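Roberts Wesleyan College GDPR Privacy Policy

The College acknowledges the General Data Protection Regulation (GDPR) and the rights of EU citizens whose information may reside in its data processing systems, and is actively working to demonstrate compliance in processing the personal data of these EU citizens. The information contained in this document shows the College's preparation and efforts in processing personal data for EU citizens.

Data Subject(s)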

The college identifies “Data Subjects” as any natural person to whom personal data relates. Within the context of the college the data subjects fall into the following categories:

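  • Students (prospective, current, alumni).
  • Employees (applicants, current, past)
  • Other contacts (agents, partners, vendors, etc.)

Personal Data

As defined by GDPR, any data relating directly or indirectly to a natural person (the data subject). Personal data includes any identifiable personal data that can connect personal data to a data subject, e.g. name, citizen ID, phone number, email address, gender, nationality, address, interests, occupational details, etc.

Sensitive Personal Data

The College may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership, criminal records and proceedings.

Processing of Personal Data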

The College shall so far as is reasonably practicable make all efforts to ensure all personal data is:

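  • Processed fairly and lawfully
  • Processed for a lawful purpose
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Processed in accordance with the data subject's rights
  • Secure
  • However, no data is currently transferred to other countries; if the need arises in the future, the college will take adequate precautions that data is not transferred to other countries without adequate protection

Lawful Basis for Processing Data

GDPR requires a lawful basis for processing personal data. The College holds personal data in order to identify, process and communicate with its data subjects of prospective students, current students, prospective employees, current employees and alumni. The processing of this data is lawful and necessary and falls into one or more of the following categories: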

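(a) Consent: We use personal information when processing data to communicate with prospective students and prospective employees. While we do not have an implied contract with these data subjects at this point, the data subject has indicated an interest in coming to study at our College by filling out an application form, thereby implying their consent for us to communicate with them. (Students, 空单继刚).

(b) Contract: We use personal information when processing data necessary for the implied contract the College has with the individual, e.g.

  • Academic processing of students;
  • Processing employee payroll, finance and taxes.

(c) Legal obligation: We will share personal information with companies, organizations or individuals outside of the College if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to: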

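  • meet any applicable law, regulation, legal process or enforceable governmental request, e.g. this is necessary for the College to comply with United States federal law and with New York State and federal reporting requirements.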
  • enforce applicable Terms of Service, including investigation of potential violations;
  • detect, prevent, or otherwise address fraud, security or technical issues;
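  • protect against harm to the rights, property or safety of the College, our users or the public as required or permitted by law.

(d) Public task: The processing is necessary for the College to perform a task in the public interest or for its official functions as a private college in New York State and the United States, and the task or function has a clear basis in law. Examples of these are:

  • Providing student statistical information to the National Student Clearinghouse.
  • IPEDS reporting.

Confidential Data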

Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent.

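US FERPA, GLBA and HIPAA Laws

The College must also protect personal data under United States law and provide information to state and federal authorities under those laws. The college complies with data requirements under the United States FERPA (Family Educational Rights and Privacy Act), GLBA (The Gramm-Leach-Bliley Act) and HIPAA (Health Insurance Portability and Accountability Act of 1996). Our compliance with these US laws and regulations takes precedence over GDPR.

Data Controller, Data Processors and External Data Processors

The College acts as a Data Controller for all the personal data of its data subjects. Data is processed by two parties.

  1. The College acts as its own data processor, using internal College-owned systems to process the College's data.
  2. In some cases, data is transferred to external vendors who process the data on the College's behalf. The College's designated GDPR Team holds a list of the current external data processor organizations to which the College currently passes personal data and which process personal data on the College's behalf. The college will make every reasonable effort to get its external data processors to comply with this policy.
  3. The College will make every reasonable effort to process all approved personal data change requests with its internal and external processors.

Right of Access to Information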

Data subjects have the right of access to information held by the College. Any data subject wishing to access their personal data should put their request in writing to the RCM identified below.

  • The College will endeavour to respond to any such written requests within 30 days.
  • The college will need to verify the identity of the data subject making the request.
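  • Once the identity of the data subject has been verified, the College will determine, based on current regulations or contractual obligations between the data subject and the College, whether the request can be carried out or whether the College must refuse the request.
  • If the request is approved, the request will be processed within the college's internal and external data processing areas.
  • In case the request is refused, the data subject will be notified as to why the request was denied.

Exemptions

Certain data is exempted from the provisions of the Right of Access to Information under GDPR. Below are some examples of exemptions:

  • National security and the prevention or detection of crime
  • The assessment of any tax or duty
  • Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the College
  • Data that could infringe the privacy of others
  • For more information on exemptions, please contact the RCM.

Accuracy

The College will make every reasonable effort to ensure that the personal data held about all data subjects is accurate. Data subjects must notify the relevant college department of any changes to information held about them.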

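Data of Minors

The College is committed to protecting the privacy of children, and therefore the College will not knowingly collect or process data of children under the age of 16 except in compliance with the Children's Online Privacy Protection Act. Accordingly, children under the age of 16 may use the services and programs offered by the College only with the permission and supervision of their parents. In addition, College faculty and departments that provide courses and services to children under the age of 16 in the classroom must obtain the express consent of those children's parents in accordance with applicable law, prior to permitting such children to access or use the services or programs.

Compliance and Cooperation with Regulatory Authorities

If an individual believes that the College has not complied with this policy or has acted in a manner inconsistent with GDPR, that individual should contact the RCM, submit a complaint in writing, and make use of the College's grievance procedure.

The College regularly reviews our compliance with this policy. We value your feedback so we may contact you to ask for more information or to follow up. We will work with the relevant regulatory authorities, including local data protection authorities, to resolve any complaints regarding individual rights or the transfer of personal data that we cannot resolve directly with the data subject.

Data Security

The College takes data security very seriously and has taken multiple layers of industry-appropriate steps to ensure the protection and security of the personal data entrusted to the College. The college uses multiple industry standard solutions and processes to detect, report and investigate personal data breaches.

We work hard to protect the College and our data subjects from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. In particular: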

  • We encrypt our services where possible using SSL, in transit and at rest.
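  • We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.
  • We restrict access to personal information to those of the College authorized staff, and third parties who need to know that information in order to process it for us, who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

The college has a Security Incident Response Team (SIRT) that is part of the college's Emergency Response Team. This team uses a Security Incident Response Plan (SIRP). The plan is designed to be enforced in case a data security breach is detected or reported to the college.

GDPR places an obligation on all organizations to report certain types of data breach to the ICO, and in some cases to the affected individuals. If a data breach falls into these categories, the college with help from the SIRT will make the appropriate reports.

GDPR Employee Training

The college provides several layers of data security training to its employees on a regular basis. Effective May 25, 2018, employees and offices that interact with EU citizens will also receive training covering personal data as defined by GDPR and how to ensure that this data is effectively protected.

Secure Destruction

When data held under this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.

Retention of Data

The College may retain data for differing periods of time for different purposes as required by statute or best practice; individual departments incorporate these retention times into the processes and manuals. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. The College may store some data such as registers, photographs, exam results, achievements, books and works, etc. indefinitely in its archive.

Data Subject Point of Contact

The College's Risk and Compliance Manager (RCM) will serve as the central person to receive personal data rights requests from data subjects.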

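  • If an individual believes that the College has not complied with this policy or has acted in a manner inconsistent with GDPR, the person concerned should contact the complaints officer and submit a complaint in writing.
  • The College has appointed a cross-functional GDPR Team that manages all documentation related to GDPR compliance and oversees the handling of all requests the RCM receives from data subjects.
  • The GDPR Team and the RCM ensure that all requests from data subjects are resolved within the 30-day time limit prescribed for those requests.
  • The GDPR Team is assisted in these responsibilities by the Department of Registration, the Department of Information Technology, the Department of Enrollment Management and the Department of Human Resources.

College Location

The College is located at 2301 Westside Drive, Rochester, New York, USA and all its lead data protection supervisory authority operates from this location.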