The university is committed to maintaining the privacy of personal information. Throughout the performance of university operations, the university will safeguard the generation, collection, use, storage, disposal, and disclosure of personal information in accordance with best practices and as required by applicable laws and regulations. The responsibility for the protection of personal information is shared by all individuals who process such information on behalf of the university.
This policy helps promote compliance with the requirements of privacy laws and regulations, including but not limited to the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), and the General Data Protection Regulation (GDPR).
Who is Governed by this Policy
- Any persons or entities who generate, collect, use, store, or process personal information on behalf of the University
Information plays a critical role in the university’s educational, research, administrative, and public service activities. The university recognizes the importance of safeguarding personal information, in all formats, that is processed or shared within the university and with third parties on its behalf.
This policy provides guidance to university faculty, staff, and students on the community’s responsibilities with respect to privacy and protection of personal information.
Collection of Personal Information
All university offices, contractors, and others that collect personal information on behalf of the university (each a “data collector”) are responsible for collecting only the minimum amount of such information necessary. Collecting no more information than is necessary minimizes the information that the university must secure and hold private. When collecting personal information from individuals, the following is required:
a. Transparency: the data collector must inform the individual what information is being collected (both actively and passively).
b. Lawful Basis: the data collector must establish a lawful basis for the collection of personal information. This may include obtaining consent, collection of information necessary to perform under a contract, a legal obligation, vital interest, public task, or a legitimate interest.
c. Adherence to privacy notice: any information that is collected through a university webpage (gwu.edu), regardless of where it is hosted, must adhere to the website privacy notice. This also applies to contracted third parties that host marketing web pages on behalf of university academic programs.
Use of Personal Information
Any university office, contractor engaged to act on behalf of the University, or other university-authorized person or entity using or processing personal information on behalf of the university (each a “data processor”) is required to do the following:
a. Notice: the data processor must make available a privacy notice detailing how personal information will be used and who to contact with any questions or concerns.
b. Non-Public Information: the data processor using information collected on behalf of the university is prohibited from selling, sharing, or publicizing personal information. Personal information is to remain private and is considered “Non-Public Information,” as defined under the Data Management and Protection Standard.
Schools and divisions (“Data Custodians”) are responsible for reviewing and determining the types of Non-Public Information in their custody, by classifying it in accordance with the data classification principles, outlined in the Data Management and Protection standard.
Data Custodians are also responsible for implementing appropriate managerial, operational, physical, and role-based controls, in consultation with the Privacy Office and GW Information Technology, for access to, use of, transmission of, and disposal of Regulated Information, in compliance with the Data Management and Protection Standard.
c. Disposal: the data processor shall securely dispose of all personal information, in any form, in accordance with the Records Management Policy and the Data Management and Protection Standard or, for third party data processors acting on behalf of the University, as otherwise may be mandated by the terms of the contract.
In addition to the requirements set forth herein, third-party data collectors and data processors that provide services on behalf of the university are also subject to the terms and conditions included in their respective service agreements.
All members of the GW community with access to GW systems and information are responsible for reporting any suspected or actual unauthorized disclosure of personal information via email to the GW Privacy Office, or by using the data incident reporting form.
If necessary, incident response procedures will be initiated, which may ultimately include notifying appropriate parties.
Personal Information: any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal information.
Regulated Information: information protected by local, national, or international statute or regulation mandating certain restrictions. If disclosed, altered, or destroyed, regulated information could cause a significant adverse effect to the university, its affiliates, or an individual. Refer to the Data Management and Protection Standard for more information.
Non-Public Information: information that is classified as Regulated or Restricted in accordance with the data classification standard defined in the Data Management and Protection Standard.
GW Privacy Office
Responsible University Official: Associate Vice President and Data Privacy Officer
Responsible Office: Privacy Office
Non-compliance with this policy can be reported through this website.