This document sets forth the Data Privacy Standards of the University of Texas at Austin (“University”) and provides information about the collection, maintenance and use of personal information or data provided to or otherwise collected or processed by the University.
The purpose of this policy is to establish a generally applicable University-wide data privacy standard and to provide interested persons with information about the University’s collection, maintenance and use of personal information or data regardless of the lawful bases under or legitimate purpose for which the information was obtained. Subject to state and federal law, the University intends for this policy to be compliant with the European Union’s (“EU”) General Data Protection Regulation (“GDPR”).
The Data Privacy Standard applies to all domains within the University Web and to any other University action or process concerning the collection, processing, analysis and other data processing of personal information regardless of the method by which such information came to be owned and/or controlled by the University.
The University, by and through its academic, research and administrative units and programs, owns, controls, operates and/or maintains websites under a number of domains (collectively, “University Web”). While this policy applies across campus, some University websites may have additional policies and practices regarding privacy that also must be observed. The University’s Data Protection Officer in consultation with the Chief Information Officer must approve any such “local” policies prior to the policy’s implementation.
The University’s Web may contain links to third party external websites over which the University has no control. The University disclaims any responsibility for the privacy practices or the content of external websites regardless of a link to such websites being displayed on the University Web.
For the purposes of the policy, “processing” means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including – organization, adaptation or alteration of the information or data, retrieval, consultation or use of the information or data, disclosure of the information or data by transmission, dissemination or otherwise making available, or alignment, combination, blocking, erasure or destruction of the information or data. A “data subject” is a phrase that refers to the person to whom the personal data relates.
4. Required Link
5. What is ‘personal information’ or ‘personal data’?
‘Personal information’ or ‘personal data’ means any information that relates to or identifies a person as an individual.
6. How Is Personal Information Collected and Processed by The University?
The University obtains personal information when a person fills out and submits an application to attend or work at the University along with any additional information the person submits to the University before or after they submit an application. Persons may also provide the University personal information when they apply for an EID from the University or seek financial aid or visit certain parts of the University Web or make use of University Health Services or similar student or employee services.
In addition to the application process or an individual requesting University services, the University may also acquire personal information when a person seeks to interact or do business with the University or to participate in research or other activities offered by the University. As discussed elsewhere in this policy, some University Web (as well as third party’s) webpages use “cookies” to collect information about the web user. University Web servers (“Web Server”) may also “collect” information about people by generating temporary logs that may contain the following information:
- Internet address (IP address) of computer being used
- Web pages requested
- Referring Web page
- Browser used
- Date and Time
- UIN (unique person identifier for EID-based services only)
The data collected on the University Web are used in aggregate by IT custodians to tune the University Web site for its efficiency and are not ordinarily associated with specific individuals. Raw data from the Web Server logs are only shared with the custodian of each University Web site. Summary reports produced from the logs help University Web publishers determine what University Web browsers and pages are most popular. For example, if the aggregate reports show that a particular University Web page is very popular or is used more by freshmen than by seniors, publishers might use this information to customize the content of that page and make it easier to find.
Individual data gathered through a specific process, such as the submission of an application to attend the University, related submissions, and subsequent interaction with admissions staff, will only be used for its intended purpose, such as the consideration of an applicant for admission or an employment decision, or for certain archiving, research, or statistical purposes described below. Personal information may also come from third parties that are authorized to provide personal information to the University.
The University may use personal data it collects for a specific purpose and further process that personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (“research purposes”). Processing for research purposes will be subject to appropriate safeguards, including the use of data minimization and pseudonyms when possible. The University will anonymize the personal data it uses for research purposes whenever the University can fulfill the purpose without the need of identification of the personal data subject. The University is not required to provide notice to data subjects when it further processes personal data for research purposes.
Further processing of personal data for research purposes is only permitted when the purpose of the processing is to support the University. Further processing of personal data by researchers for their own research purposes is not permitted unless the researcher follows the University’s processes for human subject research, if applicable, and the researcher provides any required notice to the data subjects.
Cookies are small pieces of data stored by the University Web browser. Cookies are often used to remember information about preferences and pages a person has visited. For example, when a person visits some sites on the University Web they might see a “Welcome Back” message. The first time the person visited the site, a cookie was probably set on their computer; when they return, the cookie is read again. A person can configure their web browser to refuse to accept cookies, to disable cookies, and to remove cookies from their hard drive as needed.
