Effective: May 23, 2018
As a current or prospective student, former student, graduate, applicant for employment, employee, donor, research participant, or parent or guardian, you provide, or have provided, The College of Wooster with personal information. We are committed to respecting and protecting your information; to let you know how we collect, use, and disclose the information you provide; and to advise you of your rights under the GDPR.
We have prepared this Statement to specifically address the requirements of the European Union General Data Protection Regulation (the GDPR). Because the College is a U.S. not-for-profit corporation, what we do to protect your personal information is also governed by various U.S. regulations, including but not limited to the Higher Education Opportunity Act of 2008 (and its reauthorizations), the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and PCI DSS guidelines as established by major credit/debit card companies.
Wooster’s Basis for Collecting Your Information (our GDPR “lawful base”)
The College of Wooster is a not-for-profit, private, residential higher education institution that fulfills its educational purpose through the activities of education, research, student development, and community service and advancement/development. To fulfill and support our educational purpose, it is essential and necessary to collect, process, use, and maintain data about our students and parents/guardians if applicable, employees, applicants, research subjects, and others involved in our educational, research, and community programs (this is our “lawful base” for collecting and processing information).
Our bases for collecting and processing your Personal Information (PI) and Sensitive Personal Information (SPI) most often will fall under the following categories identified in the GDPR:
- You have given us consent to process your information for one or more specific purposes.
- It is necessary for performance of a contract (to fulfill our responsibility to provide educational and related services to current and former students and graduates, or to fulfill research grants and contracts).
- It is necessary for compliance with our legal obligations, such as meeting regulatory requirements, assisting with investigations carried out by responsible authorities.
- It is necessary to protect your “vital interests,” for example, for emergency medical purposes, or to protect you or another person.
- It is necessary for performance of a task carried out in public interest or exercise of official authority (e.g., taxation, reporting crimes, public health).
- It is necessary for our or third parties’ legitimate interests in fulfilling our “lawful base” activities which include carrying out the College’s mission, its Strategic Plan, and its policies; to fundraise; and for constituent engagement.
Typical activities included in our “lawful base” include: admission; financial aid; registration; delivery of classroom, field, study abroad, and other experiential education and related educational support services; research; grading and assessment; residential life; student organizations, activities, and athletics; provision of wellness services to students; campus safety; communications; employment; program analysis for improvements; advancement/development; records retention; and information technology services and security.
How We Get Your Personal Information
We receive PI and SPI from multiple sources. Most often, we obtain this data directly from you or from a third-party you have authorized to share the data (for example, application to Wooster through the Common Application, submittal of test scores through the College Board or ACT, or submitting your credentials for employment through a service such as Interfolio). We may also collect this data:
- When you complete enrollment and “new student” paperwork
- When you apply for financial aid
- When you register for courses
- When you apply for internships, fellowships, research experiences, etc.
- In your activities as a student at Wooster
- When you communicate with us by telephone, email, or via our website
- From individuals and employers who you have asked to provide references for you
- Through disciplinary and grievance procedures
- When you use campus services, such as the Wellness Center, Libraries, Learning Center, Information Technology resources
- When you apply for employment
- When you participate in research, surveys, or other feedback mechanisms
- When you access our webpages (in the form of “cookies” or the IP address of your device)
- Through our Advancement/Development activities
- Through other activities relating to our “lawful uses” of your information
Types of PI and SPI that We Collect and Why
We may use the PI and SPI data to meet one or more of our “lawful bases.” Most often the data is used for academic admissions, enrollment, educational programs, employment, providing wellness services, participation in research, advancement and development, and community outreach.
Examples of the PI and SPI we may collect about you include:
- Name, biographical, and address information
- Ethnicity, race, and citizenship
- Education and employment history, including the courses you have completed, dates of study, and examination results
- Academic and extracurricular interests
- Records related to your use of our facilities and services
- Photographs from events and video footage
- Information about your involvement as a student, alumnus/ae, parent, donor including activities, and awards
- Financial information including tuition, fees, donations, scholarships, individual or family income, etc.
