General Data Protection Regulation (GDPR) Policy
The University of Arkansas is committed to safeguarding the privacy of all personal data provided by students, employees, alumni, and other constituents, as well as contractors (collectively “data subjects”).
Effective May 25, 2018, the European Union (“EU”) General Data Protection Regulation (“GDPR”) places additional obligations on organizations that control or process personally identifiable information about persons in Europe. The GDPR is designed to protect the privacy of data concerning a natural person that is collected or processed in or transferred out of the EU, and to regulate the data privacy practices of entities that offer goods or services in the EU. In its capacity as a data controller, the University collects, uses, and discloses data subjects’ information according to the following policy.
The GDPR applies to entities both inside and outside the EU. In addition, the regulations apply to data about anyone present in the EU, regardless of whether they are a citizen or permanent resident of an EU country; for example, GDPR includes U.S. persons when their personal data is collected, stored and used in the EU or transferred from the EU.
The GDPR defines “personal data” as follows:
“…any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (including information that is manually or automatically read, such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This policy describes the University’s measures to manage and protect personal data that may be subject to the GDPR.
Categories of Data
To provide services to students and employees, administer its programs, and perform contractual obligations, the University may collect, process, and transfer various types of personal data, including but not limited to: name; application information; attendance; academic records; employment records; contact information, including phone numbers, email addresses, and mailing addresses; and date of birth.
The GDPR requires personal data to be processed lawfully, fairly and in a transparent manner, limited only to the data which is necessary, maintained for accuracy, stored only for the length of time required or needed, and safeguarded for unauthorized disclosure. Processing includes performing a task with the personal data such as collection, recording, storage, alteration, retrieval, disclosure by transmission, dissemination, or otherwise making the data available.
The legal bases under the GDPR which permit the University to collect and process personal data include, but are not limited to, the following: (1) the data subject has given consent to the processing for a specific purpose; (2) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; (3) the processing is necessary for compliance with a legal obligation to which the University, as controller of the data, is subject; (4) the processing is necessary in order to protect the vital interests of the data subject or another natural person, (5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University; or (6) processing is necessary for the legitimate interests pursued by the University or by a third party, except where such interests are overridden by the interest of the fundamental rights and freedoms of the data subject which require protection of the personal data.
Special Categories of Data
Personal data revealing ethnic origin, health, criminal convictions and offenses, and certain other sensitive matters (collectively “Sensitive Data” as defined by the GDPR) may be requested by the University. With the exception of criminal convictions, data subjects are not obligated to provide Sensitive Data and do so on a voluntary basis. The University makes every effort to process Sensitive Data only with data subjects’ consent. In some circumstances, health information may be required under state or federal law in order for the University to provide services, or in the interest of public health and safety. Subject to the above limitations, data subjects may revoke their consent regarding Sensitive Data at any time.
Data Subject Rights
Subject to limitations established by legal requirements, University of Arkansas Policies, and regulatory guidelines, data subjects have the right to:
- Access their personal data that we process;
- To rectify inaccuracies in personal data that we hold about them;
- To have their details removed from systems that we use to process their personal data;
- To restrict the processing of their personal data in certain ways;
- To obtain a copy of their personal data in a commonly used electronic form;
- To object to certain processing of their personal data by us; and
- To request that we stop sending them direct marketing communications.
The University will act to fulfill such rights as promptly and as fully as possible.
Data Security Measures
The University maintains and implements policies designed to protect confidentiality and security of personal data and addressing records retention. Relevant policies include but are not limited to:
Academic Policy Series
UA Board of Trustees Policies
When necessary to conduct its functions, University may transfer personal data outside of the EU and may share personal data with third party organizations within and outside of the EU. Where we share personal data, we will require that there are appropriate safeguards in place to protect the personal data. Safeguards include but are not limited to: requiring third parties to be members of the U.S. Privacy Shield, data security contract provisions, and anonymization of data.
Retention of Personal Data
Personal data will be retained by the University in accordance with applicable federal and state laws, regulations, and accreditation guidelines, as well as University policies. Personal data will be destroyed when no longer required for University services and programs, upon request or after the expiration of any applicable retention period, whichever is later. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of information given the level of sensitivity, value and critical importance to the University.
In the event that there is a data breach involving covered personal data of students, employees, alumni, or venders, the University will notify the appropriate supervisory authorities within 72 hours, where feasible, after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Furthermore, the University will also notify individual data subjects of a data breach regarding their personal data if the breach is likely to result in a high risk to their rights and freedoms. The notification to data subjects will include the nature of the breach and recommended steps the data subject should take in order to mitigate potential adverse effects. Initial notification may be general in nature and supplemented as additional information becomes known.
In addition to contacting the offices that maintain the relevant records, data subjects may contact the UA following offices with questions they have regarding the University’s policies and to exercise their rights:
General questions regarding the University’s GDPR policies and compliance:
Dr. Curt Rom
Associate Dean for International Education
Mr. Stephen Tycer
Chief Information Security Officer
Student Academic Records
Mr. Dave Dawson
Ms. Debbie McLoud
Associate Vice Chancellor for Human Resources
University’s Rome Center Records
Mr. Davide Vitali
Additional Information Regarding GDPR
- The University’s General Data Protection Regulation web page
- The text of the GDPR
- Data subjects can also contact the appropriate Data Protection Authorities regarding GDPR