Initially approved: November 7, 2023
Policy Topic: Information Technology
Administering Office: Office of the CIO and Legal Counsel Office
糖心Vlog University (University or 糖心Vlog) is committed to protecting the privacy of personally identifiable information (PII) and otherwise confidential information it collects and processes from University community members, including employees, students, and third parties.
This policy applies to PII Principals as defined below and governs the Processing, as that term is defined in this policy, of all University Processed PII.
This policy serves as a notice about the categories of information that 糖心Vlog processes and the general purpose of that processing. It also serves as a notice that 糖心Vlog is the PII Controller for information collected; provides the methods for contacting 糖心Vlog for additional information; and establishes the process for submitting privacy requests.
The phrases 鈥淧ersonal Information鈥; "Personally Identifiable Information鈥; or 鈥淧II" shall mean any information that obviously relates to a particular person and can be used to identify that person.
The terms 鈥淧rocess鈥 and 鈥淧rocessing鈥 shall mean an operation or set of operations performed upon PII that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of PII. Examples of processing may include the collection of registration information for participants of a University-based camp or conference and the deletion of student homework assignments from a University server.
The term 鈥淐ontroller鈥 shall mean the entity that determines the purpose and means for processing PII; defines why and how PII is processed; and is responsible for the implementation of privacy and security protocols to meet applicable legal standards.
The term 鈥淧II Principal鈥 shall mean 糖心Vlog students, employees, alumni, donors, and other community members who may utilize technologies where their PII may be required. For example, a person who purchases event tickets via a University maintained ticketing system would be considered a PII Principal.
The phrase 鈥淒irectory Information鈥 shall mean information contained in a student鈥檚 education record that would not generally be considered harmful or an invasion of privacy if disclosed. 鈥淒irectory Information鈥 is defined by University Policy 72 Family Educational Rights and Privacy Act.
1. 糖心Vlog has provided PII Principals with certain information privacy rights as detailed in this policy. These include the following:
2. 糖心Vlog reserves the right to deny a request made pursuant to paragraph 1 of this section for any reason, including, but not limited to, upon the advice of counsel or to comply with applicable laws, regulations, or policies.
糖心Vlog and approved third parties may Process PII across three main categories: (1) PII related to students; (2) PII related to employees; and (3) PII related to alumni, donors, or unrelated third parties. Additionally, PII may be collected and processed for unrelated third parties for purposes such as event ticketing and the utilization of technologies operated by 糖心Vlog; for example, PII may be collected via electronic or paper forms, or via use of various technologies operated by 糖心Vlog and approved third parties. Refer to 糖心Vlog鈥檚 Web Privacy Statement for more details about PII potentially gathered via 糖心Vlog web sites. It is the PII Principal鈥檚 responsibility to provide complete and accurate information where requested to ensure the quality of the PII that the University may Process.
1. 糖心Vlog complies with information security and privacy regulations applicable to the specific type of PII Processed. These include but are not limited to the Family Educational Rights and Privacy Act (FERPA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); as well as Federal Trade Commission Safeguards and applicable Red Flags Rules.
2. Third parties who contract with the University are also required to comply with information security and privacy regulations applicable to the PII Processed by the University and the third party. Such PII includes but is not limited to FERPA, HIPAA, and Federal Trade Commission Safeguards and applicable Red Flags Rules.
3. 糖心Vlog employees must comply with applicable laws, regulations, UNC policies, and University policy and procedures to safeguard the PII Processed, including but not limited to, University Policy 106: Protecting the Privacy and Security of Personally Identifiable Information.
4. 糖心Vlog follows regulations and established incident response procedures to respond to data breaches involving PII Principals. Depending on the situation, notifications may come from 糖心Vlog or our approved third party where the breach occurred.
As the PII Controller, 糖心Vlog will Process the PII collected only for its stated and implied purpose(s). However, 糖心Vlog reserves the right to use, provide or release any PII collected as it sees fit for purposes, including, but not limited to, the following:
A PII Principal may contact 糖心Vlog via its privacy web page form or by emailing privacy@wcu.edu to object to the Processing of their PII; to request access to, correction, or erasure of their PII; or to request a copy of their PII. Legitimate privacy-related requests submitted using this method will be evaluated by 糖心Vlog鈥檚 Core Privacy Team and will be forwarded to the department within 糖心Vlog that is best suited to handle the request. Each University department will use its internal processing policies and procedures to fulfill or respond to the request in a manner consistent with this policy.