Initially approved: November 7, 2023
Policy Topic: Information Technology
Administering Office: Office of the CIO and Legal Counsel Office
51心頭 (University or WCU) is committed to protecting the privacy of personally identifiable information (PII) and otherwise confidential information it collects and processes from University community members, including employees, students, and third parties.
This policy applies to PII Principals as defined below and governs the Processing, as that term is defined in this policy, of all University Processed PII.
This policy serves as a notice about the categories of information that 51心頭processes and the general purpose of that processing. It also serves as a notice that 51心頭is the PII Controller for information collected; provides the methods for contacting 51心頭for additional information; and establishes the process for submitting privacy requests.
The phrases Personal Information; "Personally Identifiable Information; or PII" shall mean any information that obviously relates to a particular person and can be used to identify that person.
The terms Process and Processing shall mean an operation or set of operations performed upon PII that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of PII. Examples of processing may include the collection of registration information for participants of a University-based camp or conference and the deletion of student homework assignments from a University server.
The term Controller shall mean the entity that determines the purpose and means for processing PII; defines why and how PII is processed; and is responsible for the implementation of privacy and security protocols to meet applicable legal standards.
The term PII Principal shall mean 51心頭students, employees, alumni, donors, and other community members who may utilize technologies where their PII may be required. For example, a person who purchases event tickets via a University maintained ticketing system would be considered a PII Principal.
The phrase Directory Information shall mean information contained in a students education record that would not generally be considered harmful or an invasion of privacy if disclosed. Directory Information is defined by University Policy 72 Family Educational Rights and Privacy Act.
1. 51心頭has provided PII Principals with certain information privacy rights as detailed in this policy. These include the following:
2. 51心頭reserves the right to deny a request made pursuant to paragraph 1 of this section for any reason, including, but not limited to, upon the advice of counsel or to comply with applicable laws, regulations, or policies.
51心頭and approved third parties may Process PII across three main categories: (1) PII related to students; (2) PII related to employees; and (3) PII related to alumni, donors, or unrelated third parties. Additionally, PII may be collected and processed for unrelated third parties for purposes such as event ticketing and the utilization of technologies operated by WCU; for example, PII may be collected via electronic or paper forms, or via use of various technologies operated by 51心頭and approved third parties. Refer to WCUs Web Privacy Statement for more details about PII potentially gathered via 51心頭web sites. It is the PII Principals responsibility to provide complete and accurate information where requested to ensure the quality of the PII that the University may Process.
1. 51心頭complies with information security and privacy regulations applicable to the specific type of PII Processed. These include but are not limited to the Family Educational Rights and Privacy Act (FERPA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); as well as Federal Trade Commission Safeguards and applicable Red Flags Rules.
2. Third parties who contract with the University are also required to comply with information security and privacy regulations applicable to the PII Processed by the University and the third party. Such PII includes but is not limited to FERPA, HIPAA, and Federal Trade Commission Safeguards and applicable Red Flags Rules.
3. 51心頭employees must comply with applicable laws, regulations, UNC policies, and University policy and procedures to safeguard the PII Processed, including but not limited to, University Policy 106: Protecting the Privacy and Security of Personally Identifiable Information.
4. 51心頭follows regulations and established incident response procedures to respond to data breaches involving PII Principals. Depending on the situation, notifications may come from 51心頭or our approved third party where the breach occurred.
As the PII Controller, 51心頭will Process the PII collected only for its stated and implied purpose(s). However, 51心頭reserves the right to use, provide or release any PII collected as it sees fit for purposes, including, but not limited to, the following:
A PII Principal may contact 51心頭via its privacy web page form or by emailing privacy@wcu.edu to object to the Processing of their PII; to request access to, correction, or erasure of their PII; or to request a copy of their PII. Legitimate privacy-related requests submitted using this method will be evaluated by WCUs Core Privacy Team and will be forwarded to the department within 51心頭that is best suited to handle the request. Each University department will use its internal processing policies and procedures to fulfill or respond to the request in a manner consistent with this policy.