Personal Information and Privacy Policy

 

Policy Summary

The university is committed to maintaining the privacy of personal information. Throughout the performance of university operations, the university will safeguard the generation, collection, use, storage, disposal, and disclosure of personal information in accordance with best practices and as required by applicable laws and regulations. The responsibility for the protection of personal information is shared by all individuals who process such information on behalf of the university. 

Related Regulations

This policy helps promote compliance with the requirements of privacy laws and regulations, including but not limited to the Family Educational Rights and Privacy Act (FERPA), Gramm-Leach Bliley Act (GLBA), and the General Data Protection Regulation (GDPR).  

Who is Governed by this Policy

  • Staff
  • Faculty
  • Students
  • Contractors
  • Any persons or entities who generate, collect, use, store, or process personal information on behalf of the University

Policy

Information plays a critical role in the university’s educational, research, administrative, and public service activities. The university recognizes the importance of safeguarding personal information, in all formats, that is processed or shared within the university and with third parties on its behalf. 

This policy provides guidance to university faculty, staff, and students on the community’s responsibilities with respect to privacy and protection of personal information. 

Collection of Personal Information 

All university offices, contractors, and others that collect personal information on behalf of the university (each a “data collector”) are responsible for collecting only the minimum amount of such information necessary. Collecting no more information than is necessary minimizes the information that the university must secure and hold private. When collecting personal information from individuals, the following is required: 

a. Transparency: the data collector must inform the individual what information is being collected (both actively and passively). 

b. Lawful Basis: the data collector must establish a lawful basis for the collection of personal information. This may include obtaining consent, collection of information necessary to perform under a contract, a legal obligation, vital interest, public task, or a legitimate interest. 

c. Adherence with privacy notice: any information that is collected through a university webpage (gwu.edu), regardless of where it is hosted, must adhere to the website privacy notice. This also applies to contracted third parties that host marketing web pages on behalf of university academic programs.  

Use of Personal Information 

Any university office, contractor engaged to act on the behalf of the University, or other university-authorized persons or entities using or processing (each a “data processor”) personal information on behalf of the university is required to do the following: 

a. Notice: the data processor must make available a privacy notice detailing how personal information will be used and who to contact with any questions or concerns. 

b. Non-Public Information: the data processor using information collected on behalf of the university is prohibited from selling, sharing, or publicizing personal information. Personal information is to remain private and is considered “Non-Public Information,” as defined under the Data Management and Protection Standard

Schools and divisions (“Data Custodians”) are responsible for reviewing and determining the types of Non-Public Information in their custody, by classifying it in accordance with the data classification principles, outlined in the Data Management and Protection standard.   

Data Custodians are required to report to the Privacy Office ([email protected]) if they have Regulated Information in their custody. 

Data Custodians are also responsible for implementing appropriate managerial, operational, physical, and role-based controls, in consultation with the Privacy Office and GW Information Technology, for access to, use of, transmission of, and disposal of Regulated Information, in compliance with the Data Management and Protection Standard.

c. Disposal: the data processor shall securely dispose of all personal information, in any form, in accordance with the Records Management Policy and the Data Management and Protection Standard or, for third party data processors acting on behalf of the University, as otherwise may be mandated by the terms of the contract. 

In addition to the requirements set forth herein, third party data collectors and data processors that provide services on behalf of the university, are also subject to the terms and conditions included in their respective service agreements. 

Reports of suspected or actual unauthorized disclosures involving personal information should be emailed to [email protected]

If necessary, incident response procedures will be initiated which may ultimately include notifying appropriate parties. 

Definitions

Personal Information: is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal information.  

Regulated Information: is information protected by local, national, or international statute or regulation mandating certain restrictions. If disclosed, altered or destroyed, regulated information could cause a significant adverse effect to the university, its affiliates, or an individual. Refer to Data Management and Protection Standard for more information. 

Non-Public Information: is information that is classified as Regulated or Restricted in accordance with the data classification standard defined in the Data Management and Protection Standard.  

Procedures

Data Management and Protection Standard  

Forms

Data Subject Request Form

Related Information

Health Information Privacy Policy  

Privacy of Student Records (FERPA) 

Records Management Policy 

Social Media Policy 

Acceptable Use Policy for Computing Systems and Services  

Information Security Policy 

GW Email policy 

GW Web Content Policy 

Contacts

Contact Email Address
GW Privacy Office [email protected]

Responsible University Official: Associate Vice President and Data Privacy Officer
Responsible Office: Privacy Office

Last Reviewed: March 3, 2020

 

Non-compliance with this policy can be reported through this website.