The purpose of this policy is to ensure compliance with data protection regulations related to the use, storage, protection, and control of information gathered from users when they interact with St. Edward's University both online and offline.
Audience
All students, faculty, staff, and third-party contractors of St. Edward's University must be aware of and comply with this policy.
Definitions
Consent Form: A clear and distinguishable form that is written using clear and plain language that allows each user to opt in to the data controller's permissible use of their data.
Data Breach Notification: Right of a general user to be alerted when their personal user data has been lost, stolen, inadvertently disclosed to an external party, or accidentally published.
Data Controller: The entity that determines the purposes and means of the processing of personal user data.
Data Portability: The right for a general user to receive the personal data they have previously provided.
Data Processor: The entity that processes personal user data on behalf of the Data Controller.
Data Protection Officer (DPO): An individual appointed by St. Edward's University as the primary point of contact for all matters regarding the GDPR.
General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of their personal user data and on the use of that data.
General User: The identified or identifiable person to whom personal user data relates.
General User Data: Any information related to an identified or identifiable natural person.
General User Data Breach: General user data that is held by a data controller that is lost, stolen, inadvertently disclosed to an external party, or accidentally published.
Privacy by Design: The inclusion of data protection processes from the onset of designing systems.
Processing: Any operation which is performed with or upon personal user data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Right to Access: The right of a general user to obtain confirmation from the data controller as to whether their personal data is being processed, where it is being processed, and for what purpose it is being processed.
Right to Erasure: The right of the user to request the data controller to delete his/her personal user data, to cease further dissemination of the data, and potentially have third parties halt processing of the data.
Territorial Scope: The extended jurisdiction of the GDPR applies to all companies processing the personal data of users residing in the Union, regardless of the company's location, as well as to all Union citizens regardless of the citizen's location.
University Partner: An organization that the university has entered into an agreement with to provide information. Before an agreement is met, a potential partner must meet the requirements of the University Data & Records Policy.
Compliance
The GDPR requires organizations in breach to be significantly fined. There is a tiered approach to fines.
Roles and Responsibilities
St. Edward's University: The University has a corporate responsibility as a data controller to comply with data protection law and to maintain records that demonstrate compliance.
University Risk & Compliance: This office has a responsibility to assess the overall risk profile and ensure policies and processes are in place that enable compliance with data protection laws.
Data Protection Officer: The data protection officer is responsible for monitoring the University's compliance with data protection law and acting as a primary point of contact for the University regarding data protection.
Policy Standards
General
St. Edward's University is acting as a data controller under the GDPR.
Information submitted by users through our websites, such as names, email addresses, and other contact information, may be collected by the university for internal marketing and development purposes and to respond to inquiries.
Data Collection
Registration, Forums, Apps and User Dealings with St. Edward's
The university collects information about users when users provide it to the university, for example when users fill out the university's various online forms, respond to a promotion, inquire about programs and services, or participate in an event, whether by telephone, in person, or on paper. If users contact the university via telephone, or if the university contacts users via telephone, the call may be recorded for quality, training and management purposes. The university may also record user inquiries via online chat for the same purposes.
Information From Devices
The university also collects information indirectly from the devices used to interact with the university's websites or apps. This information can include a user's geographic location, which may be required to provide services that have location restrictions. The university may also collect information from cookies placed on a user's computer or device. See the Cookie section of this policy for more information about the university's use of cookies.
Information From Social Media Log Ins
If a user logs in to the university's websites or online services through a third-party site such as Facebook, that site may pass information such as user ID, name associated with the ID, email address, geographic location, and other information permitted under the privacy policy for that website. The university's websites may also return information about the user to social networking sites regarding a user's login.
Posts, Comments and Correspondence
When users interact with any of our web presences, for example by participating in polls, leaving comments, sending text messages, or sending correspondence via email, phone, or letter, the university reserves the right to display this content indefinitely in any relevant context. This content may be anonymized in the case of testimonials.
Public Information and Social Media Posts
Any personal information that a user shares about themselves via social media sites, including chat rooms, blogs, and forums may be viewed, collected and used by third parties, including search engines. The university is not responsible for the use of any information submitted, posted, or otherwise made available on such sites.
Information from Other Sources
The university may also obtain information about users from third-party companies if a user has given the company permission to share their user information. The university may combine this information with other information.
