General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR), took effect May 25, 2018, and affects organizations worldwide. Your privacy is important to Troy University. We endeavor to be transparent about how we collect, use and share information about you. We are bound by numerous U.S. statutes, best practices, and observe applicable principles of the GDPR.
To the extent that Troy University divisions collect, use or retain personal data from persons in the EU (e.g., prospective students, students, scholars, research subjects, others), the requirements of this regulation may affect you, even if those individuals are not EU citizens.
Recruiting, hiring, online courses, marketing and research involving persons in the EU, in particular, may trigger the GDPR’s requirements. This would include data that is stored or processed on equipment or servers that are housed in the EU. It would also apply if you or anyone in your area travels to the EU.
The GDPR defines personal data very broadly such that the term includes names, addresses, phone numbers, national IDs, IP addresses, profile pictures, personal health care data, educational data and any other data that can be used to identify an individual.
The key principles of GDPR require that data controllers processing personal data must follow - and be able to demonstrate that they are following - the data protection principles.
Under the GDPR, there are six principles. Personal data must be processed following these principles so that the data are:
- Processed fairly, lawfully and transparently - and only if there is a valid 'legal basis' for doing so
- Processed only for specified, explicit and legitimate purposes
- Adequate, relevant and limited
- Accurate (and rectified if inaccurate)
- Not kept for longer than necessary
- Processed securely - to preserve the confidentiality, integrity and availability of the personal data
An important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used. The supply of this information - through documents variously known as 'privacy notices', 'data protection statements', 'data collection notices', 'privacy policies' and numerous other interchangeable terms - takes places in numerous targeted ways depending on the context of the interaction with the individual.
Under the GDPR, data subjects are given various rights:
- The right to be informed of how their personal data are being used - this right is usually fulfilled by the provision of 'privacy notices' as described above
- The right of access to their personal data - accessing personal data in this way is usually known as making a subject access request via firstname.lastname@example.org.
- The right to have their inaccurate personal data rectified
- The right to have their personal data erased where appropriate - known as the right to be forgotten
- The right to restrict the processing of their personal data pending its verification or correction
- The right to receive copies of their personal data in a machine-readable and commonly-used format - known as the right to data portability
- The right to object: to processing (including profiling) of their personal data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest
- The right not to be subject to a decision based solely on automated decision-making using their personal data
A response to a rights request needs to be sent within one month. However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions (for example, nearly all the rights do not apply if the personal data are being processed solely in an academic research context). These rights build upon and strengthen rights previously given to data subjects under the DPA 1998.
Data protection legislation imposes certain accountability obligations on all data controllers. Under the GDPR, the main obligations for large data controllers include:
- Implementing policies, procedures, processes and training to promote data protection by design and by default
- Where necessary, carrying out systematic Data Protection Impact Assessments (DPIAs) on 'high risk' processing activities
- Having appropriate contracts in place when sharing personal data - especially when outsourcing functions that involve the processing of personal data and/or transferring the personal data outside the EEA
- Maintaining records of the data processing that is carried out across the organization
- Documenting and reporting personal data breaches both to the ICO and the affected data subjects
- Where necessary, appointing an independent Data Protection Officer to advise on and monitor compliance
One of the most important accountability obligations concerns personal data breaches - that is, personal data held by Troy University is lost, stolen, inadvertently disclosed to an external party, or accidentally published. If a personal data breach occurs, this should be reported immediately to appropriate staff within your Troy University division (e.g. senior administrative or IT staff), who should then inform:
- The Information Compliance Office (email@example.com) and/or
- If the breach is IT-related in any way, https://helpdesk.troy.edu
Remedial work can then be done so that the breach can be contained. On occasion, we need to report breaches to relevant external authorities, including the ICO, within a short timeframe.
Since 2016, Troy University has worked to develop a GDPR compliance effort. Representatives from across Troy University have participated in training, meetings and work sessions to define priorities and develop compliance efforts. Currently the group is working to:
- Develop a risk-based GDPR compliance strategy;
- Working to develop plans to comply with applicable principles of GDPR;
- Produce a GDPR information center and response mechanism for inquiries;
- Begin implementation of key, applicable GDPR principles;
- Make recommendations for ongoing GDPR efforts;
- Develop GDPR compliance resources for use by the TROY community, including privacy notices, consent documents, contract guidance and data mapping guidance.
