Policy Number: AUS-09P-01002
Sponsor: Office of the Executive Vice President
Effective Date: September 3, 2021
I. POLICY RATIONALE
The American University of Science ("AUS", "University", "university") is an institute of higher education involved in education, research, and community development. For AUS to educate its foreign and domestic students, engage in research, and provide community services, it is essential and necessary, and AUS has a lawful basis, to collect, process, use, and/or maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. These activities include, without limitation, admission, registration, delivery of classroom, field, and study abroad education, grades, communications, employment, research, development, program analysis for improvements, and records retention.
AUS takes seriously its duty to protect the personal data it collects or processes. In addition to AUS’s overall data protection program, the European Union (EU) General Data Protection Regulation (“EU GDPR”) imposes obligations on entities, like AUS, that collect or process personal data about people in the European Union (“EU”). The EU GDPR applies to personal data AUS collects or processes about anyone in the EU, regardless of whether they are a citizen or permanent resident of an EU country.
Among other things, the EU GDPR requires AUS to:
1. be transparent about the personal data it collects or processes and the uses it makes of any personal data
2. keep track of all uses and disclosures it makes of personal data
3. appropriately secure personal data
This policy describes AUS’s data protection strategy to comply with the EU GDPR.
II. POLICY APPLICABILITY
Any entity that handles the personal data of individuals while engaging in business transactions within the EU will be impacted. If there is a variance between departmental expectations and the common approach described through policy, AUS will look to the campus community, including volunteers, to support the spirit and the objectives of the policy. Failure to adhere to this policy could result in discipline under the applicable rules, policy, or contract, up to and including termination of employment.
III. POLICY PURPOSE
The policy ensures compliance with the EU GDPR. This regulation requires that institutions that collect personal data from natural persons who are in EU member states meet specific standards, including disclosure of what information is being collected, why the information is being collected, how the information will be stored, what the information will be used/processed for and who will have access to it. The regulation also gives robust rights to the person regarding their data.
IV. POLICY STATEMENT
A. Definitions
Key definitions are found in Chapter 1, Article 4 of the EU GDPR. Those definitions include:
1. Personal data: any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified—directly or indirectly—in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Processing: any operation or set of operations which is performed on personal data or on sets of personal data—whether or not by automated means—such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
4. Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
5. Data subject: a natural person (not a corporate or other organizational entity).
6. European Union (EU): those countries that have ratified membership in the Union.
7. Supervisory authority: an independent public authority which is established by an EU state pursuant to the GDPR.
8. Legal basis: necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
B. Policy Principles
1. Collection of personal data
1.1. All University activities that collect personal data from natural persons in the EU related to admission or employment shall communicate to the person the reason and purpose for collecting the information by using University-approved forms and directing such persons to the University’s GDPR Compliance website. This provision shall apply to any person (student, faculty or staff) who is physically present in the EU and from whom the University is collecting personal data, regardless of the reason for the person’s presence in the EU.
1.2. All University activities that collect personal data from natural persons in the EU not related to admission or employment—or otherwise collected on a lawful basis—shall obtain written consent from the person with regard to the collection of the information using University-approved forms available from the Office of the General Counsel.
1.3. Any personal data collected from a natural person in the EU shall be stored, secured and accessed consistent with the Office of Information Technology’s data security policies.
2. Personal data breaches
Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed shall be reported to the Supervisory Authority of the EU member state within 72 hours of notice of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
3. Data subject rights and retention of academic data
3.1. The individual rights of persons in the EU with regard to their personal data include the rights of access, rectification, removal, restriction, portability, to object and to not be subject to automated individual decision making, and those rights shall be respected consistent with the procedures implementing this policy.
3.2. With regard to academic data—including course work attempted and/or completed, as well as grades associated with those courses—the University must preserve that data for legal and accrediting requirements. With respect to other data, the individual’s right to erasure and to be forgotten will be respected consistent with the regulation and United States law.
4. Implementation
4.1. All University operations that collect data should perform an analysis to determine whether and to what extent the unit collects personal data that could originate from natural persons in EU member states. Units that collect such information must document the processing and storage of the data.
4.2. All University contracts within those offices should be reviewed for compliance with this policy and, if non-compliant, a strategy to achieve compliance must be implemented.
4.3. All personnel who deal with GDPR-covered data must go through appropriate training.
5. Communication
All academic and administrative offices will be made aware of this policy through appropriate University mechanisms.
6. Exceptions
No exceptions exist for this policy.
C. FAQ
1. When does this policy apply?
Whenever personal data is being collected from a person who is physically present in an EU member state.
2. How does this policy differ from other data security policies, such as HIPAA, FERPA or GLBA?
The GDPR provides rights to individuals different from data protection laws in the United States and, in most circumstances, provides individuals with greater rights and controls over their own data.
3. Who should I contact with questions?
Contact the Office of Information Technology or the Office of the General Counsel with questions.
4. Does this policy apply to EU students and faculty when they’re located in the US?
No. This policy only applies to natural persons physically in an EU member state.
5. Does this policy apply to US students, faculty and staff when they are in the EU?
Yes. Any natural person in the EU has the rights afforded by the GDPR while in an EU member state.
D. REFERENCES
Information regarding the GDPR