Principles & Practices
The Consortium of Universities of the Washington Metropolitan Area has an obligation and a responsibility to respect the privacy rights of individuals. Consequently, the Consortium strives to incorporate privacy practices into the design of all of its systems and processes based on “privacy by design” principles. This is put into practice through our commitment to define, communicate, and enact privacy policies and procedures consistent with the following standards for any information collected¹:
1. Notice and Awareness. The Consortium provides notice to individuals related to privacy policies and procedures, explaining the purpose for which the personal information² is collected, used, retained, and disclosed. The privacy notice is visible, readily accessible, and dated to allow individuals to determine if the notice has changed. The Consortium respects and wants to protect your privacy and intellectual property. There is no secret data collection.
2. Choice and Consent. The Consortium acknowledges that each individual exercises choice about how visible they wish to be; therefore, choice is provided to the individual, including which personal information is initially collected and how and under what circumstances this information is provided to third parties. In the case of employment and payroll records, the specific data required to be collected and retained for verification of enrollment in an academic program or of employment and payroll will be explained. Information is used and retained for specific internal Consortium purposes and is not used for other purposes without appropriate notification or authorization. Specific enrollment- or employment-related information that is required to be shared with contracting organizations by law or regulations for purposes of permitting the individual to conduct their studies or work at those locations will be explained. The Consortium will make reasonable efforts to keep services as open as possible, and will inform individuals of the limitations of service that may result from their choices. Users have a choice on whether or not to provide personal information that is not required by law or regulations.
3. Clear Usage, Retention, and Disposal Practices. The Consortium’s use of personal information is limited to the purposes identified in the description of the service or process for which the individual has provided implicit or explicit consent. To the extent it occurs, personal information is collected in a manner that preserves the privacy of the individual and is retained for only as long as necessary or as required by law or regulations to fulfill the stated purposes. Such information is thereafter appropriately destroyed or discarded. If a person declines to provide the required personal information, the Consortium may be unable to provide a service, employment, or employment verification. The Consortium only collects the data needed, and only uses it as stated.
4. Access to Information. Access to information is limited to those with direct and expressed authorization to have access for those purposes for which the information was provided. The Consortium will periodically inform individuals about pertinent personal information being held and will provide the individual with means for review and update. The Consortium will never sell private information to third-party vendors, and will be clear about third-party website or transactional interactions where applicable, and how they are governed. Individuals have the right to review and correct personal information.
5. Integrity and Security for Privacy and Accountability Processes. The Consortium has the responsibility to protect private information, and will provide administrative, technical, and physical safeguards of the information, including periodic quality assessments and notification in the event of a security breach. The Consortium assumes the responsibility to protect the quality and security of information collected.
¹ These privacy principles are based on the widely used U.S. Federal Trade Commission’s five Fair Information Practices and Principles (FIPP): transparency, choice, information review and correction, information protection, and accountability. The Consortium has also reviewed the European Union General Data Protection Regulation (GDPR) standards regarding privacy notices, the concept of consent, data stored in the cloud, and security breach notification.
² Personally identifiable information, as used in U.S. privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Consortium services and benefits are not designed nor intended for minors, and we do not knowingly attempt to solicit or receive any information from minors. To the extent that minors do use a Consortium website or app, and the Consortium is able to determine the age of the user(s) through their submissions to or communications with Consortium websites or apps, the Consortium will not knowingly collect information from such minors without their parent’s or guardian’s verifiable consent.
Collection and Use of Information
To fulfill its mission and goals, the Consortium collects information about those who are employed or work under the auspices of the Consortium and/or its member institutions, about those who are students in the various academic programs and professional development and employee training programs, and about those who engage with us via email and/or visit our website(s) and access our apps. This information and the data derived or collected are used, in part, to improve the communication about the Consortium’s activities, to improve our programs, websites, and apps, and to serve the interests of our members through services, employment/payroll, and/or employment verification.
Once collected, the Consortium may use this information in a variety of ways, which may include:
- Communication with you about your inquiry, academic or employment training registration, or to communicate information about the Consortium.
- Providing prompt and effective customer service.
- Building higher quality and more useful services, such as by analyzing usage trends and interests regarding specific websites and apps.
- Conducting internal assessments of Consortium programs.
Consortium institutional members may add, correct, or update their information by sending the update to email@example.com. Employees and students may request to review or update information by following the process described in the subsequent section entitled “Access to and Ability to Correct Data”.
