Ithaca College Privacy Notice For Students

1.              Applicability

This Privacy Notice applies only to Ithaca College (www.ithaca.edu), or certain other websites run by or on behalf of Ithaca College, and explains our practices about the collection, use, and disclosure of personal data about students (including prospective students) of the College.  Ithaca College is the data controller.

2.             Information gathered automatically

Similar to most institutions on the internet, Ithaca College tracks users’ web browsing patterns when you visit our website(s) to inform our understanding of how our sites are being used unless you take steps to browse the Internet anonymously or opt-out. Generic information is collected through the use of "cookies," which are text files placed on your computer, to evaluate usage patterns so that we can improve both content and distribution. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, doing so may prevent you from using the full functionality of all of our websites. The generic information we collect is based on IP address, which is the location of a computer or network.

Some sections of Ithaca College owned websites use web analytics services that use cookies to help us analyze how users use our sites. The information generated by the cookie about your use of the website includes your IP address. This information may be transmitted to and stored by the analytics service provider(s) on their server(s). They will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to Internet usage. They may also transfer this information to third parties where required to do so by law, or where such third parties process the information on their behalf. By using this website, you consent to the processing of data about you by Ithaca College and our analytic services provider(s) in the manner and for the purposes set out above.

Please visit the following site for more information on Google Analytics, one of our analytics providers: http://www.google.com/policies/privacy/partners/.

3.             Family Educational Rights and Protection Act (FERPA)

If you enroll in an academic program at Ithaca College, personal information you provide to us, or that we maintain that pertains to you, may be protected from disclosure under the provisions of the federal Family Educational Rights and Privacy Act (“FERPA”).  For further information regarding the applicability of FERPA and your rights under it, please contact us at privacy@ithaca.edu.  Ithaca College’s FERPA Policy can be found here: https://www.ithaca.edu/policies/vol7/general/070101/.

4.             External links

This site may contain links to external websites not owned by, or officially affiliated with, Ithaca College in any way. Ithaca College is not responsible for the privacy practices or the content of such websites. The terms and conditions and privacy notices of such websites govern your use of the services offered on those websites.

5.             Changes to this policy

We reserve the right to modify this Privacy Policy at any time. Changes to this policy will be posted here before the changes take effect. If we make changes, we will post an updated effective date below.

6.             Contact information

If you have any questions about this privacy statement or the practices of this website, please contact privacy@ithaca.edu.

7.             How we use Personal data

We collect and use personal data about students under the following lawful bases:

  1. where we have the consent of the data subject;
  2. where it is necessary for compliance with a legal obligation;
  3. where processing is necessary to protect the vital interests of the data subject or another person;
  4. where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us

Where the personal data we collect about students is sensitive personal data, we will only process it where:

  1. we have explicit consent;
  2. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; and / or
  3. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

We use the personal data to support our functions of running an educational establishment, in particular:

  1. to support student learning;
  2. to monitor and report on student progress;
  3. to provide appropriate pastoral care;
  4. to assess the quality of our services;
  5. to comply with the law regarding data sharing;
  6. for the protection and welfare of students and others in the college;
  7. for the safe and orderly running of the college.

8.             The categories of personal data that we collect, hold and share include:

  1. Personal information (such as name, unique student number and address);
  2. Characteristics (such as ethnicity, language, medical conditions, nationality, country of birth);
  3. Attendance information (such as sessions attended, number of absences and absence reasons)
  4. Assessment information
  5. Medical information
  6. Special educational needs information
  7. Disciplinary and/or behavioral information
  8. Student outcome data and relevant background information,

From time to time and in certain circumstances, we might also process personal data about students, some of which might be sensitive personal data, including information about criminal proceedings / convictions, information about sex life and sexual orientation, child protection / safeguarding.  This information is not routinely collected about students and is only likely to be processed by the college in specific circumstances relating to particular students, for example, if a child protection issue arises or if a student is involved in a criminal matter.  Where appropriate, such information may be shared with external agencies such as the child protection team at the Local Authority, the Local Authority Designated Officer and / or the Police.  Such information will only be processed to the extent that it is lawful to do so and appropriate measures will be taken to keep the data secure.

We collect information about students when they join Ithaca College and update it during their time on the roll as and when new information is acquired.

9.             Collecting student information

Whilst the majority of personal you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with data protection laws, we will inform you whether you are required to provide certain information to us or if you have a choice in this. Where appropriate, we will ask you for consent to process personal data where there is no other lawful basis for processing it, for example where we wish to use photos or images of a student on our website or on social media to promote College activities or if we want to ask your permission to use your information for marketing purposes.  You may withdraw consent at any time.