Check back for updates to topics and presentation information.
For more information on GDRP, please visit the links below:
- Homepage of the EU GDPR
- EU Data Protection (European Commission)
- The General Data Protection Regulation Explained (Educause)
- EU’s General Data Protection Regulation Resources (GDPR) (AACRAO)
- ICO Guide to the General Data Protection Regulation
Troy University GDPR Policy
EU General Data Protection Regulation Compliance Policy
The European Union has passed a data privacy regulation that is applicable throughout the entire European Union (“EU”), and to those who collect personal data about people in the EU. The European Union General Data Protection Regulation (“EU GDPR”) imposes obligations on entities, like Troy University, that collect or process personal data about people in the EU. The EU GDPR applies to personal data collected or processed about anyone located in the EU, regardless of whether they are a citizen or permanent resident of an EU country.
Troy University (“TROY” or the “Institution”) is an institute of higher education involved in education and community development. In order for Troy University to educate its foreign and domestic students both in class and on-line and provide community services, it is essential and necessary, and Troy University has a lawful basis, to collect, process, use, and/or maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. These activities include, without limitation, admission, registration, delivery of classroom, on-line, and study abroad education, grades, communications, employment, applied research, development, program analysis for improvements, and records retention.
Troy University takes seriously its duty to protect the personal data it collects or processes. In addition to Troy University’s overall data protection program, Troy University endeavors to comply with the applicable dictates of the EU GDPR. Among other things, the EU GDPR requires Troy University to:
- be transparent about the personal data it collects or processes and the uses it makes of any personal data
- keep track of all uses and disclosures it makes of personal data
- appropriately secure personal data
This policy describes Troy University’s data protection strategy to comply with the EU GDPR.
2.1 Lawful Basis for Collecting or Processing Personal Data
Troy University has a lawful basis to collect and process personal data. Most of Troy University’s collection and processing of personal data will fall under the following categories:
- Processing is necessary for the purposes of the legitimate interests pursued by Troy University or by a third party.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which Troy University is subject.
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases
2.2 Data Protection & Governance
Troy University will protect all personal data and sensitive personal data that it collects or processes for a lawful basis. Any personal data and sensitive personal data collected or processed by Troy University shall be:
- Processed lawfully, fairly, and in a transparent manner
- Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes
- Limited to what is necessary in relation to the purposes for which they are collected and processed
- Accurate and kept up to date
- Retained only as long as necessary
2.3 Sensitive Personal Data & Consent
Troy University must obtain consent before it collects or processes sensitive personal data.
2.4 Individual Rights
Individual data subjects covered by this policy will be afforded the following rights:
- information about the controller collecting the data
- the data protection officer contact information (if assigned)
- the purposes and lawful basis of the data collection/processing
- recipients of the personal data
- if Troy University intends to transfer personal data to another country or international organization
- the period the personal data will be stored
- the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability
- the existence of the right to withdraw consent at any time
- the right to lodge a complaint with a supervisory authority (established in the EU)
- why the personal data are required, and possible consequences of the failure to provide the data
- the existence of automated decision-making, including profiling
- if the collected data are going to be further processed for a purpose other than that for which it was collected
Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.
This policy applies to the personal data and sensitive personal data protected by the EU GDPR and all Troy University Units who collect or process personal data and sensitive personal data protected by the EU GDPR.
Collect or Process Data
Collection, storage, recording, organizing, structuring, adaptation or alteration, consultation, use, retrieval, disclosure by transmission/dissemination or otherwise making data available, alignment or combination, restriction, erasure or destruction of personal data, whether or not by automated means.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear Page 4 of 9 affirmative action, signifies agreement to the processing of personal data relating to him or her.
Under the EU GDPR:
- Consent must be a demonstrable, clear affirmative action.
- Consent can be withdrawn by the data subject at any time and must be as easy to withdraw consent as it is to give consent.
- Consent cannot be silence, a pre-ticked box or inaction.
- Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
- Request for consent must be presented clearly and in plain language.
- Maintain a record regarding how and when consent was given.
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Troy University Unit
A Troy University college, school, office or department.
Identified or Identifiable Person
An identified or identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person.
Examples of identifiers include but are not limited to: name, photo, email address, identification number such as Student ID#, Account (User ID), physical address or other location data, IP address or other online identifier
Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject; Page 5 of 9
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Processing of personal data is lawful if such processing is necessary for the legitimate business purposes of the data controller/processor, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Any information relating to an identified or identifiable person (the data subject).
