2018 GDPR PRIVACY NOTICE FOR STUDENTS
THIS NOTICE DESCRIBES HOW YOUR PERSONAL DATA MAY BE PROCESSED BY SAINT LAWRENCE UNIVERSITY (“SLU,” “WE,” “OUR,” AND “US”) AND WHAT YOUR RIGHTS ARE WITH RESPECT TO YOUR PERSONAL DATA. PLEASE REVIEW IT CAREFULLY.
This Notice is being provided to you in accordance with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679, or the “GDPR”).
What is “Personal Data” and “Processing”?
Under the GDPR, “Personal Data” means any information relating to an identified or identifiable Data Subject; specifically including, but not limited to, name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. A Data Subject is a natural person who can be identified, directly or indirectly, by reference to Personal Data. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “processed” have a corresponding meaning.
The GDPR prohibits the processing of “special categories” of Personal Data” unless certain exceptions apply, because this type of data could create more significant risks to a Data Subject’s fundamental rights and freedoms. For example, an unauthorized disclosure of “special categories” of Personal Data may put Data Subjects at risk of unlawful discrimination. For this purpose, processing of “special categories” of Personal Data includes processing of: (i) Personal Data that reveals; (A) racial or ethnic origin, (B) political opinions, (C) religious or philosophical beliefs, or (D) trade union membership; or (ii) (A) genetic data, (B) biometric data for the purpose of uniquely identifying a natural person, (C) data concerning health, or (D) data concerning a natural personal’s sex life or sexual orientation.
How and When Do We Collect Your Personal Data?
We may lawfully collect your Personal Data in a number of ways for legitimate purposes. For example, we may collect your Personal Data: (i) from the information you provide to us when you interact with us before applying (e.g., when you express your interest in studying at SLU); (ii) when you apply to study at SLU and complete enrollment forms or other admissions documentation; (iii) when you communicate with us by telephone, email or via our website (e.g., in order to make inquiries or raise concerns); (iv) when you interact with us during your time as a student at SLU, for one or more of the purposes set out below; and (v) from third parties (e.g., from recruitment organizations, government agencies in connection with financial aid, and student visas, or from your previous or current school, university, or employer(s), who may provide records or a reference about you, or who may sponsor or pay for your studies).
The Types of Personal Data We Collect
We may collect and keep the following types of Personal Data about you: (i) your name, and contact information (i.e., local and permanent address, email address and telephone number); (ii) your date of birth, gender and gender identity, social security number or taxpayer identification number; (iii) insurance information; (iv) your passport or national identity card details; (iv) your country of domicile and your nationality; (v) your unique student identification number; and (vi) information relating to your education and employment history, including the school(s) and other colleges or universities you have attended, places where you have worked, the courses you have completed, dates of study and examination results.
We also may collect and keep: (i) records relating to your work product, details of examinations taken, your examination grades, and other information in your student record (including disciplinary records); (ii) information about both academic and extracurricular interests and activities; (iii) information about [felony] criminal convictions and offenses if you apply for participation in certain activities at SLU; (vi) information concerning your health and medical conditions (i.e., disability and dietary needs); (vii) information about your racial or ethnic origin; religion or similar beliefs; and sexual orientation; and (viii) information about your personal or family circumstances.
How We Use Your Personal Data
The lawful and legitimate purposes for which we may use Personal Data (including “special categories” of Personal Data) that we collect during your association with us include: (i) recruitment and admissions; (ii) academic matters, including the provision of our core teaching, learning and research services (i.e., registration, grading, attendance, managing progress, academic misconduct investigations, certification(s), and graduation); (iii) maintaining student records; (iv) assessing your eligibility for scholarships, student housing, financial aid, etc.; (v) providing library and IT services; (vi) for non-academic reasons in support of our core services, including: (A) providing student support services; (B) monitoring equal opportunities; (C) safeguarding and promoting the welfare of students; (D) ensuring students' safety and security; (E) managing student housing; (F) managing the use of social media; (G) managing parking on campus; (H) financial matters (i.e., administering fees, financial aid, tuition payments, and scholarships); and (I) other administrative purposes, including: (1) carrying out research and statistical analysis; (2) carrying out audits (i.e., to ensure compliance with our regulatory and legal obligations); (3) providing operational information (i.e., providing IT support, information about building closures or access restrictions on campus, or safety advice); (4) promoting our services (i.e., providing information about summer schools, student exchanges, or other events happening on and off campus); (5) preventing and detecting crime; (6) dealing with grievances and disciplinary actions; (7) dealing with complaints and inquiries; and (8) matriculation, graduation, degree, and transcript information. Personal Data may be published or disclosed in some cases (for example, in connection with graduation, as directory information, etc.). This Personal Data also may be passed to third parties involved in our graduation ceremonies. You may request to be excluded from the publication when you register online to attend the applicable graduation ceremony or if you graduate in absentia.
