C07.0 Privacy Policy Procedures

Definitions

Capitalized terms used herein have the same definition as the Privacy Policy, C7.0. Additionally, the following definitions shall apply to these Procedures:

  1. “Directory Information” shall have the same meaning as defined in RIT Policy D15.0.
  2. “Process/processing” shall mean any operation or set of operations that is performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  3. “Third party” shall mean an entity other than RIT, to whom RIT discloses Personal Information. Examples of third parties include, but are not limited to, entities with whom RIT contracts with to perform or provide services.

Grounds for Processing Personal Information

  1. Processing Personal Information shall be limited to what is reasonably necessary for RIT’s academic, research and administrative functions.
    1. Prior to processing Personal Information, departments must review the processing to ensure that it satisfies a “Legitimate University Interest” (defined below) or if it requires the consent of the data subject.
    2. Contact the Privacy Officer for questions regarding processing Personal Information.
  2. Legitimate University Interests:
    1. Contract – when processing Personal Information is necessary to provide a service to the person (e.g., to provide educational services, student health services, etc.)
    2. Legal Obligation – when law or regulation requires processing Personal Information.
      1. The RIT Office of Legal Affairs shall determine if a subpoena is valid and shall examine RIT Records prior to its disclosure for compliance with the request.
      2. Only those documents required to be disclosed shall be produced and the production shall be limited to RIT Records kept in the ordinary course of business and in the manner in which they are maintained.
    3. Other legitimate interest – when processing Personal Information is in RIT’s interest.
      1. Appropriate where processing Personal Information in ways a data subject would reasonably expect, have a minimal privacy impact, or where there is a compelling justification for the processing.
      2. Legitimate Interest Assessment (LIA)
        1. Before Processing Personal Information, departments must document the Processing activity and complete an LIA.
        2. LIAs must:
          1. Identify a Legitimate University Interest;
          2. Show that the processing is necessary to achieve it; and
          3. Balance it against the individual’s interests, rights and freedoms.
        3. Contact the Privacy Officer for questions regarding LIAs, including forms and assistance in completing LIAs.
  3. Consent
    1. When there are no other Legitimate University Interests applicable to the use of Personal Data, RIT must obtain the consent of the data subject prior to processing their Personal Information.
    2. The department/division processing Personal Information shall be responsible for obtaining and maintaining the data subject’s consent.
    3. Obtaining Consent:
      1. Consent must be obtained through an “opt-in” process. Consent may not be obtained by a person’s failure to “opt-out” or by their lack of response.
      2. Consents must include information on the purpose(s) for which the Personal Information is being processed, and any third parties to whom the Personal Information may be disclosed.
      3. Contact the Privacy Officer for form consent and/or language.
    4. Individuals have the right to withdraw consent at any time.
      1. Information on how to withdraw consent must be provided at the time consent it obtained (e.g., in consent form itself, adjacent to checkboxes, etc.)
      2. Withdrawal of consent does not impact the processing of Personal Information prior to such withdrawal.

Storage of Personal Information

  1. Personal Information shall be maintained in accordance with RIT’s Information Access and Protection Standard (“Standards”). In the event any Procedure contained herein contradicts or otherwise creates a standard lower than that of the Standards, the requirements of the Standards shall be followed.
  2. When kept in non-electronic form, RIT Records containing Personal Information shall be stored in locked cabinets. Access to these locked cabinets shall be limited to Employees and Students with a legitimate business reason for using Personal Information. Whenever possible, locked cabinets should be kept in locked offices.
  3. When kept in electronic form, RIT Records containing Personal Information shall be stored on a secured server. A secured server means a server that meets the required Server Standard for the type of information being stored on it.
    1. Access to the secured server shall be limited to Employees and Students with a legitimate business reason for use of the Personal Information.
    2. Those accessing the Personal Information in electronic form shall access that information with an RIT Computer Account (formerly DCE Account).
    3. These procedures shall not do not replace any requirements of the Server Standard.