8. Third-party content on UT Websites
Some pages within the utexas.edu domain may contain content that is served from external third parties. For example, a utexas.edu web site might include a graphic logo or a script from a third party. Specifically, the following code within a utexas.edu page would represent an example of third party content:
<img src="/%3Ca%20href%3D"http://www.other-org.com/logo.gif">http://www.other-org.com/logo.gif" alt="Sample" />
In this example, logo.gif would be third party content served from a web server outside the utexas.edu domain (www.other-org.com in this case). Third party content in utexas.edu is not limited to graphics, but this is the most frequent use.
The University does not transmit any information to these third parties as part of such requests. However, when a person visits utexas.edu pages that contain third party content, information, such as their IP address, date, browser, and requested page, is transmitted from your computer to that third party.
9. Grounds for Processing Personal Data and How It is Used by the University
The University processes personal data for a number of reasons, including to meet its contractual obligations, the legitimate conduct of its business operations, and to comply with applicable law. Sometimes, consent will be the basis for processing personal data. In these cases, the University will ask the data subject for consent to process their personal data and to share that data with third parties. The processing of personal data provided to the University by a data subject or from authorized third parties, like their high school or a national testing service, enables the University to identify the data subject; engage in processing an application or other submission to the University; or verify information already provided to the University.
The University may also use or disclose personal data for the following statutory or public interest purposes: to prevent or detect fraud; to monitor equal opportunity; to better serve the needs of students with disabilities with reasonable accommodations; or for research and statistical purposes, the later purpose relying only on aggregate data.
Furthermore, the University processes personal data either necessary for the University to take steps with a view to creating a contractual relationship with a person (e.g. to assess an offer of services to the University) or for the purposes of a legitimate interest of the University pursued by the University (e.g. equal opportunity monitoring). The University requires persons to provide the University with certain information during the application process in order to assess their application properly except where providing personal information is marked as optional. Neither admissions nor employment decisions are automated.
10. Google Analytics
11. Security and Accuracy of Confidential Information
The University does its best to ensure that the personal information it has is accurate. Users with a UT EID can check and update personal information such as their address and email address at UT Direct.
Although no computer system is 100% secure, the University has deployed extensive security measures to protect against the loss, misuse, or alteration of the information under our control. These security measures and our systems are audited by certified independent security specialists. See Information Resources Use and Security Policy https://security.utexas.edu/policies/irusp#standard12
12. Plan to Respond to Data Breaches
The University has policies and procedures in place in case of a data breach or some other incident that places information held by the University in jeopardy. Any individual who believes a data breach has occurred must immediately notify the Chief Information Security Officer, who will investigate the alleged breach and, if necessary, consult with the University’s Data Breach Response Planning Group and the affected department to remediate the breach, including providing any required notices.
Please see the two policies below for the University’s full data breach policies (UT EID Required).
ISO Incident Management Procedures
Personally Identifiable Data Breach Notification Plan
In certain circumstances, the University may be required to provide notice to affected individuals or certain governing authorities if a data breach results in disclosure of personal data.
Several sites within the University Web enable users to pay for products or services online with a credit card. Unless otherwise noted, these transactions are encrypted. It is University policy to only use confidential information that a user enters during a transaction for the purposes described in that transaction, unless an additional use is specifically stated on that site.
14. Open Records Requests and Other Sharing of Information
Except for educational records governed by the Family Educational Rights and Privacy Act (“FERPA”) or information made confidential by other law, all information provided to and collected from the University Web, including the summary server log information, emails sent to the University Web, and information collected from University Web-based forms, along with any other form or type of document or other instrument containing personal information, may be subject to the Texas Public Information Act. Such information may also, in the legal context, be subject to discovery requests or other legal demand that personal data or information be released and made public. The same is true for any personal information obtained by the University through other means such as written submission or communications with previous schools or employers.
The University does, upon explicit request of users, share information with other parties and gather information from other private data providers. For example, the University receives test scores from testing agencies and will send transcripts to other schools. This is done only at the request of users.
As well as circulating application and related materials to the appropriate staff at the University and its various departments and colleges, the University will share personal information for the above purposes as relevant and necessary with:
- School/college or training organizations;
- Examination boards or testing services;
- In the case of international applicants, the appropriate state and federal agencies;
- Immigration authorities in order to act as a person’s sponsor for visa purposes;
- Governmental bodies, including local authorities; the Teachers’ Retirement System; UT Workers Compensation; and other agencies or private actors, such as health care providers, that circumstances require be privy to certain personal information
- Other Higher Education organizations, in order to assist with tracking and research into access to Higher Education; and
- Companies or organizations providing specific services to, or on behalf of, the University and/or one or more of its component colleges, schools, department or programs.
