General Data Protection Regulation (GDPR)
The European Union's General Data Protection Regulation (GDPR) is a privacy law that went into effect on May 25, 2018. The GDPR governs the use of personal data and grants certain legal rights to people residing in the European Union whose personal data is being collected and processed (Data Subject). It also imposes legal responsibilities on entities that control or process personal data, which may impact certain university programs that collect information from individuals located in Europe. For the full text, see the GDPR website
University programs with questions about the GDPR should contact the Office of the General Counsel.
- Is the primary law regulating how the personal data of individuals within the European Union (EU) is protected and affects organizations worldwide, including Idaho State University.
- Mandates a baseline set of standards for organizations that handle certain personal and other data of Data Subjects located in the EU to better safeguard the processing and movement of that data.
- Applies to institutions with no physical EU presence who controls or processes covered information (irrespective of whether the Data Subject is an EU citizen).
In general, the GDPR covers the collection, processing, management, storage, use, and retention of personal data for University functions or activities that: 1) take place in the EU; 2) offer goods or services to individuals located in the EU; or 3) involve the control or processing of data relating to individuals in the EU, such as tracking the individual online.
Although the GDPR is not a US law, it may apply to a number of Idaho State University's activities that involve information about Data Subjects located in Europe regardless of whether they are citizens or permanent residents of an EU country. This includes:
- Notice: ISU must provide Data Subjects notice on what personal data is being processed and the purpose for the processing (Article 12)
- Consent: ISU must get clear consent from Data Subjects for the use of data (Article 7)
- Data Minimization: ISU must only use personal data that is relevant and limit such use to that which is necessary in relation to the purpose the data is being processed (Articles 5 and 25)
- Right to Access: ISU as a controller, must confirm, provide access to, and a copy of data to the Data Subject free of charge (Article 15)
- Right to Rectify: ISU must give Data Subjects the right to have personal data rectified if inaccurate or incomplete (Article 16)
- Right to be Forgotten: ISU must give Data Subjects the right to erase data and request the data not be disseminated in certain circumstances (Article 17)
- Data Portability: ISU must give Data Subjects the right to obtain data in commonly used and machine readable format, and the right to transmit that data to another data controller (Article 20)
- Data Protection Officer: ISU may need to appoint a Data Protection Officer to be accountable for compliance with the GDPR (Articles 37 and 38)
- Privacy by Design: ISU must protect data at all stages and throughout its systems (Article 25)
- Breach Notification: ISU must provide notification to Data Subjects within seventy-two (72) hours if there is a data breach (Articles 33 and 34)
“Personal data” in the context of GDPR means any information relating to an identified or identifiable person. An “identifiable person” is one who can be identified, directly or indirectly, through an identifier such as a name, an identification number, location data, or an online identifier. The GDPR defines personal data very broadly such that the term includes names, addresses, phone numbers, national IDs, IP addresses, profile pictures, personal healthcare data, educational data, and any other data that can be used to identify an individual.
Glossary of Terms
Data Controller – The original recipient of the data subject’s personal data. Has the power and responsibility to direct how the data is to be held and used.
Data Processor – Any entity that processes data on behalf of the data controller. Data controller and data processor may be the same entity.
Data Protection Officer – An employee or contractor of the data controller responsible for monitoring compliance with GDPR, advising on processing activities and data protection practices, and serving as the contact for supervisory authorities and the public regarding data protection.
Data Subject – Those whose personal data is being obtained and/or processed.
EU – 28 countries currently make up the European Union: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
Personal Data – Any data relating to an identified or identifiable person.
Personal Information – Data that is not Personal Sensitive Information created by or provided to a Data Controller or Data Processor including name, email address, ID number, user IDs, account numbers, photos, and electronic identifiers such as IP addresses or other online identifiers and device IDs,.
Personal Sensitive Information – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Processing of personal sensitive data requires explicit informed consent of the data subject.
Processing – Any use of data for any purpose.
What Information is Collected and Shared
The University collects Personal Sensitive Information which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Processing of personal sensitive data requires explicit informed consent of the data subject.