Disclosure of Personal Information

  1. Even where Personal Information is considered Directory Information under FERPA, the requirements of the Privacy Policy and these procedures still apply to the disclosure of Personal Information.
  2. Personal Information is not limited to only the information of RIT Community Members. Personal Information of RIT Guests and non-RIT Community Members shall be subject to the same protections under the Privacy Policy unless otherwise noted.
  3. When providing RIT Records to third parties (e.g., service providers, vendors, etc.), all Personal Information shall be removed, hidden, or redacted prior to its disclosure unless:
    1. Production of the RIT Record with the Personal Information is required by applicable law, regulation, governmental agency request or validly issued subpoena; or
    2. Removal of the Personal Information prevents the RIT Record from serving an official business or regulatory purpose.
    3. The appropriate contractual safeguards are in place.
      1. Whenever RIT is disclosing Personal Information to a third party, e.g., using a third party to process Personal Information, there must be in place an appropriate Data Processing Agreement (DPA) or its equivalent.
      2. The use of third party service providers to process Personal Information shall remain subject to all requirements found in the Standards, as applicable. See additional resources here:
        1. Requirements for Faculty/Staff

Accountability

  1. Accountability requires RIT to take responsibility for what you do with personal data and how you comply with the other principles. RIT must have appropriate measures and records in place to be able to demonstrate your compliance.
  2. Records of Processing Activities (ROPA)
    1. Departments (or other university units) processing Personal Information must complete and maintain a ROPA
    2. ROPAs shall include, at a minimum:
      1. Categories of Personal Information processed
      2. Purpose of processing
      3. Whether an LIA was completed (LIAs must be maintained by the department processing the data)
      4. Any third parties to whom the Personal Information is disclosed and the purpose for such disclosure
    3. The department or unit processing the data is responsible for maintaining ROPAs and revising such when required.
  3. Data Protection Assessments (DPIA)
    1. Department (or other university units) processing Personal Information must complete and maintain a DPIA whenever such processing is likely to result in a high risk to the data subjects.
    2. Processing may constitute a high risk if it involves:
      1. Special Category Personal Information, which is information that reveals or concerns an individual’s:
        1. Racial or ethnic origin
        2. Political opinions
        3. Religious or philosophical beliefs
        4. Union membership
        5. Genetic data
        6. Biometric data
        7. Health data
        8. Sex and sexual orientation data
      2. Large scale processing
      3. Automated decision making
      4. Monitoring physical or electronic spaces
    3. DPIAs must:
      1. Describe the nature, scope, context and purposes of the processing;
      2. Assess necessity, proportionality and compliance measures;
      3. Identify and assess risks to individuals; and
      4. Identify any additional measures to mitigate those risks.
    4. DPIAs shall be submitted to the Privacy Officer, and other offices, as appropriate (e.g., Information Security Office), for review and approval. DPIAs shall be signed by a vice president (or their designee).
    5. The department or unit processing the data is responsible for maintaining and complying with the DPIA, including revising the DPIA when required.
  4. The Privacy Office shall maintain forms for departments to use in completing ROPAs and DPIAs.
  5. The requirements of this section do not replace the requirements of other applicable RIT policies, including but not limited to Information Security Policy and Standards.

Requests for Access / Removal of Personal Information

  1. Departments receiving a request by an individual to access Personal Information shall comply with applicable RIT policies, including but not limited to D15.0.
  2. Requests for the removal of Personal Information will be honored to the extent RIT does not otherwise have a Legitimate University Interest in maintaining the Personal Information.
  3. Departments who receive a request by an individual to remove their Personal Information shall contact the RIT Privacy Officer.