Unless specifically required under public information requests filed under the Texas Public Information Act or otherwise compelled by lawful means, or as a party to a legal action, it is against University policy to release confidential information gathered through the University Web, such as pages visited, or personalized preferences. For example, the University’s portal, UT Direct, enables users to customize the content they see on their personal page. This information cannot be shared with external third parties, unless required by law.
Consistent with FERPA and other applicable privacy law, the University does not release personal student information, other than public directory information, to other parties unless the University receives explicit written consent, is required to do so by law, or for other legitimate ends of the University. University students can read more about directory information in the University’s General Information Catalog. Examples of directory information include first and last name, address, and date of birth. Enrolled students can restrict release of their directory information by contacting the Office of the Registrar.
15. Public Forums
The University makes some public chat rooms, forums, message boards, and news groups available to its users. The University does not ordinarily log public chat sessions; however, any information that users disclose in these areas becomes public information, so users should exercise caution when deciding to disclose confidential information in such places.
Academic chat sessions and discussion forums, such as those in Canvas, may be logged. However, FERPA generally prohibits disclosure of these educational records.
16. Online Surveys
The University is a research institution. At any time, the University is conducting numerous online surveys on the University Web. It is University policy only to use personal information gathered in these online surveys for the research purposes indicated in the survey. Unless otherwise noted on the specified survey, answers are confidential and individual responses will not be shared with other parties unless required by the Texas Public Information Act or as otherwise compelled by law. Aggregate data from surveys may be shared with external third parties.
17. Who will process my personal information?
The University will internally share the personal information it receives from applications and other information submitted to the University in accordance with the University’s policy and practice. Various university staff and faculty may be involved in processing personal data for the purposes for which the University obtained the data. In some instances, a third-party vendor employed by the University to assist in data processing might process personal data. Data subjects have the right to be notified of such third party processing of their personal information.
18. What personal information will be processed?
For students, the University will use the details provided on their application, together with any supporting documents or other forms of information that an applicant may provide with their application. For the purposes of this policy the “application” includes the online application, application fee, an essay, three short answer prompts, your high school transcripts, any college transcripts, test scores, major-specific items, resume, letters of recommendation (not required) and, if applicable, permanent residence card, student information form, course work form and residency affidavit. Different application forms may apply depending on citizen/residency status.
In addition to the application form, the University will use the details in a transcript from every senior college the applicant has attended. Where the applicant seeks entry into the graduate Accounting and Nursing programs, University will make use of information from an applicants’ transcripts from all junior and/or community colleges attended as well as past test scores. The individual graduate programs have additional requirements that may require the University to use additional materials. The same applies to any letters of recommendation that are received. The University may also rely on personal information that arises from student conduct investigations or hearings.
For faculty and staff, the University will process personal information received in an application for employment or through an interview as well as other means, formal and informal, and maintain records of employees. For example, a faculty member may wish to participate in certain health care/insurance programs offered by third party vendors, who have a contract with the University to provide such things. Enrollment in these programs may require sensitive date to be shared with the relevant third party, such as an insurance carrier. The University will also make use of testing or evaluations to assess various aspects of faculty and staff performance. Such information could arise as part of a grievance or disciplinary process.
19. What rights do I have related to my personal information?
Data subjects have the right to access the personal information that the University holds about them. Data subjects also have the right to ask the University to correct any inaccurate personal information the University holds about them. In some cases, data subjects may request that the University delete personal information, request that the University restrict processing their personal information, or object to the University processing their personal information.
There are several laws, including FERPA and the Health Insurance Portability and Accountability Act (“HIPAA”) that give data subjects certain rights so far as it pertains to their personal information.
FERPA provides the right to correct one’s personal data and have access to personal information kept about them. https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Also, as a general rule but subject to certain exceptions, schools must have written permission from the parent or adult student in order to release any part of the student’s education records.
