their personal data in certain circumstances. Processing by key university services is required for conditions of enrollment at the university (e.g. the university's Learning Management System). Users can submit objections to the processing of personal data by submitting a formal request made in writing (this may be in electronic form)
- By mail:
- Data Processing C/M 814 3001 South Congress Avenue, Austin, TX 78704 USA
- By e-mail:
- GDPR@hsbolivia.net Subject: "Data Processing"
- By mail:
Managing Cookies
Most modern browsers are set to accept cookies by default, but users can change their settings to notify them when a cookie is being set or updated, or to block cookies altogether. Users should consult the "Help" section of their browser.
Controlling Flash Cookies
Controlling Web Beacons
Please note that by blocking any or all cookies, users may not have access to certain features, content, or personalization available on the university's websites, or apps.
Controlling Direct Marketing
用户可以通过以下方式联系大学,或按照通信中的退订指示,或通过向unsubscribe@stedwards提交主题为“退订”的电子邮件,更改他们对接收大学直接营销的偏好.edu.
Controlling Other Communications
用户可以按照通信中的退订指示控制通信,如电子邮件和其他有关他们所选程序的信息. Users may still receive other communications that are relevant to their chosen services but do not relate to that specific type of communication. Where this is the case, users will be able to unsubscribe from these communications in the same way.
Forms
Related Regulations, Statutes, and Related Policies
European Union General Data Protection Regulation Acceptable Use of Student Data Policy
University Data & Records Policy Technology & Information Policy
Contacts
Contact | Telephone | |
VP, Institutional Effectiveness and Technology, Chief Information Officer | 512-326-7002 | abetsing@hsbolivia.net |
Document History
This section must contain the following dates or placeholders for future dates:
- Effective Date: May 14, 2018
- Last Revised Date: April 17, 2018