Information Shared on Behalf of Others
By submitting information about an individual to the university, a submitter confirms that they have been appointed by the individual whose information they are providing to act on the individual's behalf by providing information, including sensitive personal data, which may be transferred across international borders. The submitter also agrees via such submissions to receive any data protection notices on the individual's behalf.
Use of Information by St. Edward's University
User information is utilized for various purposes, including providing requested information and related services, providing a personalized experience, and managing the university's relationship with users, including allowing users to interact, participate, and complete online solicitations. User information is used to monitor, improve, and protect the university's content and services, both online and offline. The university may also provide users with help and support where it is required.
The university provides personalization by using cookies, IP addresses, web beacons, URL tracking and app settings. See the Cookie section for more information.
Market Research and Analytics
The university may use information to conduct market research to improve current services and develop new products and services.
Advertising
The university may use targeted advertising to provide online advertisements that are more relevant to user interests and deliver online ads based on the way users interact with university websites, mobile apps, and physical services. The university may also use information obtained through participation in events provided both by the university and in cooperation with the university's commercial partners to deliver more relevant online advertisements. For more information, please see the Cookie section of this policy.
Relevant Communications
Unless told otherwise, the university may use user information to send newsletters, bulletins and other information about the user's identified academic programs, interests, or related university non-academic programs.
Direct marketing
This may include communications by mail, telephone, email and messages to a user's mobile phone and through social media (such as Facebook, LinkedIn and Twitter) about the university's programs, services, and events, including for a reasonable time after the user may have ceased a subscription, application, or enrollment.
Sharing Information
Where users consent, the university may share user information within the university for use in accordance with this policy and with any entity who is a university partner for use in accordance with this policy. The university may share information that does not personally identify users without restriction.
The university will not sell users' personal information to third parties for use in direct marketing, advertising, or promotion of their products or services.
Sharing With Third Parties
The university may pass user information to third parties that provide services to the university, such as delivery services or market research agencies. The university may also use third parties to collect user information on our behalf, and the use of user information will be subject to this policy. The university will only disclose user information to third-party companies for their purposes, including marketing, when the university has the user's permission to do so.
The university may reveal personally identifiable information about a user to unaffiliated third parties:
- if requested or authorized by a user;
- if the information is provided to comply with the law, applicable regulations, governmental and quasi-governmental requests, court orders or subpoenas, or to protect the university's rights, property or safety or the rights, property or safety of our users or others (e.g., to a consumer reporting agency for fraud protection, etc.);
- if the information is provided to our agents, outside vendors or service providers to perform functions on our behalf (e.g., analyzing data, providing marketing assistance, providing customer service, processing orders, etc.), or as otherwise described in this policy.
Linked Services
The university's services may be linked to websites operated by third-party companies that may carry advertisements or offer content, functionality, games, newsletters, contests, sweepstakes, or applications developed and maintained by unaffiliated companies. The university is not responsible for the privacy practices of unaffiliated companies. Once a user leaves the university's services, the user should check the applicable privacy policy of the unaffiliated company.
Disclosures Required by Law
Users' personal information will be disclosed where the university is obliged by law to do so. The university may also disclose a user's personal information where the university is allowed by law to protect or enforce its rights or the rights of others and for the detection and prevention of crimes, such as fraud.
Acceptable Use of Services
Users are expected to abide by the university's Acceptable Use Policy. If users post or send offensive or objectionable content anywhere on or to any of the university's websites or apps or otherwise engage in any disruptive behavior on any university websites or apps, the university may use available user information to stop such behavior. The university may inform relevant third parties such as law enforcement agencies about the offensive or objectionable content and behavior.
Payment and Credit Checks
User information is required to take payment for products and services and this information may be used to verify credit details related to this payment. Permission to do so is implicit in providing financial details to process payment. Direct debit information may be retained by processing partners for ease of automation of payments.
Data Transfers
When a user completes web forms or uses the university's services, the university may transfer that user's information to Data Processors outside the United States but will do so with appropriate measures and controls in place to protect that information in accordance with applicable data protection legislation.
Mobile Applications
By downloading university apps, the university will require access to the following services on a user's device: a unique identifier (UDID), and a MAC address or other applicable device identifier and location. Other services may also be required in order for the apps to function. University apps may also provide push notifications to a user's device. Users may control these by adjusting device settings, such as turning off push notification and location services.
