Purpose of Policy
This policy defines the College’s commitment to personal privacy.
The policy applies to all employees, students, contractors, volunteers, third party vendors, etc., and all items of personal data that are created, collected, stored and/or processed through any activity of Franklin & Marshall College, across all its areas. This includes data collected for the purposes of research.
The College, as data controller, remains responsible for the control of personal data it collects even if that data is later passed onto another organization or is stored on systems or devices owned by other organizations or individuals (including personally owned devices or devices otherwise not managed by the College).
The College Information Technology Committee periodically reviews and revises this policy based upon emerging best practices.
A data subject is an identifiable natural person with a relationship with Franklin & Marshall College who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Protection Officer
The data protection officer is the identified point of contact for anyone seeking to make inquiries about this policy or their records with the College. F&M’s Chief Information Officer (CIO) is the College’s named Data Protection Officer.
Data Protection principles
The College is required to adhere to the six principles of data protection, which means that information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. The six principles are:
Personal data shall be processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’).
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes. Further processing for archiving, scientific or historical research or statistical purposes is permissible (‘purpose limitation’)
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed (‘data minimization’).
Personal data shall be accurate and kept up to date where necessary (‘accuracy’).
Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose (‘storage limitation’).
Personal data shall be processed in a manner that ensures appropriate security including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or administrative controls (‘integrity and confidentiality’).
Personal data is information about an individual, who is identifiable from that information or who could be identified from that information when combined with other data which the College either holds or is likely to obtain.
Personal Data, ‘special categories’
Special categories of data include particularly sensitive personal information such as health details, racial or ethnic origin or religious beliefs.
The definition of ‘processing data’ includes obtaining/collecting, recording, holding, storing, organizing, adapting, aligning, copying, transferring, combining, blocking, erasing and destroying the information or data. It also includes carrying out any operation or set of operations on the information or data, including retrieval, consultation, use and disclosure.
Consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement or other clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Silence, pre-ticked boxes or inactivity does not constitute consent.
Direct marketing relates to communication (regardless of media) with respect to advertising or marketing material that is directed to individuals. Individuals must be given the opportunity to remove themselves from lists or databases used for direct marketing purposes. The College must cease direct marketing activity upon request from the individual.
Right to Object
Data subjects have the right to object to specific types of processing which includes processing for direct marketing. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation except in the case of direct marketing where it is an absolute right. Online services must offer an automated method of objecting. In some cases there may be an exemption to this right for research or statistical purposes done in the public interest.
Right to be forgotten (erasure)
Individuals have the right to have their data erased in certain situations such as where the data are no longer required for the purpose for which they were collected, the individual withdraws consent, or the information is being processed unlawfully. There is an exemption to this for scientific or historical research purposes or statistical purposes if the erasure would seriously impair the achievement of the objectives of the research. Individuals can ask the controller to ‘restrict’ processing of the data until complaints (for example, about accuracy) are resolved or the processing is unlawful.
Rights in relation to automated decision making and profiling
The right relates to automated decisions or profiling that could result in significant effects to an individual. Profiling is the processing of data to evaluate, analyze or predict behavior or any feature of their behavior, preferences or identity. Individuals have the right not to be subject to decisions based solely on automated processing. When profiling is used, measures must be put in place to ensure security and reliability of services. Automated decision-taking based on sensitive data can only be done with explicit consent.
Right to Rectification
The right to require a controller to rectify inaccuracies in personal data held about them. In some circumstances, if personal data are incomplete, an individual can require the controller to complete the data, or to record a supplementary statement.
Right to Portability
The data subject has the right to request information about them is provided in a structured, commonly used and machine-readable form so it can be sent to another data controller. This only applies to personal data that is processed by automated means (not paper records); to personal data which the data subject has provided to the controller, and only when it is being processed on the basis of consent or a contract.
The College is responsible for ensuring appropriate and proportionate security for the personal data that we hold. This includes protecting the data against unauthorized or unlawful processing and against accidental loss, destruction or damage of the data.
Examples of personal data breaches include:
- Loss or theft of data or equipment
- Inappropriate access controls allowing unauthorized use
- Equipment failure
- Unauthorized disclosure (e.g. email sent to the incorrect recipient)
- Human error
- Hacking attack
The College is required to keep a record of its data processing activities as a summary of the processing and sharing of personal information and the retention and security measures that are in place. The College is also expected to comply with the requirements outlined below.
