Personal Information and Privacy Policy

Policy Summary

The university is committed to maintaining the privacy of personal information. Throughout the performance of university operations, the university will safeguard the generation, collection, use, storage, disposal, and disclosure of personal information in accordance with best practices and as required by applicable laws and regulations. The responsibility for the protection of personal information is shared by all individuals who process such information on behalf of the university. 

Related Regulations

This policy helps promote compliance with the requirements of privacy laws and regulations, including but not limited to the Family Educational Rights and Privacy Act (FERPA), Gramm-Leach Bliley Act (GLBA), and the General Data Protection Regulation (GDPR).  

Who is Governed by this Policy

  • Staff
  • Faculty
  • Students
  • Contractors
  • Any persons or entities who generate, collect, use, store, or process personal information on behalf of the University


Information plays a critical role in the university’s educational, research, administrative, and public service activities. The university recognizes the importance of safeguarding personal information, in all formats, that is processed or shared within the university and with third parties on its behalf. 

This policy provides guidance to university faculty, staff, and students on the community’s responsibilities with respect to privacy and protection of personal information. 

Collection of Personal Information 

All university offices, contractors, and others that collect personal information on behalf of the university (each a “data collector”) are responsible for collecting only the minimum amount of such information necessary. Collecting no more information than is necessary minimizes the information that the university must secure and hold private. When collecting personal information from individuals, the following is required: 

a. Transparency: the data collector must inform the individual what information is being collected (both actively and passively). 

b. Lawful Basis: the data collector must establish a lawful basis for the collection of personal information. This may include obtaining consent, collection of information necessary to perform under a contract, a legal obligation, vital interest, public task, or a legitimate interest. 

c. Adherence with privacy notice: any information that is collected through a university webpage (, regardless of where it is hosted, must adhere to the website privacy notice. This also applies to contracted third parties that host marketing web pages on behalf of university academic programs.  

Use of Personal Information 

Any university office, contractor engaged to act on the behalf of the University, or other university-authorized persons or entities using or processing (each a “data processor”) personal information on behalf of the university is required to do the following: 

a. Notice: the data processor must make available a privacy notice detailing how personal information will be used and who to contact with any questions or concerns. 

b. Non-Public Information: the data processor using information collected on behalf of the university is prohibited from selling, sharing, or publicizing personal information. Personal information is to remain private and is considered “Non-Public Information,” as defined under the Data Classification and Protection Guide

Schools and divisions (“Data Custodians”) are responsible for reviewing and determining the types of Non-Public Information in their custody, by classifying it in accordance with the data classification principles, outlined in the Data Classification and Protection Guide.   

Data Custodians are required to report to the Privacy Office ([email protected]) if they have Regulated Information in their custody. 

Data Custodians are also responsible for implementing appropriate managerial, operational, physical, and role-based controls, in consultation with the Privacy Office and GW Information Technology, for access to, use of, transmission of, and disposal of Regulated Information, in compliance with the Data Classification and Protection Guide.

c. Disposal: the data processor shall securely dispose of all personal information, in any form, in accordance with the Records Management Policy and the Data Classification and Protection Guide or, for third-party data processors acting on behalf of the University, as otherwise may be mandated by the terms of the contract. 

In addition to the requirements set forth herein, third-party data collectors and data processors that provide services on behalf of the university, are also subject to the terms and conditions included in their respective service agreements. 

All members of the GW community, with access to GW systems and information, are responsible for reporting any suspected or actual unauthorized disclosures of personal information via email to the GW Privacy Office, or using the data incident reporting form.

If necessary, incident response procedures will be initiated which may ultimately include notifying appropriate parties. 


Personal Information: is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitutes personal information.  

Regulated Information: is information protected by local, national, or international statute or regulation mandating certain restrictions. If disclosed, altered, or destroyed, regulated information could cause a significant adverse effect to the university, its affiliates, or an individual. Refer to the Data Classification and Protection Guide for more information. 

Non-Public Information: is information that is classified as Regulated or Restricted in accordance with the data classification standard defined in the Data Classification and Protection Guide.  



Related Information


Contact Email Address
GW Privacy Office Email Us


Responsible University Official: Associate Vice President and Data Privacy Officer
Responsible Office: Privacy Office

Noncompliance with this policy can be reported through this website.