Why We Process Your Personal Data
As set out above, we process your Personal Data because it is necessary for the performance of a contract with you (i.e., our agreement with you to provide you with an education), or in order to take steps at your request prior to and in furtherance of entering into that “education contract.” In this respect, we use your Personal Data as follows: (i) to interact with you before you are enrolled as a student, as part of the admissions process (i.e., to send you a prospectus or answer inquiries about our courses); (ii) to provide you with services once you have enrolled; (iii) to deal with any concerns or feedback you may have; and (iv) for any other purpose for which you provide us with your Personal Data. We also may process your Personal Data because it is necessary for the performance of our business as a provider of higher education, or because it is necessary for our, or a third party's legitimate interests. In this respect, we may use your Personal Data for the following: (i) to provide you with educational services that are a part of our academic and educational mission; (ii) to monitor and evaluate our performance and effectiveness, including by training our faculty and staff, or monitoring their performance; (iii) to maintain and improve our academic, financial, and human resource management; (iv) to promote equality and diversity throughout SLU; (v) to seek advice on our rights and obligations, such as where we require legal advice; (vi) recovering money you owe to us; and (vii) for alumni relations and fundraising purposes. We also may process your Personal Data for our compliance with our legal obligations. In this respect, we may use your Personal Data for the following: (i) to meet our compliance and regulatory obligations, such as compliance with anti-money laundering laws, Title IX and other non-discrimination laws, FERPA, and certain other legal requirements; (ii) to assist with investigations (including criminal investigations) carried out by the police and other legal authorities; and (iii) to maintain or acquire accreditation status with regulatory bodies. Finally, we also may process your Personal Data where: (i) it is necessary for medical purposes (i.e., medical diagnosis, provision of health or social care or treatment, or a contract with a health professional); (ii) it is necessary to protect your (or another person’s) vital interests; or (iii) we have your explicit consent to do so.
How We Share Your Personal Data
For the purposes referred to in this Notice and relying on the legal bases for processing as set out above, we may share your Personal Data with certain third parties in accordance with applicable law (including FERPA). We may disclose limited Personal Data to a variety of recipients including: (i) the US Department of Education, the Federal Student Aid office, and relevant state agencies and/or offices; and (ii) our Board of Trustees, faculty members, employees, agents, contractors, consultants, volunteers, students serving on official committees at SLU or assisting school officials, where there is a legitimate reason for their access to or receipt of the information, including disclosures to: (A) third parties who work with us to provide student services; (B) third parties who work with us to provide student support services (i.e., health services and counseling); (C) third parties who are contracted to provide IT services for us; (D) organizations operating anti-plagiarism software on our behalf; (E) internal and external auditors, attorneys, and other professional service providers; (F) certain third parties interested in tracking student progress and attendance, including: (1) current or potential education providers; (2) current or potential employers (i.e., to provide references and, where students are sponsored by their employer and/or where you take part in a placement program, to provide details of progress/attendance); (3) professional and regulatory bodies in relation to the confirmation of qualifications, professional registration, conduct, and the accreditation of courses; (4) government departments and agencies where we have a statutory obligation to provide information; (5) police or law enforcement agencies; (6) parents, guardians, and next-of-kin (where there is a legitimate reason for disclosure); (7) third parties conducting surveys; and (8) third parties engaged in fundraising and alumni relations efforts on our behalf.
Retention of Your Personal Data
Your Personal Data will be stored in accordance with our records retention policy, which is governed in part by New York law, and available at [HYPERLINK].
Your Rights with Respect to Your Personal Data
Under the GDPR, you have a number of rights with respect to your Personal Data. You have the right, in certain circumstances, to request: (i) access to your Personal Data, (ii) rectification of mistakes or errors and/or erasure of your Personal Data, (iii) that we restrict processing, and (iv) that we provide your Personal Data to you in a portable format.
In certain circumstances, you also may have the right to object to our processing of your Personal Data.
If SLU requested, and you provided your explicit consent for the processing of your Personal Data (or where a parent or legal guardian provided consent on your behalf because you are under 16 and we are processing your Personal Data for “information society services” (as defined in the GDPR [generally, online services that you pay for]), you (or your parent or legal guardian, as applicable) have the right (in certain circumstances) to withdraw that consent at any time. However, withdrawal of consent will not affect the lawfulness of the processing before your consent was withdrawn.
If you would like more information about, or if you would like to exercise any of these individual rights, please contact our Data Protection Officer (contact information is below).
If you have questions, concerns or complaints about how we are using your Personal Data, we may be able to resolve your complaints, and we request that you contact the Data Protection Officer (contact information is below). You also have the right to lodge a complaint with the applicable Supervisory Authority (available here) if you believe that we have not complied with the requirements of the GDPR with regard to your Personal Data, or if you are not happy with the response you receive from us regarding your complaint.
Relevant SLU Contacts
SLU may be a “controller” and also may be a “processor” (as those terms are used in the GDPR) of your Personal Data for the purposes of the GDPR. If you have any questions or concerns as to how your Personal Data is collected and/or processed you can contact: Vice President for Community and Employee Relations Lisa Cania, firstname.lastname@example.org