The University also collects Personal Information which includes data that is not Personal Sensitive Information created by or provided number to a Data Controller or Data Processor including name, email address, ID, user IDs, account numbers, photos, and electronic identifiers such as IP addresses or other online identifiers and device IDs.
The University collects and processes Personal Sensitive Information and Personal Information only as necessary in the exercise of the University’s legitimate interests, functions, responsibilities as a public research higher education institution. When information is submitted to the following departments, or you use the University’s secure websites and other services, you consent to the collection, use, and disclosure of that information as described below:
- Academic Affairs: The data is collected and shared with internal and external parties to analyze and improve ISU’s admissions process; for outreach efforts; for processes and functions related to admission as a student; manage an academic account; provide academic advising; develop and deliver education programs; track academic progress; analyze and improve education programs; recruitment; retention; maintenance of accreditation; for regulatory reporting, auditing, and other related University processes and functions.
- Athletics: The data is collected and shared with internal and external parties to recruit student-athletes; for processes and functions related to admissions; for processes and functions related to student-athlete eligibility; manage student-athlete academic accounts; provide academic advising; track academic progress; for regulatory reporting, auditing, and other related University processes and functions.
- Finance and Administration: The data is collected and shared with internal and external parties to administer accounts; perform contracts; administer receipts and payments; analyze and improve cash and credit transaction processes; apply for financial aid and scholarships; for regulatory reporting, auditing, and other related University processes and functions.
- General Use: The data is collected and shared with internal and external parties to conduct general demographic and statistical research to improve University programs; identify appropriate support services or activities; enforce University policies and/or comply with applicable laws; for regulatory reporting, auditing, and other related University processes and functions.
- Graduate School: The data is collected and shared with internal and external parties to analyze and improve ISU’s graduate admissions process; for graduate school outreach efforts; for processes and functions related to admission as a graduate student; manage an academic account; provide academic advising; develop and deliver graduate education programs; track academic progress; analyze and improve graduate education programs; recruitment; retention; maintenance of accreditation; for regulatory reporting, auditing, and other related University processes and functions.
- Human Resources: The data is collected and shared with internal and external parties to consider an applicant for employment; perform background checks; administer an employment contract, including payroll and benefits; provide reasonable accommodations; assess capacity to work; analyze and improve hiring practices; for regulatory reporting, auditing, and other related University processes and functions.
- International Programs: The data is collected and shared with internal and external parties to support admission of foreign students and scholars; employment of individuals from foreign countries; support study abroad, faculty exchange, and student exchange programs; enter into and execute agreements with foreign higher education institutions; identify activities of interest; for regulatory reporting, auditing, and other related University processes and functions.
- Research Subjects: The data is collected and shared with internal and external parties to conduct studies with research subjects in the exercise of scientific, historical research, and/or statistical purposes; for regulatory reporting, auditing, and other related University processes and functions.
- Student Affairs: The data is collected and shared with internal and external parties to provide and administer housing to students; manage a student account; provide reasonable accommodations; provide career counseling and placement; administer conduct processes; improve student experience; personalizing the student experience and interactions; marketing; for regulatory reporting, auditing, and other related University processes and functions.
- University Advancement: The data is collected and shared with internal and external parties to manage relationships with ISU; better serve individual interests by personalizing experiences and interactions; marketing purposes; for regulatory reporting, auditing, and other related University processes and functions.
How Information is Used
The University may use and disclose Personal Sensitive Information and other Personal Information as follows:
- Consent: With consent to do so, unless the GDPR permits such data to be collected and processed without consent.
- Emergency Circumstances: When necessary if, in ISU’s sole judgment, the individual is physically or legally incapable of providing consent and/or such disclosure is necessary to protect the health, safety, or property of any individual;.
- Parents and Guardians: When necessary because of an emergency or to complete the admissions/financial aid process.
- Employment Necessity: When necessary for administering employment or social security benefits in accordance with applicable law, subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- Charitable Organizations: With the ISU Foundation and other organizations in connection with charitable giving, subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- Public Information: If the individual has clearly made it public.
