College of Wooster Privacy Statement: General Statement of our practices and policies
Effective: May 23, 2018
As a current or prospective student, former student, graduate, applicant for employment, employee, donor, research participant, or parent or guardian, you provide, or have provided, The College of Wooster with personal information. We are committed to respecting and protecting your information; to let you know how we collect, use, and disclose the information you provide. The College complies with applicable federal, state, or international privacy regulations, for example, the GDPR and California Consumer Privacy Act, as applicable.
As a U.S. not-for-profit corporation, what we do to protect your personal information is governed by various U.S. regulations, including but not limited to the Higher Education Opportunity Act of 2008 (and its reauthorizations), the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA) & FTC Safeguards Rule, and PCI DSS guidelines as established by major credit/debit card companies.
Wooster’s Basis for Collecting Your Information
[what is our “lawful use” for collection?]
The College of Wooster is a not-for-profit, private, residential higher education institution that fulfills its educational purpose through the activities of education, research, student development, community service, and advancement/development. To fulfill and support our educational purpose, it is essential and necessary to collect, process, use, and maintain data about our students and parents/guardians if applicable, employees, applicants, research subjects, and others involved in our educational, research, and community programs (this is what’s termed our “lawful base” for collecting and processing information as defined in specific privacy regulations).
Our bases for collecting and processing your Personal Information (PI) and Sensitive Personal Information (SPI) most often will fall under the following categories:
- You have given us consent to process your information for one or more specific purposes.
- It is necessary for performance of a contract (to fulfill our responsibility to provide educational and related services to you and other current and former students and graduates, or to fulfill research grants and contracts).
- It is necessary for compliance with our legal obligations, such as meeting regulatory requirements, assisting with investigations carried out by responsible authorities.
- It is necessary to protect your “vital interests,” for example, for emergency medical purposes, or to protect you or another person.
- It is necessary for performance of a task carried out in public interest or exercise of official authority (e.g., paying required taxes, reporting crimes, public health).
- It is necessary for our or third parties’ legitimate interests in fulfilling our “lawful base” activities which include carrying out the College’s mission, its strategic plans, and its policies; to fundraise; and for constituent engagement.
Typical activities included in our “lawful base” include: admission; financial aid; registration; delivery of classroom, field, off-campus, and other experiential education and related educational support services; research; grading and assessment; residential life; student organizations, activities, and athletics; provision of wellness services to students; campus safety; communications; employment; program analysis for improvements; advancement/development; records retention; and information technology services and security.
How We Get Your Personal Information
We receive PI and SPI from multiple sources. Most often, we obtain this data directly from you or from a third-party you have authorized to share the data (for example, application to Wooster through the Common Application, submittal of test scores through the College Board or ACT, or submitting your credentials for employment through a service such as Interfolio or Hirezon). We may also collect this data:
- when you complete enrollment, “new student,” and/or “new employee” forms and documents.
- when you apply for financial aid.
- when you register for courses.
- when you apply for internships, fellowships, research experiences, etc.
- in your activities as a student at Wooster.
- when you communicate with us by telephone, email, or via our website.
- from individuals and employers who you have asked to provide references for you.
- through disciplinary and grievance procedures.
- when you use campus services, such as the Wellness Center, Libraries, Learning Center, Information Technology resources.
- when you apply for employment.
- when you participate in research, surveys, or other feedback mechanisms.
- when you access our webpages (in the form of “cookies” or the IP address of your device).
- through our Advancement/Development activities.
- through other activities relating to our “lawful uses” of your information.
Types of PI and SPI that We Collect and Why
We may use the PI and SPI data to meet one or more of our “lawful bases.” Most often the data is used for academic admissions, enrollment, educational programs, employment, providing wellness services, participation in research, advancement and development, and community outreach.
Examples of the PI and SPI we may collect about you include:
- Name, biographical, and address information
- Ethnicity, race, and citizenship
- Education and employment history, including the courses you have completed, dates of study, and examination results
- Academic and extracurricular interests
- Records related to your use of our facilities and services
- Photographs from events and video footage
- Information about your involvement as a student, alumnus/ae, parent, donor including activities and awards
- Financial information including tuition, fees, donations, scholarships, individual or family income, etc.