- Information about your family or personal circumstances if required to provide services to meet our “lawful bases”
- Sensitive Personal Data, including information about your health, medical conditions, disabilities, and accommodation needs
How We Use Your PI and SPI
We use your PI and SPI to fulfill and support our educational purpose. For example, we may use your information to:
- Recruit and admit you as a student
- Provide educational programs and experiences and related support services to you as a student
- Maintain your educational records
- Assess your eligibility for financial aid and scholarships
- Provide accommodations
- Provide library, media, information technology, and other information services
- Provide co-curricular opportunities and activities
- Provide student services including residential and wellness services
- Ensure your safety and security
- Address complaints, inquiries, grievances, or disciplinary actions
- Hire you as an employee
- Engage you as a graduate of the College
- Provide information to you as a parent or guardian of a student
- Conduct research to assess our programs and services, for accreditation, or for institutional planning, sometimes with the assistance of third-parties (such as NSSE or HERI)
- Fulfill our regulatory and legal obligations
- For archiving and use in the aggregate for statistical purposes
How We May Share Your PI and SPI
We may share your PI and SPI with certain third parties. When we do, we prefer that these third-parties ask you to consent to sharing your information, and that they provide you with a clear description of the information they seek and how it will be used. Such third parties may include third-parties that may be contracted to provide educational, academic support, or student support services; organizations providing software services; organizations conducting assessments or surveys; organizations providing data and analytics services; professional and regulatory organizations; government agencies; organizations that provide services to assist us in fulfilling our reporting responsibilities (such as the National Student Clearinghouse); parents, guardians, or others where there is legitimate reason for disclosure or where you have permitted such disclosure (such as signing a FERPA release form). We may also share your data if it is “de-identified” or included in data that has been aggregated (such as total enrollment numbers, total number of alumni residing in the EU, percentage of graduates in certain career fields, etc.).
Protecting Your Information
We take appropriate and reasonable measures to protect your information from loss, misuse, unauthorized access, disclosure, modification, or inadvertent destruction. For your information stored on College-hosted servers, we have implemented appropriate information security applications and controls. These controls are subject to periodic review by our external risk management firm and financial auditors. For your information stored on third-party servers (“software as a service” applications or “cloud-hosted” providers) we require the third-party provider to attest to a set of requirements and expectations that include compliance with the provisions of the GDPR.
Retaining and Destroying Your Information
In order to comply with various federal and state regulations, many of our records must be kept for specified periods of time. In addition, accomplishing the work of the College may, in some instances, require that records be retained longer than the minimum required by statute. Because we do not have a centralized record management function, each College department is responsible for the retention and disposal of the records it generates or receives. The means of disposing or destroying your information will be appropriate to preserve privacy and confidentiality.
Your Rights under the GDPR
The GDPR grants you the right to:
- request information about the processing of your personal data
- obtain access to the personal data held about you
- ask for incorrect, inaccurate, or incomplete personal data to be corrected
- request that personal data be erased when it’s no longer needed or if processing it is unlawful (“right to be erased,” “right to be forgotten”)
- object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation
- request the restriction of the processing of your personal data in specific cases
- receive your personal data in a machine-readable format and send it to another controller (“data portability”)
- request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.
Please note that the individual rights are not absolute and we are entitled to deny your request, especially when we continue to have a “legitimate interest” to retain and/or process your PI or SPI. The “right to erase” or “be forgotten” will be subject to our retention periods and in accordance with applicable state and federal laws.
Also note that should you withdraw consent for us to process your PI or SPI, we may not be able to continue to provide some or all of our services to you.
Additional or Related Policy Statements
We may have policy statements for specific audiences that relate to this statement. We will post them to our GDPR Statement website. Unless noted otherwise, such policies will be considered corollary policies to this statement.
Revisions to this Statement
We reserve the right to modify our policies and this statement at any time. Revised policies or versions of this statement shall be posted to our website. If changes in the GDPR or other regulations require significant revision or specific notification to you, we will do so using contact information we have on file (assuming you have continued to grant us the ability to contact you).
GDPR Privacy Contacts:
- Admissions: firstname.lastname@example.org
- Alumni: email@example.com
- Dean of Students/Student Affairs: firstname.lastname@example.org
- Financial Aid: email@example.com
- Health & Wellness Services: firstname.lastname@example.org
- Human Resources: email@example.com
- Student Records/Registrar: firstname.lastname@example.org
- Information Technology/Information Security: IT@wooster.edu
- Website: wooster.edu
The following resources were used in developing this statement: EIIA “European Union General Data Protection Regulation FAQ (2/28/18)”; AACRAO GDPR FAQ (1/22/18); privacy and GDPR polices from Colorado College, Butler University, Webster University (thank you, colleagues); NACAC “European Union General Protection Regulation Guidance”, EAB’s “[Four things campus[es] need to know about the EU’s General Data Protection Regulation|https://www.eab.com/blogs/it-forum-perspectives/2018/04/general-data-protection-regulation-higher-education-it-compliance]”; EDUCAUSE “7 Things you should know about GDPR;” European Commission Data Protection website