Privacy of Personal Information Policy
Policy Summary
The George Washington University ("GW" or "university") is committed to maintaining the privacy of personal information processed during the course of its operations. Its collection and use of personal information is based on compliance with applicable privacy laws and regulations and follows best practices concerning data privacy and protection. This policy also establishes the individual responsibilities of GW Community Members to safeguard and respect privacy when collecting, using, and processing personal information in the operation of the university, and on behalf of the university.
Related Regulations
The Family Educational Rights and Privacy Act (FERPA), Gramm-Leach Bliley Act (GLBA), the General Data Protection Regulation (GDPR), and other applicable privacy laws and regulations.
Who is Governed by this Policy
- This policy applies to all university faculty and staff and other individuals and entities including, but not limited to contractors, temporary employees, sponsored researchers, affiliates, and visitors (“GW Community Members”).
Policy
Personal Information plays a critical role in the university's educational, research, administrative, and public service activities. The university recognizes the importance of maintaining the privacy of the personal information it collects, has access to, uses, and processes.
In its collection, use, and processing of personal information, the university commits to the following privacy principles to promote a culture that values privacy, to create a foundation from which the university can operationalize privacy at GW, and to comply with obligations that may be imposed by law, regulation, or agreement:
Lawfulness
Collect, use, and process personal information only when (i.) there is a customary and reasonable interest that serves legitimate business purposes (for example, processing employee personal information to manage payroll, or processing student personal information to provide education services), (ii.) the individual’s consent is obtained (iii.) it is in response to an individual’s request with regard to their own information, (iv.) it is an obligation under an established contract, or (v.) there is a legal obligation.
Transparency
Be transparent by providing clear and candid notice that describes in clear terms what personal information is collected, how that information will be used, and how the individual can exercise their privacy rights. The university’s Statement of Privacy Practices describes how personal information is collected, both directly and indirectly, and used on behalf of, and for university operations.
Choice and Control
When required by applicable laws and regulations, provide individuals with choice and control as to how their information will be used and disclosed. The university has established procedures to receive and address individuals’ requests to exercise their privacy rights, under applicable privacy laws.
Minimum Necessary
Limit the collection, use, and processing of personal information to the minimum that is necessary and relevant to accomplish the specified purpose.
Responsible Use
Use personal information only for the specific purpose for which it was collected, unless subsequent explicit consent of the individual is obtained for another use, or the use is required by law.
Accuracy
The university will take reasonable measures to update, timely correct, or erase inaccurate personal information processed on behalf of the university.
Retention
Retain personal information for only as long it is needed (as outlined in GW’s Records Retention Schedule), or as required by law or agreement, and securely delete it when no longer needed.
Confidentiality and Security
Maintain the confidentiality and security of the personal information held, used, and processed in the course of operations, including taking reasonable steps to protect against unauthorized or unlawful access, accidental loss, and destruction of personal information.
It is an expectation that GW Community Members involved in the collection, use, and processing of personal information for or on behalf of the university to assist in meeting its commitment to these privacy principles.
In addition to the privacy principles outlined above, GW Community Members who collect, have access to, use, and otherwise process personal information, are expected to:
- Comply with the university’s Privacy Policies addressing the privacy and protection of personal information.
- Understand the specific responsibilities and obligations imposed by applicable data privacy laws, regulations, or agreements, with respect to their collection, use, and/or processing of personal information within their activities, and be able to demonstrate compliance as needed.
- Complete privacy trainings assigned or recommended by the GW Privacy Office, participate in promoted privacy trainings, and seek guidance and advice from the GW Privacy Office, as needed.
- Implement appropriate managerial, operational, physical, and role-based controls to maintain the security and confidentiality of personal information, and comply with the university’s Data Classification and Protection Guide, Cybersecurity Risk Policy, and Acceptable Use of IT Resources Policy.
- Understand and follow the university’s requirements and processes for sharing data internally to the university, and externally, with third parties.
Not sell or otherwise publicize personal information processed on behalf of the university.
Cooperate with the GW Privacy Office to timely and adequately address individuals’ requests to exercise their privacy rights in compliance with privacy law and regulatory requirements.
Promptly report any suspected or actual data incident to the GW Privacy Office and to GW Information Security via the Data Incident Report Form and/or via email to incident
gwu [dot] edu (incident[at]gwu[dot]edu). Supervisors: Promote and communicate the principles of this policy with their units, and administer appropriate steps and training to help ensure compliance.
Social Security Numbers
GW Community Members must be attentive to the collection and use of Social Security Numbers (SSNs). SSNs may only be collected, retained, and used, in whole or in part, as permitted or required by law or deemed essential for university purposes. Examples of permitted use include tax reporting, financial aid, human resource purposes, and law enforcement. Refer to the Appropriate Use of Social Security Numbers at GW for a list of appropriate uses of SSNs by the university. Any collection or use of SSNs for a purpose not outlined in the guidance must be submitted for review to the GW Privacy Office.
Definitions
- Data Incident: Loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or similar term referring to situations where persons other than authorized individuals, and for other than an authorized purpose gain access to university data where the privacy, confidentiality, integrity, and/or availability of personal information of individuals may be affected.
- Data Processing: All operations performed on personal information, including collection, access, recording, organization, storage adaption or alteration, retrieval, use, disclosure by transmission, and erasure, or destruction of personal data.
- Personal Information (Personally Identifiable Information or Personal Data): As defined under applicable privacy laws is any information that relates to an identified or identifiable individual. This includes any information that can be used to identify a person and it can range from basic and standard information, such as an individual’s name, address, and date of birth, to more sensitive types of information. Sensitive Personal Information includes racial, or ethnic origin, political opinions, religious or philosophical beliefs, union membership, financial information, genetic data, biometric data (where used for identification purposes), data concerning health, data concerning a person’s sex life, data concerning a person’s sexual orientation.
Different pieces of information, which, when collected together, can lead to the identification of a particular person, also constitute personal information.
Forms
- Data Subject Access Request Form
- Data Incident Reporting Form
- Submission of Privacy Questions or Concerns
Related Information
- Acceptable Use of IT Resources Policy
- Cybersecurity Risk Policy
- Appropriate Use of Social Security Numbers at GW
- Health Information Privacy Policy
- Privacy of Student Records (FERPA) Policy
- Records Management Policy
Contacts
| Contact | Email Address |
|---|---|
| GW Privacy Office | privacygwu [dot] edu (Email Us) |
Responsible University Official: Associate Vice President and Data Privacy Officer
Responsible Office: GW Privacy Office
Origination Date: September 1, 2004
Last Material Change: July 17, 2024
Next Scheduled Review: August 2025
To provide feedback on this policy, please contact the Responsible Office(s) listed above or the Office of Ethics, Compliance, and Risk. More information describing university policies is outlined in the University Policy Principles.
Noncompliance with this policy can be reported through this website.