A natural or legal person, public authority, agency or other body who processes personal data on behalf of the controller.
Sensitive Personal Data
Special categories of personal data that require consent by the data subject before collecting or processing are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic, biometric data for the purposes of uniquely identifying a natural person
- Health data
- Data concerning a person’s sex life or sexual orientation
5.1 Data Governance
Document Lawful Basis for Collection or Processing
All Troy University Units who collect or process personal data protected by the EU GDPR must document the lawful basis for the collection or processing of personal data and sensitive personal data they collect or process, why they collect it, and how long they keep it using the online Troy University EU GDPR Lawful Basis Form not a link (Pending Review).
All data at Troy University shall be kept in compliance with University Policy, State and Federal Statute, or, departmental policy.
5.2. Privacy Statement
Troy University’s Privacy Statement
Troy University’s Privacy Statement to data subjects must specify the lawful basis for Troy University to collect or process personal data and include:
- whether their personal data are being collected or processed and for what purpose
- categories of personal data concerned
- to whom personal data is disclosed
- storage period (records retention period)
- existence of individual rights to rectify incorrect data, erase, restrict or object to processing
- how to lodge a complaint
- the source of the personal data (if not collected from the data subject)
- the existence of automated decision-making, including profiling
A link to the Troy University Privacy Statement is available on the footer of all Troy University websites – “Privacy Statement”: https://troy.edu/privacy-statement.html
[NOTE: Troy University Privacy Statement will be in final form by May 25, 2018]
Troy University Units Privacy Notice
Each Troy University Unit that collects or processes personal data protected by the EU GDPR must create and publicly post a privacy notice that meets the requirements (a) through (h) set forth above.
Documentation of Consent
Troy University Units must obtain affirmative consent before it collects or processes sensitive personal data.
Troy University EU GDPR Model Consent Form:
EU GDPR Model Consent Form not a link (Pending Review)
Withdrawal of Consent
Troy University must have a process for individuals who request to withdraw their consent.
5.4 Individual Rights
Exercise of Rights
Any individual wishing to exercise their rights under this policy should contact Information Technology Compliance Office at firstname.lastname@example.org.
5.5 Data Protection
Security of Personal Data
All personal data and sensitive personal data collected or processed by any Troy University Units under the scope of this policy must comply with the security controls and systems and process requirements and standards of NIST Special Publication 800-171 as set forth in the Troy University Data Classification Policy found here: https://www.troy.edu/epolicy/800-technology.html#804.1
Any Troy University Unit that suspects that a breach or disclosure of personal data has occurred must immediately notify Troy University Cyber Security at email@example.com.
EU GDPR Lawful Basis Form not a link (Pending Review)
EU GDPR Model Consent Form not a link (Pending Review)
Frequently Asked Questions:
For Frequently Asked Questions about EU GDPR compliance at Troy University, see the Information Technology website.
8.1 Responsible Party:
Troy University Units
To document the lawful basis for personal data or sensitive personal data collected or processed pursuant to this policy.
To cooperate with Information Technology when individuals inquire about their personal data or sensitive personal data collected or processed pursuant to this policy (See Section 2.3).
To immediately notify (24/7) and cooperate with Troy University Cyber Security relating to any data breach at firstname.lastname@example.org.
8.2 Responsible Party:
To field inquiries about personal data or sensitive personal data collected from individuals while in the EU (See Section 2.4).
To coordinate with Troy University Unit responding to inquiries about personal data or sensitive personal data collected from individuals while in the EU.
8.3 Responsible Party:
To answer questions about and review data security measures.
To handle data breach notification for the Institute.
Violations of the policy may result in loss of system, network, and data access privileges, administrative sanctions (up to and including termination or expulsion) as outlined in applicable Troy University disciplinary procedures, as well as personal civil and/or criminal liability.
To report suspected instances of noncompliance with this policy, please contact Information Technology at: email@example.com or visit Troy University’s Support
Enforcement of the EU GDPR shall be carried out by the appropriate Data Protection Authority within the European Union.
EU General Data Protection Regulation (EU GDPR)
Troy University Privacy Statement
Troy University Security Policy
NIST Special Publication 800-171
State of Alabama Records Policy