- Information about your family or personal circumstances if required to provide services to meet our “lawful bases”
- Information about your health, medical conditions, disabilities, and accommodation needs (we will not collect this information without your consent)
How We Use Your PI and SPI
We use your PI and SPI to fulfill and support our educational purpose. For example, we may use your information to:
- Recruit and admit you as a student
- Provide educational programs and experiences and related support services to you as a student
- Maintain your educational records
- Assess your eligibility for financial aid and scholarships
- Provide accommodations
- Provide library, media, information technology, and other information services
- Provide co-curricular opportunities and activities
- Provide student services including residential and wellness/health/counseling services
- Ensure your safety and security
- Address complaints, inquiries, grievances, or disciplinary actions
- Hire you as an employee
- Engage you as a graduate of the College
- Provide information to you as a parent or guardian of a student
- Conduct research to assess our programs and services, for accreditation, or for institutional planning, sometimes with the assistance of third-parties (such as NSSE or HERI)
- Fulfill our regulatory and legal obligations
- Maintain your donor records.
We may share your PI and SPI with certain third parties. When we do, we prefer that these third-parties ask you to consent to sharing your information, and that they provide you with a clear description of the information they seek and how it will be used. Such third parties may include third-parties that may be contracted to provide educational, academic support, or student support services; organizations providing software services; organizations conducting assessments or surveys; organizations providing data and analytics services; professional and regulatory organizations; government agencies; organizations that provide services to assist us in fulfilling our reporting responsibilities (such as the National Student Clearinghouse); parents, guardians, or others where there is legitimate reason for disclosure or where you have permitted such disclosure (such as signing a FERPA release form or granting proxy access). We may also share your data if it is “de-identified” or included in data that has been aggregated (such as total enrollment numbers, total number of alumni residing in a given geographical area, percentage of graduates in certain career fields, etc.).
Protecting Your Information
We take appropriate and reasonable measures to protect your information from loss, misuse, unauthorized access, disclosure, modification, or inadvertent destruction. For your information stored on College-hosted servers, we have implemented appropriate information security applications and controls. These controls are subject to periodic review by our external risk management firm, financial auditors, and independent security auditors. For your information stored on third-party servers not managed by the College (“software as a service” applications or “cloud-hosted” providers), we require the third-party provider to attest to a set of requirements and expectations that include compliance with the provisions all applicable laws and regulations.
Retaining and Destroying Your Information
To comply with various federal and state regulations, many of our records must be kept for specified periods of time. In addition, accomplishing the work of the College may, in some instances, require that records be retained longer than the minimum required by statute. Because we do not have a centralized record management function, each College department is responsible for the retention and disposal of the records it generates or receives. The means of disposing or destroying your information will be appropriate to preserve privacy and confidentiality.
The College gives you the right to:
- request information about the processing of your personal data
- obtain access to the personal data held about you
- ask for incorrect, inaccurate, or incomplete personal data to be corrected
- request that personal data be erased when it’s no longer needed or if processing it is unlawful (“right to be erased,” “right to be forgotten”)
- object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation
- request the restriction of the processing of your personal data in specific cases.
Please note that these rights are not absolute and we are entitled to deny your request, especially when we continue to have a “legitimate interest” to retain and/or process your PI or SPI. The “right to erase” or “be forgotten” will be subject to our retention periods and in accordance with applicable state and federal laws.
Also note that should you withdraw consent for us to process your PI or SPI, we may not be able to continue to provide some or all our services to you, including educational services.
Revisions to this Statement
We reserve the right to modify our policies and this statement at any time. Revised policies or versions of this statement shall be posted to our website. If changes in other regulations require significant revision or specific notification to you, we will do so using contact information we have on file (assuming you have continued to grant us the ability to contact you).
College of Wooster Privacy Contacts
- Admissions: email@example.com
- Alumni: firstname.lastname@example.org
- Dean of Students/Student Affairs: email@example.com
- Financial Aid: firstname.lastname@example.org
- Health & Wellness Services: Student_Wellness_Center@wooster.edu
- Human Resources: email@example.com
- Student Records/Registrar: firstname.lastname@example.org
- Information Technology/Information Security: IT@wooster.edu
- Website: wooster.edu
This statement was developed at the time the College adopted its GDPR statement.
reviewed February 24, 2023