Our site is not intended for children under 13 years of age. As a result, we do not specifically collect information about children.  If we learn that we have collected information from a child under the age of 13, we will delete the information as quickly as possible.

In addition, the College also uses cameras for security purposes and for the protection of staff and students.  Film and images may be referred to during the course of disciplinary procedures (for staff or students) or to investigate other issues.  Film and images involving students will only be processed to the extent that it is lawful to do so.

10.          Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for (see paragraph 7 above), including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we have to keep basic information about our students (including Contact & Identity information) for six years after you cease being a student. We may keep some other records for an extended period of time. For example, it is current best practice to keep financial records for a minimum period of 8 years.

Where possible, we anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

A significant amount of personal data is stored electronically, for example, on our student information management system.  Some information may also be stored in hard copy format.

Data stored electronically may be saved on a [cloud] based system which may be hosted in a different country.

Personal data may be transferred to other countries if, for example, we are arranging a College trip to a different country.  Appropriate steps will be taken to keep the data secure.  We also regularly share personal data with Ithaca College in the USA.

11.          Who do we share student information with?

We routinely share student information with:

  1. colleges that  students attend after leaving us;
  2. municipal, state, and federal government agencies, as required by law, including the U.S. Department of Education;
  3. a student’s home local authority (if different);
  4. members of the Board of Trustees of Ithaca College;
  5. the central team at Ithaca College in the USA;
  6. exam boards;
  7. Other school officials, as defined under FERPA

From time to time, we may also share student information other third parties including the following:

  1. the Police and law enforcement agencies;
  2. NHS health professionals including the College health services providers,
  3. Education Welfare Officers;
  4. Courts, if ordered to do so;
  5. the National College for Teaching and Learning;
  6. the Joint Council for Qualifications;
  7. Prevent teams in accordance with the Prevent Duty on College;
  8. other Colleges, for example, if we are negotiating a managed move and we have your consent to share information in these circumstances;
  9. the College chaplain;
  10. our HR providers, for example, if we are seeking HR advice and a student is involved in an issue;
  11. our legal advisors;
  12. our insurance providers / the Risk Protection Arrangement;

Some of the above organisations may also be Data Controllers in their own right in which case we will be jointly controllers of your personal data and may be jointly liable in the event of any data breaches. 

In the event that we share personal data about students with third parties, we will provide the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data.

We do not share information about our students with anyone without consent unless the law allows us to do so.

We share students’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins college funding and educational attainment policy and monitoring.

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the college census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.

We will also share certain information about students aged 16+ with our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.

This enables them to provide services as follows:

  1. post-16 education and training providers;
  2. youth support services;
  3. careers advisers.

The National Pupil Database (NPD)

The NPD is owned and managed by the Department for Education and contains information about students in colleges in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, colleges, local authorities and awarding bodies.

We may be required to provide information about certain students to the DfE as part of statutory data collections in the UK such as the school census and early years’ census. Some of this information would then be stored in the NPD. The law that authorizes this is the Education (Information About Individual Pupils) (England) Regulations 2013.

To find out more about the personal data collected by the DfE go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.

To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.

The department may share information about our students from the NPD with third parties who promote the education or well-being of children in England by:

  1. conducting research or analysis
  2. producing statistics
  3. providing information, advice or guidance

The DfE has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

  1. who is requesting the data;
  2. the purpose for which it is required;
  3. the level and sensitivity of data requested; and
  4. the arrangements in place to store and handle the data.

To be granted access to personal data, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the department’s data sharing process, please visit:

https://www.gov.uk/data-protection-how-we-collect-and-share-research-data

For information about which organisations the department has provided personal data, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received

To contact DfE: https://www.gov.uk/contact-dfe

12.          Requesting access to your personal data

[Subject to the section below, the legal timescales for the College to respond to a Subject Access Request is one calendar month.  As the College has limited staff resources outside of term time, we encourage students to submit Subject Access Requests during term time and to avoid sending a request during periods when the College is closed or is about to close for the holidays where possible.  This will assist us in responding to your request as promptly as possible].

13.          Your legal rights 

You have the right to:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us at privacy@ithaca.edu.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

If you remain dissatisfied then you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: -

The Information Commissioner, Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF

Switchboard: 01625 545 700

Data Protection Help Line: 01625 545 745