Sharing with Third Parties
The Consortium will occasionally mail or email a notice or survey on behalf of another organization or contract with a third party to assist in contacting selected individuals at member institutions and others who may have interest in receiving the notice or survey, when such material is deemed to be beneficial to those being contacted. Such mailings and emails are subject to the review of Consortium staff and board members, depending upon the nature of the message.
The Consortium reserves the right to disclose information, including personal information obtained through its websites and apps, when disclosure is required by law, regulations, or in a good-faith belief that such action is necessary to: (a) conform to legal requirements or regulations, or comply with legal processes served on the Consortium; (b) protect or defend the rights or property of the Consortium; or (c) protect the personal safety of Consortium officers, staff, students, contractual organizations, or members of the public in appropriate circumstances.
Opt In/Opt Out
The Consortium reserves the right to offer either an opt in or an opt out option depending on the situation and the type of information being collected. Any individual may decline to provide information requested by the Consortium. In this case, the Consortium may be unable to provide services or employment for which such information is needed for security and/or identity purposes.
Access to and Ability to Correct Data
Upon request via postal mail, email, telephone, or voicemail, the Consortium will respond to an inquiry from an individual regarding their right to review and correct personal data. Once a request has been received, the Consortium will contact the individual making the request and require identity verification prior to providing the individual with a summary of any personally identifiable information retained by the Consortium regarding the individual making the request. Individuals may then modify, correct, change, or update personally identifiable information that the Consortium has collected through its website(s), apps, or other means (including, but not limited to paper forms) and/or may initiate the removal of their personal record from the Consortium’s database by contacting Erin Pate at the Consortium by phone at (202) 331-8080 x110 or by email at firstname.lastname@example.org. As noted, identity verification will be required for this process to occur. Individuals are reminded that removal of information required by law or regulations may be impermissible or may result in the Consortium being unable to provide services, employment/payroll, and/or employment verification. Questions about this process may be submitted by email to email@example.com.
Keeping Data about Individuals Secure
Personal data are stored on a secure server, in locked filing cabinets, or in a secure offsite location. Procedures have been employed at the Consortium and through our information technology partners to safeguard the security and integrity of your information. Although the Consortium takes these measures to safeguard against unauthorized disclosure of a person’s data or personal information, the Consortium cannot control internet transmissions and cannot guarantee or warrant that data or personal information transmitted to the Consortium will be uncompromised in all circumstances.
The Consortium follows all federal, state, and local laws and regulations regarding data retention. In situations not covered by federal, state, or local law or regulations, if historical activity pertaining to Consortium business needs is present, the information may be kept indefinitely. Individuals may request an anonymization of their record by contacting Erin Pate at the Consortium by phone at (202) 331-8080 x110 or by email at firstname.lastname@example.org. Identity verification will be required for this process to occur. Individuals are reminded that anonymization of information required by law or regulations may result in the Consortium being unable to provide services or employment/payroll and employment verification.
Cookies and Other Technologies
A “cookie” is a file that a website stores in a user’s computer for future reference. Individuals may set their browsers to reject cookies. Information supplied through a Consortium cookie is used only by the Consortium to help enhance services provided and is not shared with others.
Cookies and beacons may also be utilized by the third parties we contract with to provide certain functions. You may block or disable cookies and other trackers by changing the settings on your browser, but doing so may prevent you from accessing certain functionalities or impair your experience in interacting with the website(s).
Commitment to GDPR Compliance
The Consortium is committed to complying with the terms and spirit of the General Data Protection Regulation (GDPR), the comprehensive European Union data privacy law effective May 25, 2018. We are committed to communicating the steps the Consortium is taking to ensure GDPR compliance.
The GDPR’s requirements have many implications, and the Consortium is conscientiously working to ensure that our services and contractual commitments are brought into compliance. Among the measures the Consortium is taking are:
- Reviewing vendors and contracts to ensure that the appropriate measures are in place, and updating contracts as needed;
- Auditing lists (e.g., email distribution lists) to determine how consent was granted and taking appropriate steps accordingly;
- Ensuring we can support international data transfers and communications;
- Employing privacy tools and utilities for data portability and management; and
- Continuing to invest in our security infrastructure and practices.
Third Party Websites and Services
Intellectual Property Rights and Protection vs. Personal Privacy
Protection of intellectual property is the responsibility of individuals. The Consortium has policies and practices in place to help support this protection. Violations of intellectual property rights are legally covered through intellectual property laws, not privacy laws.
Changes to Policy