Cookies
Cookies and other online tracking technologies are small bits of data or code that are used to identify a user's devices when the user interacts with the university's websites and other services. They are often used to remember user preferences, to identify popular content, and remember that the user logged in. For example, to permit a user's connection to the university's websites, the university's servers receive and record information about the user's computer, device, and browser, including potentially the user's IP address, browser type, other software or hardware information, and the user's geographic location.
Please see the Procedures section for information about managing and controlling the various types of cookies.
Use of Cookies
The university may use cookies to collect, use and store information about an individual's use of university services, websites and apps, such as pages visited, content viewed, search queries run, and content seen or interacted with.
The university may also use cookies to provide relevant content to users. The content on university websites and in university communications with users may be adjusted depending on what is known about the content, programs and services that a user likes. The university can highlight content and articles believed to be of interest to a user and provide personalization by using cookies, IP addresses, web beacons, URL tracking and mobile app settings.
The university may use any of the following types of cookies:
- Essential Cookies and Similar Technologies: These cookies are vital for the running of university services on websites and apps. Without the use of these cookies, parts of the university's websites would not function. Example: single sign-on (SSO) services.
- Analytics Cookies and Similar Technologies: These cookies collect information about use of websites and apps, and enable the university to improve the way they work. For example, analytics cookies show the most frequently visited pages on university websites allowing content to be optimized. These cookies help identify any difficulties a user has in accessing services so the university can fix these problems. These cookies also allow the university to see overall patterns of usage at an aggregated level.
- Functional/Preference Cookies and Similar Technologies: These cookies collect information about user choices and preferences and allow the university to remember things like language, username, text size, and location, so the websites can show content relative to a user's location. These cookies allow the university to customize the services that users have accessed and provide users with third party services embedded in university content (e.g. YouTube, Twitter, etc.).
- Tracking/Advertising Cookies and Similar Technologies: The university uses these types of technologies to provide content that is more relevant to your interests. This can be done by delivering online adverts based on your previous web browsing activity, known as "online behavioral advertising" (OBA). Cookies are placed on your browser which will remember the websites you have visited. Advertising based on what you have been looking at is then displayed to you when you visit websites that use the same advertising networks. To help us deliver relevant advertising using cookies, as an example the university participates in the DoubleClick network.
- Web Beacons: These are bits of data that count the number of users that access a website or webpage and allow the university to see if a cookie has been activated. Web beacons used on web pages or in emails allow the university to see how successful an article has been or that an email message was successfully delivered and read in a marketing campaign. Web beacons are also used to verify any clicks through to links or advertisements contained in emails. The university may use this information to identify which emails are more interesting to users.
- Flash Cookies: The university may, in certain situations, use Adobe Flash Player to deliver special content, such as video clips or animation. To improve the user experience, Local Shared Objects (commonly known as Flash cookies) are used to provide functions such as remembering user settings and preferences. Flash cookies are stored on a user's device, but they are managed through an interface different from the one provided by the user's web browser.
- Tracking URLs: These are special web links that allow the university to measure when a link is clicked on. They are used to help the university measure the effectiveness of campaigns and advertising and the popularity of articles that are read.
Third-Party Cookies
Third parties that support the university's services by serving advertisements, tracking aggregate service usage, or providing other services such as allowing users to share content may also use cookies and other technologies to collect information relevant to the provision of those services. The university does not control third-party cookies or other technologies. Their use is governed by the privacy policies of third parties using such technologies. Users should make sure they know how third parties will use cookies by checking the third party's cookie policy.
User Data Breach
One of the most important accountability obligations concerns personal data breaches - that is, when personal data held by the university is lost, stolen, inadvertently disclosed to an external party, or accidentally published. If a personal data breach occurs, this should be reported immediately to your supervisor, who should then inform:
- Vice President Institutional Effectiveness & Planning and Chief Data Officer
- Director of University Risk & Compliance
If the breach is IT-related in any way, the Office of Information Technology will be notified, and remedial work can then be done to contain the breach. Occasionally, the university will need to report breaches to relevant external authorities.
Procedures
Right to Transparency
Users have the right to receive certain information about the university's data processing including, but not limited to, the nature of the university's data processing, whether the data subject's data is being processed by the university, and the existence of any data breaches that create a high risk to the data subject's rights and freedoms.