- Archiving: For archiving purposes in the public interest, and for historical research, and statistical purposes.
- Legal Obligation: When the disclosure is required or permitted by international, federal, and state laws and regulations.
- Contractual Obligation: When the disclosure is necessary for the performance of a contract to which the individual is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Service Providers: When a third party has entered into a contract with the University to support the administration of University operations and policies, subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- University Affiliated Programs: With parties that are affiliated with the University for the purpose of contacting individuals about goods, services, charitable giving, or experiences that may be of interest to that individual.
- De-Identified and Aggregate Information: In de-identified or aggregate form without limitation.
ISU has appropriate technical and organizational security measures to protect your information transmitted to us and stored in files and on our information technology systems (see the Information Technology Services policies page). ISU is solely responsible for the privacy practices of our internal departments and websites and not for third parties or their websites. If you suspect a data breach, call the IT Help Desk at 208-282-4357.
Idaho State University (ISU) is committed to protecting your privacy and developing processes and procedures to safeguard your personal data. This Privacy Statement applies to information submitted to ISU, including through the use of ISU’s websites, and governs the way we collect, store, use, and share data.
By providing information to ISU, you consent to the data practices in this Privacy Statement.
COLLECTING PERSONAL DATA
ISU collects “personal data”, which includes Personal Sensitive Information (race, ethnic origin, religious or philosophical beliefs, health data, sexual orientation, and criminal convictions), and Personal Information, which is any other information concerning the data subject that is created by ISU or provided to ISU, including your name, home address, work address, telephone number, and e-mail address, as well as demographic information that is not unique to you.
Information about your computer hardware and software is automatically collected, including IP address, browser, domain names, access times, and referring website addresses. This information assists ISU in the operation and quality of our services, and provides general statistics about use of ISU’s website.
Information that you directly share through ISU’s website, such as public message boards, may be collected and used by others. You may interact with ISU on several social media networks, and information you share is through a third party site.
ISU is not responsible for the privacy statements or other content on websites outside of ISU and its websites, including links to other websites controlled or maintained by third parties. Please be familiar with the privacy statement of each and every website that you visit that collects your information.
USE OF PERSONAL DATA
ISU must collect and use your information to operate the website and deliver services to you, and to inform you of other products or services that are available from ISU and its affiliates. ISU may contact you through surveys to conduct research on current services or potential new services that may be offered in the future.
ISU does not sell, rent, or lease customer lists to third parties. However, ISU may contact you on behalf of a third party business partner about a service or offering that may interest you, but will not transfer your information to that third party business partner.
ISU may share data with trusted third parties to assist with statistical analysis, to send you email or postal mail, to provide customer support, or to arrange for deliveries. ISU may also share data with trusted third parties who have entered into a contract with ISU to support its operations. These trusted third parties are prohibited from using your information for any other purpose, and are required to maintain your confidentiality.
ISU keeps track of the websites and web pages that you visit within ISU. This data is used to deliver customized content and advertising within ISU to those whose behavior indicates that they are interested in a particular subject area.
ISU will disclose your information, without notice, if required by law or with the good faith belief that such action is necessary to comply with legal process served on ISU, to protect and defend the rights and/or property of ISU, and to protect the personal safety of users of ISU or the public. ISU will not use or disclose Personal Sensitive Information without your explicit consent.
COOKIES AND IDENTIFIERS
A “cookie” is a small data file that is written to your hard drive that contains information about your visit to a website. Information is not stored in cookies. ISU has “first-party cookies” that are set through ISU websites, including Google Analytics. There are also “third-party cookies” set by third parties through ISU websites.
An “anonymous identifier” is a random string of characters used for the same purpose as a cookie, but on platforms where cookie technology is not available, such as mobile devices.
If you prefer not to receive cookies, configure your browser not to accept them at all, or to notify and require your approval before setting new cookies. This may cause some websites or web pages to malfunction, and/or you may have to provide the same information each time you visit those websites or web pages.
