Type of Policy
Administrative
Effective Date:
Review Date:
Policy Owner
Ethics, Compliance & Legal Affairs
Contact Name
Sally Robertson
Contact Title
Senior Counsel, Privacy
Contact Email
sally.robertson@carnegie.gatech.edu
Reason for Policy

This Personal Information Privacy Policy supports the mission and vision of the privacy program to further innovation and legitimate business needs while balancing the privacy of the individuals who entrust their personal data to Georgia Tech. It also supports compliance with University System of Georgia ("USG”) requirements.

Policy Statement

Individuals with access to Georgia Tech’s personal data assets are responsible for ensuring such information is collected, maintained, and used by Georgia Tech only for purposes that are relevant and necessary to perform the job or task that reasonably serves a legitimate Georgia Tech function. Such collection, maintenance and use must also comply with applicable laws and regulations, Georgia Tech policies, and USG requirements governing privacy of information.

Management and Access to PII
Individuals with responsibility for Records containing Personally Identifiable Information (PII) should only Process or seek to access such PII as appropriate in the performance of their assigned role or duties for Georgia Tech and in accordance with all applicable laws and regulations, Georgia Tech policies, and USG requirements. Access to PII as part of an individual’s assigned responsibilities or role does not constitute authority to release such information to other employees, students, parents or guardians, or third parties.

Both units and individuals are responsible for protecting PII against accidental or intentional misuse or improper disclosure or exposure within or outside of Georgia Tech. For more information concerning safeguarding Institute Records and PII, see the Cyber Security Policy, the Protected Data Practices resource, and the Security Procedures and Standards resource. Concerns regarding the security and safeguarding of PII can be reported to the Georgia Tech Cyber Security Teamhttps://security.gatech.edu/report-incident.

Georgia Tech shall not use social security numbers, driver’s license numbers, passport numbers or other governmental-issued numbers or designations as an official Institute personal identifier unless required by applicable law or reviewed and approved by the Risk Panel.

Processing PII

Individuals with responsibility for Processing PII must be able to identify and articulate the following:

  • whose PII is being Processed (what group or population of individuals)
  • why the PII is being Processed (the purpose(s) or business need for the Processing),
  • how that Processing will take place (the Processing activity),
  • and who has access to the PII being Processed.

This includes Processing within Georgia Tech as well as external to Georgia Tech (third parties such as vendors and contractors).

Where appropriate and practicable, persons Processing PII should implement the principle of Data Minimization, and if possible, Disassociate and De-identify datasets that include PII.

Scope

This policy applies to all parties, both internal and external to Georgia Tech, that are Processing Administrative Data that contains PII generated or collected by Georgia Tech.

Policy Terms

Administrative Data
Administrative data includes Organizational Data that is administratively or operationally generated, owned or managed, by or on behalf of, Georgia Tech.

Examples of Administrative Data include, but are not limited to, data about students or employees, finance, facilities, technology, student life, Campus Services and Professional Education.

It also includes Administrative Data about research (such as financial components of research and grants and contracts details), as well as research of Administrative Data (such as research on student success, work force demographics, campus network traffic and facilities data.)

Data Breach
The unauthorized acquisition or exposure of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the entity that is collecting data for a legitimate business purpose—so long as the personal information is not used for a purpose unrelated to the entity’s business or is subject to further unauthorized disclosure.

Data Subject
Any person whose PII is being Processed.

De-Identify
The method used to prevent a Data Subject’s personal identity from being revealed. For example, data produced during human subject research might be de-identified to preserve privacy for research participants.

Organizational Data
As defined in the Data Governance and Management Policy, Organizational Data is “Data generated, owned, or managed, by or on behalf of, Georgia Tech including all data to which Georgia Tech has been granted stewardship by third parties. Organizational Data record facts, statistics, or information, which is read, created, collected, used, updated, reported, shared, stored, transferred, or deleted by Georgia Tech units. Data may be in any form, including electronic or physical. Organizational Data may reside in an Information System hosted by Georgia Tech or a third party.*

Personally Identifiable Information (PII)
Any information about an individual that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name or biometric records; and any other information that is linkable to an individual, such as medical, educational, financial and employment information.

Process or Processing
Data life cycle operations, including, but not limited to, collection, creation, sharing, dissemination, transmission, storage, use, retention and disposal.

Record
Record is defined by USG.

Risk Panel
A group of Georgia Tech stakeholders, from areas including but not limited to privacy, cyber security, data governance, and enterprise risk management, that will gather to review the risk associated with Processing Administrative Data, on an asneeded basis.

Security Incident
A security incident is an event, as determined by Georgia Tech Cyber Security, that violates an applicable law or Institute policy including the violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. An incident could also be established based on the potential for harm to the confidentiality, integrity, or availability of Georgia Tech IT resources.

Procedures

Report an Incident
If an individual believes a Security Incident or a Data Breach of PII has occurred, the individual should report the suspicion immediately to the Georgia Tech Cyber Security Team at https://security.gatech.edu/report-incident. Incidents relating to individuals can also be reported to the Ethics Hotline.

GDPR Data Subject Requests
Any individual wishing to exercise their rights under the EU GDPR should visit the EU GDPR website for more information and additional instructions.

Institute Personal Identifier Requests
If an individual wishes to utilize social security numbers, driver’s license numbers, passport numbers or other governmentalissued number or designation as an official Institute personal identifier, the individual must receive approval from the Risk Panel. All requests should be sent to privacy@gatech.edu.

Responsibilities

Senior Privacy Officer
The Senior Privacy Officer oversees and manages the Georgia Tech Privacy Program. The Georgia Tech Privacy Program monitors, helps to verify compliance with, and provides guidance on privacy laws and regulations. It also provides oversight and maintenance of any privacy policies, procedures, training and awareness, or engagement activities.

Data Management Committee
The Data Management Committee (“DMC”) is a sub-committee of the broader Data Governance Committee. It is comprised of a selection of Georgia Tech leaders (including faculty, staff, and student representatives) and is responsible for recommending and advising on various matters including privacy related policy and procedures and providing guidance and support for Institutional privacy efforts.

Units
Units include various departments, offices, colleges/schools, and other groups across Georgia Tech that Process PII. Each unit should abide by the terms of this policy in how it Processes that PII. This includes taking into consideration which unit members should have access to the PII based on their role and regularly checking and removing access provisions as necessary. Units should also consider whether the PII being Processed requires any additional training or knowledge about a specific privacy law, regulation, or policy. Examples might include FERPA, HIPAA, or GDPR.

Employees Processing PII
Employees may need to Process PII in their assigned role at Georgia Tech. All employees should abide by the terms of this policy in how they Process that PII. Employees should have access only to the PII needed to accomplish the duties within their assigned role and should complete any additional training necessary to properly Process the PII.

Enforcement

Georgia Tech, the University System of Georgia, the state of Georgia, the federal government, or another regulatory agency may periodically audit compliance with this policy. To report suspected instances of noncompliance with this policy, please contact the Privacy Program at: privacy@gatech.edu.