Users can request the information described above by submitting an electronic request to GDPR@s2sfoundation.org with the Subject "Data Processing Transparency".
Right to Access
Users have the right to confirm whether the university processes their data. If a university processes that user's data, the university must provide the user access to the data along with other detailed information about its use of the data.
Users can request access to their data by making a Subject Access Request. To make a Subject Access Request to the university, the request must be:
- Made in writing (this may be in electronic form)
- By mail: Subject Access Request C/M 814, 3001 South Congress Avenue, Austin, TX 78704 USA
- By e-mail: GDPR@s2sfoundation.org, Subject: "Subject Access Request"
Users may apply to access their data in writing. A Subject Access Request Form template is made available for convenience. On receipt of a completed request, verification of identity, and sufficient details to enable the university to locate the information, the university is obliged to respond within 40 calendar days. The information will be supplied subject to any applicable exemptions. The data will be provided as of the date of receipt of the user's request.
Right to Rectification
Users have the right to request that the university rectifies any inaccurate personal data or completes any incomplete data. The requested information updates may require additional information under university policies (e.g. FERPA protected updates such as name). Users can update their personal information by submitting an initial request with supporting documentation to:
- Made in writing (this may be in electronic form)
- By mail: Right to Rectification C/M 814, 3001 South Congress Avenue, Austin, TX 78704 USA
- By e-mail: GDPR@s2sfoundation.org, Subject: "Right to Rectification"
Right to Erasure
Users have the right to request that the university erase their personal data when the data is no longer necessary for the purposes collected, when the user withdraws consent, or when the user objects to data processing. It is important to note that some information cannot be erased under state, local, and federal law (see University Data and Records Policy). If a university has already made the data public, it must take reasonable steps to inform anyone currently processing the data of the erasure request. Users can request data erasure by submitting an initial request with supporting documentation to:
- Made in writing (this may be in electronic form)
- By mail: Right to Erasure C/M 814, 3001 South Congress Avenue, Austin, TX 78704 USA
- By e-mail: GDPR@s2sfoundation.org, Subject: "Right to Erasure"
Right to Data Portability
A data subject has the right to request a copy of all personal data provided to a university when the university's data processing is based on consent or a contract, and the processing is carried out by automated means. Users can request copies of personal data by submitting an initial request with supporting documentation to:
- Made in writing (this may be in electronic form)
- By mail: Data Portability C/M 814, 3001 South Congress Avenue, Austin, TX 78704 USA
- By e-mail: GDPR@s2sfoundation.org, Subject: "Data Portability"
Right to Restriction of Processing
Users have the right to object to the processing of their personal data in certain circumstances. Processing by key university services is required for conditions of enrollment at the university (e.g. the university's Learning Management System). Users can submit objections to the processing of personal data by submitting a formal request made in writing (this may be in electronic form):
- By mail: Data Processing C/M 814, 3001 South Congress Avenue, Austin, TX 78704 USA
- By e-mail: GDPR@s2sfoundation.org, Subject: "Data Processing"
Managing Cookies
Most modern browsers are set to accept cookies by default, but users can change their settings to notify them when a cookie is being set or updated, or to block cookies altogether. Users should consult the "Help" section of their browser.
Controlling Flash Cookies
Controlling Web Beacons
Please note that by blocking any or all cookies, users may not have access to certain features, content, or personalization available on the university's websites, or apps.
Controlling Direct Marketing
Controlling Other Communications
Users can control communications such as emails and other information about their chosen programs by following the unsubscribe instructions within the communication. Users may still receive other communications that are relevant to their chosen services but do not relate to that specific type of communication. Where this is the case, users will be able to unsubscribe from these communications in the same way.
Forms
Related Regulations, Statutes, and Related Policies
- European Union General Data Protection Regulation
- Acceptable Use of Student Data Policy
- University Data & Records Policy
- Technology & Information Policy
Contacts
Contact | Telephone | E-mail |
VP, Institutional Effectiveness and Technology, Chief Information Officer | 512-326-7002 | abetsing@s2sfoundation.org |
Document History
This section must contain the following dates or placeholders for future dates:
- Effective Date: May 14, 2018
- Last Revised Date: April 17, 2018