All personal data collection undertaken by the college, including data collected for the purpose of research or similar activities must incorporate an appropriate form of consent on any data collection form.
Data must be kept secure
Any community member with access to personal data must ensure that all personal data they hold is kept securely. They must ensure that it is not disclosed to any unauthorized third party in any form.
Data must be retained based upon need and follow defined data retention policies
Individual areas within the College are responsible for ensuring the appropriate retention periods for the information they hold and manage, based on College data retention policies.
Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. Once information is no longer needed is should be disposed of securely. Paper records should be shredded or disposed of in confidential receptacles and electronic records should be permanently deleted.
If data is fully anonymized then there are no time limits on storage from a data protection point of view.
Conditions of Processing and Consent must be met
Legal and appropriate conditions for the College to process personal data (at least one of these conditions must be met):
a) The data subject has given his or her consent
b) The processing is required due to a contract
c) It is necessary due to a legal obligation
d) It is necessary to protect someone’s vital interests (i.e. life or death situation)
e) It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
f) It is necessary for the legitimate interests of the controller or a third party and does not interfere with the rights and freedoms of the data subject (this condition cannot be used by public authorities in performance of their public tasks).
Anyone who has provided consent has the right to revoke their consent at any time.
Privacy Notices must be given
Under the ‘fair and transparent’ requirements of the first data protection principle, the College is required to provide data subjects with a ‘privacy notice’ to let them know what it does with their personal data.
Privacy notices are published on the College website and are available at the point of first contact with the College.
Opportunity to opt out of direct marketing (regardless of media) must be given
Individuals must be given the opportunity to remove themselves from lists or databases used for direct marketing purposes regardless of media (email, phone, print mail, etc.) The College must cease direct marketing activity upon request from the individual.
Records of Processing Activities must be maintained
As a data controller the College is required to maintain a record of processing activities which covers all the processing of personal data carried out by the College. This record contains details of why the personal data is being processed, the types of individuals about which information is held, who the personal information is shared with and when personal information is transferred to countries outside the United States. The College has three Records of Processing activities:
- ∙ Employee data (including job applicants, former and retired employees, honorary, emeritus)
- ∙ Student data (including applicants and alumni)
- ∙ Data subjects other than employees, students, applicants, alumni and former employees
Subject Access Requests and Data Subject Rights
This policy gives data subjects the right to access personal information the College has about them. The purpose of a subject access request is to allow individuals to confirm the accuracy of personal data and check the lawfulness of processing to allow them to exercise rights of correction or objection, if necessary.
The College must respond to all requests for personal information and information will normally be provided free of charge.
Responding to data subjects requests
Any requests made to invoke any of the rights above must be dealt with promptly and within one month of receiving the request. Employees should consult the Data Privacy Officer if any requests like these are received.
Data sharing requirements
Certain conditions need to be met before personal data can be shared with a third party or before an external data processor is used to process data on behalf of the College.
As a general rule personal data should not be passed on to third parties, particularly if it involves special categories of personal data. There are certain circumstances when it is permissible.
Any transfers of personal data must meet the data processing principles, in particular it must be lawful and fair to the data subjects concerned.
It must meet one of the conditions of processing. Legitimate reasons for transferring data would include:
Official business of the College
If no other conditions are met, then consent must be obtained from the individuals concerned and appropriate privacy notices provided.
Where a third party is processing personal data on behalf of the College, a written contract must be in place.
All cloud service providers must complete the College’s cloud service questionnaire, administered by Information Technology Services, to assure the third party meets the College’s requirements particularly for information security.
Employees must consult with the Data Privacy Officer, the College’s Contract Office and Information Technology Services if they are considering entering into a new contract that involves the sharing or processing of personal data.
Data Breaches must be reported in a timely fashion
The College makes every effort to avoid data breaches, however, it is possible that mistakes will occur on occasions. If a data breach occurs the College is required in most circumstances to report this as soon as possible, and not later than 72 hours after becoming aware of it. If you become aware of a data breach you must report it immediately. Details of how to report a breach can be obtained from the the College’s Information Technology Services department.
Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer
Last Reviewed: 9 August 2018