1.1 This Privacy Notice applies to all visitors to Ithaca College’s main website (www.ithaca.edu) or other websites run by or on behalf of Ithaca College , to alumni of Ithaca College, donors to the College, any unenrolled or online course attendees, attendees at events and exhibitions (including public events, meetings and other similar activities including at our theatre) and other individuals about whom we collect personal data. It does not apply to current students or employees of Ithaca College (for the Student Privacy Notice please see your introductory pack, for the Employee Privacy Notice please see the Ithaca College intranet).
1.2 This Privacy Notice explains our practices about the collection, use, and disclosure of personal information. Ithaca College is the data controller.
1.3 Paragraphs 1 - 6 inclusive apply to all individuals, regardless of global location or origin. Paragraphs 7 onward apply only to those individuals who are citizens or residents in the UK or the EU, or whose data was collected in the UK or the EU.
2. Information gathered automatically
2.3 Please visit the following site for more information on Google Analytics, one of our analytics providers: http://www.google.com/policies/privacy/partners/.
3. Information you provide to us
3.1 To communicate effectively with visitors to our website, we may ask you for personally identifiable information that can include name, email address or phone number, for example. Any such personally submitted information may be used in internal records and/or correspondence as deemed appropriate by Ithaca College.
4. External links
4.1 Some Ithaca College websites may contain links to external websites not owned by, or officially affiliated with, Ithaca College in any way. Ithaca College is not responsible for the privacy practices or the content of such websites.
4.2 Changes to this policy: Changes to this policy will be posted on the website.
5. Contact information
5.1 If you have any questions about this privacy statement or the practices of this website, please contact firstname.lastname@example.org.
European Union and United Kingdom privacy law
To reflect changes in data protection laws in the European Union in 2018, the paragraphs below 6 – 17 of this Privacy Notice apply only to individuals who live and study in the European Economic Area (“EEA”) or United Kingdom (“UK”) as part of an Ithaca College international program or who are citizens or residents of the EEA or the UK and study at Ithaca College.
6. What categories of personal data do we collect?
6.1 The categories of personal data that we may collect, hold and share include:
6.1.1 Personal information (such as name, title, date of birth, gender);
6.1.2 Contact information (for example, postal address, email address, telephone numbers);
6.1.3 Characteristics (such as ethnicity, language, medical conditions, nationality, country of birth);
6.1.4 Payment details from donations or other payments, including bank details or credit or debit card details;
6.1.5 Technological data gathered when you use our website, including IP address, browser type, page interaction information, and any login information you use, and from CCTV if you attend an event at any of our sites.
7. How do we collect your data?
7.1 Ithaca College will have some of your data because it was mandatory; either under law if you used to attend the college as a student, or because it is necessary for us to be able to carry out a contract with you.
7.2 Otherwise, most of the personal information held by Ithaca College is provided voluntarily by you in communications with us, either written or during telephone conversations.
7.3 In addition, the College uses cameras for security purposes and for the protection of staff and students. Film and images will only be processed to the extent that it is lawful to do so.
8.1 Where appropriate, we will ask you for consent to process personal data where there is no other lawful basis for processing it, for example if we want to ask your permission to use your information for marketing purposes.
8.2 You may withdraw consent at any time.
9. Lawful basis
9.1 We collect and use personal data about individuals under the following lawful bases: 9.1.1 where we have the consent of the data subject;
9.1.2 where it is necessary for the performance of a contract;
9.1.3 where it is necessary for compliance with a legal obligation;
9.1.4 where processing is necessary to protect the vital interests of the data subject or another person;
9.1.5 where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; or
9.1.6 where we have a legitimate business interest.
9.2 We will always take individuals’ rights and freedoms into account when processing personal data.
9.3 Where the personal data we collect about individuals is sensitive personal data, we will only process it where:
9.3.1 we have explicit consent;
9.3.2 processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; and / or
9.3.3 processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
10. How we use personal data
10.1 We use the personal data to support our functions of running an educational establishment, in particular:
10.1.1 to assess the quality of our services;
10.1.2 to comply with the law regarding data sharing;
10.1.3 to improve the online services we provide;
10.1.4 to send newsletters or information we think you might be interested in;
10.1.5 to encourage donations to support the College;
10.1.6 for the safe and orderly running of the College.
11. Data retention
11.1 We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for (see paragraph 11.1 above), including for the purposes of satisfying any legal, accounting, or reporting requirements.
11.2 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
11.3 By law we have to keep basic information about our alumni (including Contact & Identity information) for six years after you cease being a student. We may keep some other records for an extended period of time. For example, it is current best practice to keep financial records for a minimum period of 8 years.
11.4 Where possible, we anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
11.5 A significant amount of personal data is stored electronically, for example, in our Student Information System. Some information may also be stored in hard copy format.
11.6 Data stored electronically may be saved on a cloud based system which may be hosted in a different country.
11.7 Personal data may be transferred to other countries if, for example, we are arranging a College trip to a different country. Appropriate steps will be taken to keep the data secure. We also regularly share personal data between the Ithaca College London Center and Ithaca College locations in the United States.
12. Who do we share personal information with?
12.1 Your personal data will be processed by employees of Ithaca College in line with our obligations in this notice.
12.1.1 We may share your information with selected third parties including:
12.1.2 business partners, suppliers and sub-contractors for the performance of any contract we enter into with you;
12.1.3 third party service providers who perform functions on our behalf under contract, such as CCTV operators who operate our security cameras;
12.1.4 analytics and search engine providers that assist us in the improvement and optimization of our website;
12.2 if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce any agreement we have entered into with you or to collect debts owing from you to us; or to protect the rights, property, or safety of Ithaca College, our students, or other individuals. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
12.3 We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
13. Requesting access to your personal data
13.1 Subject to the section below, the legal timescales for Ithaca College to respond to a Subject Access Request is one calendar month. As the College has limited staff resources outside of term time, we encourage students to submit Subject Access Requests during term time and to avoid sending a request during periods when the College is closed or is about to close for the holidays where possible. This will assist us in responding to your request as promptly as possible.
14. Your legal rights
14.1 You have the right to:
14.1.1 Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
14.1.2 Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
14.1.3 Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
14.1.4 Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.
14.1.5 Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
14.1.6 Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
14.1.7 Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
14.2 If you wish to exercise any of the rights set out above, please contact us at email@example.com.
14.3 You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
14.4 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
14.5 We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
15. Data security
15.1 We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees who have a need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
15.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
16. International transfer of data
16.1 Any electronic personal data transferred to countries or territories outside the EU will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union. Our website is also accessible from overseas so on occasion some personal data (for example in a newsletter) may be accessed from overseas.
17.1 We would encourage you to give Ithaca College the opportunity to deal with any complaints you have in relation to your personal data by contacting us at the email address set out in paragraph 5 above.
17.2 You have the right to make a complaint at any time to your local data protection supervisory authority. You can a list of the relevant local data protection supervisory authorities (including their contact details) on the European Commission Europa website here: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080