THIRD PARTY SERVICES
ISU and third party vendors, including Google, use first-party cookies and third-party cookies together to inform, optimize ads, and serve ads based on a person’s past visits to ISU websites, and to display content-specific advertisements to visitors that have previously visited ISU websites when they go to other websites. They are also used to report visitor ad impressions other uses of the ad services, and how interactions with those ad impressions and ad services are related to visits to ISU websites.
ISU uses data from Google’s interest-based advertising or third-party audience data such as age, gender, and interests, with Google Analytics to report, optimize, and deliver interest-based advertisements.
SECURITY OF YOUR PERSONAL DATA
ISU uses its best efforts to secure your information from unauthorized access, use, or disclosure, ISU secures the information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use, or disclosure. When information, such as a credit card number, is transmitted to other websites, it is protected through encryption, such as the Secure Socket Layer (SSL) protocol.
Student records are protected by the Family Educational Rights and Privacy Act (FERPA), which is a federal regulation that assigns rights to students and responsibilities to educational institutions with regard to student educational records, including release of information from those records. For more information, see the Registrar’s Office website.
CHANGES TO THIS PRIVACY STATEMENT
ISU may periodically change this Privacy Statement as necessary, and encourages you to review this Privacy Statement to keep updated on how ISU is protecting your information.
If you have comments about this Privacy Statement or believe that ISU has not adhered to this Privacy Statement, please contact firstname.lastname@example.org.
The GDPR gives individuals located in the European Economic Area the right to request:
- A copy of your personal data that was processed by ISU with your consent, or was provided to ISU to fulfill a contract with you. ISU reserves the right to refuse a copy of financial information of a parent or guardian, letters of recommendation if you waived your right of access to such letters, data that was collected and maintained before May 25, 2018, and data that is excluded under the GDPR.
- Rectification of your data if it is inaccurate, misleading, or incomplete. If ISU decides not to comply with the request, the Data Subject will be advised of the right to challenge the decision through a hearing before an ISU hearing officer who is a disinterested party. Both the Data Subject and ISU may present relevant evidence. The hearing officer will render a written decision based upon the information presented at the hearing. If the hearing officer does not believe the data is inaccurate, misleading, or incomplete, the Data Subject has the right to present a written statement to be included with the Data Subject’s file.
- Restriction in the use of data if the data was processed unlawfully but the Data Subject does not want it erased, the Data Subject shows that ISU does not have a legitimate interest in the data, or the data is no longer needed by ISU, but the Data Subject needs it for a legal claim.
- Erasure of your information in accordance with all applicable laws. ISU will comply if the data is no longer necessary for the purpose in which it was collected, consent to use the data has been withdrawn and there is no legal basis to permit the use of the data (this does not affect the lawfulness of ISU’s use of the information prior to receipt of your request), the student’s interest in erasure outweighs ISU’s interest, the student objects to use of data for profiling related to marketing, or the data was processed unlawfully. The erasure of your information shall be subject to the retention periods in accordance with the State of Idaho Records Retention Schedule and applicable federal laws.
You may exercise any of these rights by emailing email@example.com with the request. Once a request has been made, ISU will respond within thirty (30) days of receipt of the request. ISU reserves the right to extend the period of time to respond by giving written notice to the Data Subject of the reason for the delay and the new response date. If ISU fails to respond within the first thirty (30) days, the Data Subject may file a complaint with the appropriate EU authority.
Educational records are governed by the Family Education Rights and Privacy Act (FERPA). ISU will disclose such FERPA records with the Data Subject’s consent; however there are situations where records may be disclosed without consent to:
- School faculty and staff who have a need to know to fulfill their official responsibilities
- Other schools to which the Data Subject is transferring
- Accrediting organizations
- Organizations doing certain studies for or on behalf of the University
- Appropriate parties in connection with financial aid to a student
- Parents, when a student over eighteen (18) is still a dependent
- Certain government officials in connection with local, state, or federally-supported education programs
- Individuals who have a court order or subpoena
- Faculty and school officials who have a need to know concerning disciplinary action taken against a student
- Persons who need to know in cases of emergencies when necessary to protect the health and safety of the Data Subject and/or others
- State and local authorities to whom disclosure is required by state law
- Directory information