HIPAA provides certain personal data rights to patients who receive healthcare services at covered entities. The University is a hybrid entity, which means that certain departments at the University, including, but not limited to, University Health Services (“UHS”) and Dell Medical School, are subject to HIPAA. Each University department that is subject to HIPAA will provide a Notice of Privacy Practices to patients detailing their rights under HIPAA, including their personal data rights. For example, a data subject may find the Notice of Privacy Practices provided by UHS at the following link: https://healthyhorns.utexas.edu/images/pdf/privacypractices.pdf.
Texas Public Information Act
The Texas Public Information Act, with a few exceptions, gives a person the right to be informed about the information that the University collects about them. It also gives a person the right to request a copy of that information, and to have the University correct any of that information that is wrong. Requests to receive and review any of that information, or request corrections to it, may be made by contacting the University’s Public Information Officer, Office of Financial Affairs, PO Box 8179, Austin, Texas, 78713 (email: email@example.com).
The GDPR is the EU General Data Protection Regulation that went into effect May 25, 2018. The GDPR’s intent is to regulate the gathering, use and maintenance of personally identifiable information about a natural person and providing certain rights to the data subject, such as the right to erasure and the right to object to the use of personal data. This law applies to any person, citizen or not, who at the time of the data collection is located in the European Union. It does not require an entity, like the University, to be located or acting within the EU for jurisdiction to attach; however, a non-EU entity like the University must process personal data related to the offering of goods or services in the EU or to the monitoring of a person’s behavior in the EU for jurisdiction to attach.
You have the right to request access to, a copy of, rectification, restriction in the use of, or erasure of your information in accordance with all applicable laws. The erasure of your information will be subject to the retention periods of applicable federal and state law and the University’s Record Retention Schedule. If you have provided consent to the use of your information, you have the right to withdraw consent without affecting the lawfulness of the University’s use of the information prior to receipt of your request. A Data Subject may exercise their rights by contacting the University’s Data Protection Officer.
If you feel the University has not complied with applicable foreign laws regulating such information, you have the right to file a complaint with the appropriate supervisory authority in the European Union.
The State of Texas and the United States also have laws that address privacy generally and the use of certain types of records, such as educational and health records (described above), that contain personally identifiable information. Texas has laws that govern records retention and finally, under US/Texas law, the University may have good reason to keep the information despite a conflict with the GDPR.
As a general rule, in cases where Texas or Federal law conflict with the laws of other countries in regard to the processing, use or maintenance of a data subject’s personal information, including provisions of the GDPR, the University will treat Texas and Federal law as controlling.
University employees who receive a request by a Data Subject to have their data forgotten or who have other questions regarding the rights of Data Subjects provided by the GDPR should contact the University’s Data Protection Officer.
20. How long is my information kept?
The University is an agency of the state of Texas and must follow a records retention schedule, which may be found at: https://financials.utexas.edu/hbp/part-20/2-1-records-management-services-documents. Generally, the University will keep records of applicants for admission or employment for the following periods of time:
- Applicants for admission who do not matriculate into the University: one year after the semester during which an individual applies for admission to the University;
- Applicants for admission who matriculate into the University: five years after graduation or the last day of attendance;
- Applicants for employment who are not hired: two years from the end of the fiscal year during which the individual applies for employment; and
- Applicants for employment who are hired: five years after the end of employment.
Some departments may be subject to other laws that require the department to keep certain personal information for a prescribed period.
Please see the records retention schedule for more information. The University may update the records retention schedule from time to time.
21. Who can I contact for assistance or to complain?
Students with questions about how their personal information is used, or who wish to exercise any of their rights, may consult this policy and contact the Dean of Students, an ombudsperson https://ombuds.utexas.edu/, or the office that oversees their primary area of study (major). They may also contact the Registrar’s office. https://registrar.utexas.edu/
Faculty may seek assistance from the chair of their department, the Dean of their college or equivalent position, a representative on the Faculty Council or the Provosts’ office or an ombudsperson https://ombuds.utexas.edu/.
An employee, should contact their immediate supervisor first, and then if necessary proceed up the chain of command. Employees are also free to contact the Ombuds office https://ombuds.utexas.edu/.
For further assistance, please contact University Compliance Services at Compliance@austin.utexas.edu or call 512-232-7055, the University’s Data Protection Officer, Chris Hutto, firstname.lastname@example.org, or the appropriate college, office or department.
22. Are changes made to this webpage?
This webpage was last updated in June 2018. It is reviewed when necessary and at least annually. The University will publish changes here and may provide notification to users via this webpage and/or by email.