|Policy Category||Ethics, Integrity and Legal Compliance Policies|
|Original Policy Approval Date||July 13, 2018|
|Responsible Office/Vice President||General Counsel|
|Related Policies||FERPA Policy, Data Governance Policy, Information Technology Policy|
|Frequency of Review||3 Years|
|Date of Revision||February 22, 2023|
|Date of Next Review||February 22, 2025|
II. Policy Statement
The University is committed to safeguarding the privacy of personal information. This Policy outlines the collection, use, and, management, and disclosure of personal information of students, faculty, staff, alumni and other members of the community that is provided to or collected by the University. When information is submitted to the University, or you use the University’s websites and other services, you consent to the collection, use, and disclosure of that information as described in this Policy. The University endeavors to take reasonable precautions to maintain the privacy and security of personal information that it collects and uses. The University cannot guarantee that these efforts will always be successful and, therefore, users and other individuals must assume the risk of a breach of University privacy and security systems. Individuals are advised to be discreet and cautious in their use of University systems.
The University strives to protect the personal information that we process, and to adhere to a lawful and consistent approach to data processing. We do not sell personal information. No matter where an individual is located, the University will process the personal information in its control in the United States and other countries around the world. The laws of the United States and other countries governing data protection may not be as comprehensive or as protective as the laws in the country where you live.
The University collects, maintains, and shares the personal information needed to deliver our educational and study abroad services, and/or manage employer responsibilities, and to meet accreditation, regulatory, and statutory requirements. This includes but is not limited to: United States laws relating to Personally Identifiable Information (PII), the Family Educational Rights and Privacy Act (FERPA), the provisions of Regulation (EU) 2016/679 – Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”), and the United Kingdom’s Data Protection Act 2018, individual state laws that protect privacy, as well as the privacy laws of other countries that may apply.
The laws in some countries require us to inform you of the lawful grounds we rely on to collect, use, disclose, and otherwise process your personal information. To the extent those laws apply, our lawful basis for processing your personal information will depend on the personal information concerned and the specific context in which we collect it, including the following:
(1) the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract – this basis applies to processing information relating to providing services to students, applications for enrollment and employment, and as part of our employment relationship with our employees;
(2) the processing is necessary in order to protect the vital interests of the data subject or another person – this basis applies to processing information relating to certain health and safety matters;
(3) is in support of our legitimate interests, where those interests are not overridden by your fundamental rights and freedoms. Those interests include, but are not limited to, (i) sending communications to you to advise you of University events; (ii) analyzing and improving our operations (e.g., updating software that collects data on our website); and (iii) managing legal issues; and
(4) if we have asked you for consent to the processing of your personal information for one or more specific purposes, our lawful basis is your consent.
The laws in some countries may require us to gain consent for the collection of certain items of personal information. To the extent that those laws apply to any data we collect, we will gain consent from the individual providing the data, pursuant to the applicable laws.
Any specific questions about your personal information or to exercise your data privacy rights can be directed to DataProtection@arcadia.edu.
If you are within the European Union or the United Kingdom: you may have the right to request access to your personal information and the rectification of inaccurate personal information from the University. You also may have the right to request the erasure or the restriction of processing of your personal information in certain circumstances, including when the personal information is no longer necessary in relation to the purposes for which it was collected or otherwise processed, except when the University is required by law to maintain or otherwise process your personal information for the establishment, exercise, or defense of legal claims, or the protection of the rights of another person. You may exercise these rights by contacting the University using the contact information provided above. You also may have the right to lodge a complaint with a supervisory authority, in particular in the country of your habitual residence, place of work, or place of alleged infringement of the applicable law.
We share your personal information as necessary to provide the services you request, including sharing information with third party service providers; when required by law; to protect rights and safety; and with your consent.
We may share personal information with:
- Authorized service providers: We may share your personal information with our authorized service providers that perform certain services on our behalf. These services may include providing customer service and assistance communications, performing operations analysis, supporting our website functionality, and supporting other features offered through our website. These service providers may have access to personal information needed to perform their functions but are not permitted to share or use such information for any other purposes.
- Other situations: We also may disclose your information:
- in response to a subpoena or similar investigative demand, a court order, or a request for cooperation from a law enforcement or other government agency; to establish or exercise our legal rights; to defend against legal claims; or as otherwise required by law. In such cases, we may raise or waive any legal objection or right available to us;
- to ensure compliance with applicable federal, state, or local laws including, but not limited to, the Higher Education Act;
- when we believe disclosure is appropriate in connection with efforts to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing; to protect and defend the rights, property, or safety of the University, our website users, our employees, or others; to comply with applicable law or cooperate with law enforcement; or to enforce our website terms and conditions or other agreements or policies;
- in connection with a substantial organizational transaction, such as the sale of assets, a divestiture, merger, or consolidation; and
- when you provide us with your consent to share your information with third parties.
We will retain your personal information for as long as is needed to fulfill the purposes set forth in this Policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).
B. Applicable specifically to students and applicants for enrollment
We may collect and share the following types of personal information about you:
- Your name, contact details, physical mailing address, location, email address, home school, and Internet Protocol (IP) address.
- Information necessary to facilitate your planning, enrollment, participation, and assessment in our study abroad programs such as academic, health, and emergency contact information. This includes copies of documents you provide, which in the case of your passport includes details of your full name, date of birth, place of birth, gender, nationality and facial image.
- We also collect details of your interactions with us through our advising, enrollment management, and support services online, via email, in person, and by telephone.
- Data from sources that you have agreed can share your personal information.
- Other information you chose to provide to support your health, safety, and well-being in your program.
Whenever we collect or process your personal information, we will retain it in accordance with the University’s policies and practices concerning record retention. Generally, we will retain personal information as long as it is necessary for the purpose for which it was collected and for purposes of legal compliance. To the extent it is commercially practicable, at the end of that retention period, your personal information will either be deleted completely or anonymized, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
Students also should refer to the University’s FERPA Compliance Policy located here: https://www.arcadia.edu/ferpa-compliance-policy.
C. Applicable specifically to University employees and applicants for employment
The University processes personal information in connection with your employment or application for employment, including but not limited to, the following purposes: fulfilling the obligations established by any applicable United States or state, local, or foreign law that may apply to the University, such as immigration, labor, tax, social security contribution requirements, payroll, benefits, safety, other employee/employer requirements, and/or contractual obligations as well as for the administration and performance of academic, co-curricular, and related services.
D. Notification of Changes
The University reserves the right to change this Policy at any time. We will republish this Policy to reflect those changes. Posting new versions of this Policy at this location will constitute sufficient notice of those changes in our Policy.
Personal information: Any information that relates to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural, or social identity. Personal information does not include aggregate information or de-identified information, meaning that the information can no longer be attributed to an identifiable natural person without the use of additional information.
University refers to Arcadia University, its colleges, schools, affiliates, divisions, and subsidiaries.
V. Effective Date
This Policy is effective on the date that it is signed by the President.
VI. Signature, Title, and Date of Approval
Signed: /s/ Ajay Nair, President
Date: February 22, 2023