Personal Property

  1. Prior to searching the Personal Property of an RIT Community Member, RIT shall consider alternative, reasonable means by which to access the information being sought. Such limitation shall not apply in situations identified in Section V(7)(d) and (e) of the Policy.
  2. Where alternative, reasonable means by which to access the information being sought do not exist, requests for the inspection or retention of Personal Property shall be made to the appropriate RIT vice president (or their designee) except in cases where there is an immediate threat of harm. In such cases, RIT Public Safety may approve the inspection or retention of Personal Property.
  3. Whenever possible, the university will access or inspect Personal Property in RIT Facilities, RIT Property, or RIT Housing in the presence of the owner of the Personal Property. If the owner of the Personal Property is not present, the access or inspection shall occur in the presence of at least two (2) Employees.
  4. If required to provide notice prior to access and inspection of Personal Property in RIT Facilities, RIT Property, or RIT Housing:
    1. The university notice may be oral or in writing and shall be provided with sufficient time to allow the owner of the Personal Property to object to its access or inspection, or
    2. The university notice may be in the form of signage or placards placed at entrances to RIT Facilities or RIT Property, or as a term and condition of residence at RIT Housing.
  5. Retention of Personal Property shall occur for only so long as necessary to achieve the Legitimate University Purpose prompting the retention. In the event Personal Property must be retained longer or otherwise disposed of (e.g., possession of said property violate applicable law), the university will, except where prohibited by law or policy, inform the owner of such disposition.

Personal Electronic Devices

  1. Personal Electronic Devices are Personal Property and shall be subject to the same process for the access and inspection of Personal Property.
  2. In addition, Personal Electronic Devices utilizing RIT Information Systems shall be subject to access or inspection when required by applicable laws, regulations, or in response to a validly issued subpoena or law enforcement request.
    1. Whenever possible, and if allowed by applicable laws, regulations, validly issued subpoena or law enforcement request, access and inspection of Personal Electronic Devices shall occur with notice.
    2. Unless required by applicable laws, regulations, validly issued subpoena or law enforcement request, access and inspection of Personal Electronic Devices shall only include information maintained by RIT and shall not include any personal data maintained solely on the Personal Electronic Device.
  3. Members of the RIT Community who use RIT Guest Information Systems shall subject Personal Electronic Devices to access and inspection, with or without notice, at the sole discretion of the university in accordance with the provisions of the Privacy Policy.

Video Surveillance Systems and Audio Recordings

  1. Conspicuous notice of where video or audio surveillance systems are in use may be in the form of written signage in the area where the surveillance is occurring. Where the surveillance system does not utilize audio recording and is clearly visible, such as where surveillance cameras are clearly visible, the cameras themselves shall be deemed conspicuous notice.
  2. The university shall provide notice of the use of audio recording systems. This notice may be oral or in writing and shall be given prior to the commencement of any audio recording.
  3. Requests to use video and/or audio recording systems for surveillance shall be made to RIT Public Safety which shall, in consultation with the Privacy Officer, review the request to ensure there is a Legitimate University Reason.
  4. RIT Public Safety shall maintain a list of all surveillance systems on campus and their location, the record of which shall be available for inspection by members of the RIT Community during normal business hours.

Privacy Statement

  1. RIT shall have at least one Privacy Statement which includes, at a minimum, the following information:
    1. Categories of individuals for whom RIT processes Personal Information;
    2. The purposes for which RIT processes Personal Information;
    3. Whether individuals must provide Personal Information to RIT;
    4. How RIT collects Personal Information;
    5. How long RIT processes Personal Information;
    6. With whom RIT shares Personal Information;
    7. Individual data protection rights; and
    8. Whether RIT performs automated decision-making with your Personal Information.
  2. RIT’s primary Privacy Statement shall be updated as necessary and published on the RIT website.

Privacy Officer

The Privacy Officer shall:

  1. Review on an annual basis the university’s privacy statement(s) for compliance with applicable laws, regulations, and the Privacy Policy (C7.0).
  2. Review on an as needed basis existing RIT Policies and Procedures covering particular types of Personal Information for compliance with applicable laws, regulations, and the Privacy Policy.
  3. Make and maintain form documents, including but not limited to nondisclosure agreements, records of processing activities, legitimate interest analyses, and data protection impact assessments, and assist departments in their completion.
  4. Review privacy-related terms and conditions in contracts involving the disclosure of Personal Information to third parties.
  5. Develop training materials and oversee training and education about RIT policies and legal requirements to protect and manage Personal Information.
  6. Receive and respond to complaints relating to potential violations of privacy laws, regulations, and the Privacy Policy, and assist and coordinate with appropriate departments and divisions the investigations into these potential violations.

Questions should be directed to the RIT Privacy Officer
Evan Thompson
Interim Privacy Officer
dataprivacy@rit.edu

Rev 10-21-2021