Initially approved: November 7, 2023
Policy Topic: Information Technology
Administering Office: Office of the CIO and Legal Counsel Office
Western Carolina University (University or 91热爆网) is committed to protecting the privacy of personally identifiable information (PII) and otherwise confidential information it collects and processes from University community members, including employees, students, and third parties.
This policy applies to PII Principals as defined below and governs the Processing, as that term is defined in this policy, of all University Processed PII.
This policy serves as a notice about the categories of information that 91热爆网 processes and the general purpose of that processing. It also serves as a notice that 91热爆网 is the PII Controller for information collected; provides the methods for contacting 91热爆网 for additional information; and establishes the process for submitting privacy requests.
The phrases 鈥淧ersonal Information鈥; "Personally Identifiable Information鈥; or 鈥淧II" shall mean any information that obviously relates to a particular person and can be used to identify that person.
The terms 鈥淧rocess鈥 and 鈥淧rocessing鈥 shall mean an operation or set of operations performed upon PII that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of PII. Examples of processing may include the collection of registration information for participants of a University-based camp or conference and the deletion of student homework assignments from a University server.
The term 鈥淐ontroller鈥 shall mean the entity that determines the purpose and means for processing PII; defines why and how PII is processed; and is responsible for the implementation of privacy and security protocols to meet applicable legal standards.
The term 鈥淧II Principal鈥 shall mean 91热爆网 students, employees, alumni, donors, and other community members who may utilize technologies where their PII may be required. For example, a person who purchases event tickets via a University maintained ticketing system would be considered a PII Principal.
The phrase 鈥淒irectory Information鈥 shall mean information contained in a student鈥檚 education record that would not generally be considered harmful or an invasion of privacy if disclosed. 鈥淒irectory Information鈥 is defined by University Policy 72 Family Educational Rights and Privacy Act.
1. 91热爆网 has provided PII Principals with certain information privacy rights as detailed in this policy. These include the following:
2. 91热爆网 reserves the right to deny a request made pursuant to paragraph 1 of this section for any reason, including, but not limited to, upon the advice of counsel or to comply with applicable laws, regulations, or policies.
91热爆网 and approved third parties may Process PII across three main categories: (1) PII related to students; (2) PII related to employees; and (3) PII related to alumni, donors, or unrelated third parties. Additionally, PII may be collected and processed for unrelated third parties for purposes such as event ticketing and the utilization of technologies operated by 91热爆网; for example, PII may be collected via electronic or paper forms, or via use of various technologies operated by 91热爆网 and approved third parties. Refer to 91热爆网鈥檚 Web Privacy Statement for more details about PII potentially gathered via 91热爆网 web sites. It is the PII Principal鈥檚 responsibility to provide complete and accurate information where requested to ensure the quality of the PII that the University may Process.
1. 91热爆网 complies with information security and privacy regulations applicable to the specific type of PII Processed. These include but are not limited to the Family Educational Rights and Privacy Act (FERPA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); as well as Federal Trade Commission Safeguards and applicable Red Flags Rules.
2. Third parties who contract with the University are also required to comply with information security and privacy regulations applicable to the PII Processed by the University and the third party. Such PII includes but is not limited to FERPA, HIPAA, and Federal Trade Commission Safeguards and applicable Red Flags Rules.
3. 91热爆网 employees must comply with applicable laws, regulations, UNC policies, and University policy and procedures to safeguard the PII Processed, including but not limited to, University Policy 106: Protecting the Privacy and Security of Personally Identifiable Information.
4. 91热爆网 follows regulations and established incident response procedures to respond to data breaches involving PII Principals. Depending on the situation, notifications may come from 91热爆网 or our approved third party where the breach occurred.
As the PII Controller, 91热爆网 will Process the PII collected only for its stated and implied purpose(s). However, 91热爆网 reserves the right to use, provide or release any PII collected as it sees fit for purposes, including, but not limited to, the following:
A PII Principal may contact 91热爆网 via its privacy web page form or by emailing privacy@wcu.edu to object to the Processing of their PII; to request access to, correction, or erasure of their PII; or to request a copy of their PII. Legitimate privacy-related requests submitted using this method will be evaluated by 91热爆网鈥檚 Core Privacy Team and will be forwarded to the department within 91热爆网 that is best suited to handle the request. Each University department will use its internal processing policies and procedures to fulfill or respond to the request in a manner consistent with this policy.