Introduction

The University of Alabama in Huntsville (UAH) is an institution of higher education involved in education, research, and community development. For UAH to educate its students in person and online, engage in world-class research, and provide community services, it is essential and necessary that UAH collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs.

The EU General Data Protection Regulation (GDPR) broadly applies to data about people who reside in the EU or data about living individuals when it is transferred from the EU. The EU GDPR limits when and how personal data can be collected, processed, used, disclosed, retained, and disposed of. It also provides these individuals with certain rights related to their personal data, including notice or consent, rights of access, and in some cases, requests for deletion.

UAH may be a data “controller” or “processor” with regard to certain activities as defined under the EU GDPR. While UAH is committed to protecting the rights of individuals in compliance with the EU GDPR, such efforts do not constitute an admission that the EU GDPR is enforceable against UAH.

Definitions

Data controller

Data controllers are responsible for decisions about the collection, use, and protection of personal data.

Data processor

Data processors are responsible for processing, analyzing, storing, and deleting personal data on behalf of the data controller.

Data subject

An identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Personal data

Under the EU GDPR, personal data is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is an actual person (not a corporation or other business entity) who can be identified, directly or indirectly, by reference to:

  • Any identifiers, such as name, ID numbers, location data, online identifier; or
  • Factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Special Categories of Personal Data

  • Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
  • Patient healthcare data sufficient to uniquely identify a natural living person.
  • Genetic data or biometric data sufficient to uniquely identify a natural living person.
  • Data concerning a natural person’s sex life or sexual orientation.

Lawful Basis for Collecting and Processing of Personal Data

UAH has a lawful basis to collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and public service programs. The lawful basis for processing personal data includes, without limitation: admission; registration; delivery of classroom, online, and study abroad education; grades; communications; employment; applied research; development; program analysis for improvements; and records retention.

EU GDPR, Article 6, “Lawfulness of processing,” stipulates that at least one of the following applies:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Processing of personal data is necessary for the performance of a contract in which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary to comply with a legal obligation to which the controller is subject;
  • Processing is necessary to protect vital interests of the data subject or another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary for purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Most of UAH’s collection and processing of personal data will fall under the following categories:

  • Processing which is necessary for the purposes of the legitimate interests pursued by UAH or third parties in providing education, employment, research and development, and public service.
  • Processing which is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
  • Processing which is necessary for compliance with a legal obligation to which UAH is subject.
  • Processing for which the data subject has given consent for UAH to use his or her personal data for one or more specific purposes.

There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases. This basis will be identified for each application.

Types of Personal Data Collected and How it Will be Used

UAH collects a variety of personal data to meet one of its lawful bases, as referenced above. Most often the data is used for academic admissions, enrollment, educational programs, job hiring, provision of medical services, participation in research, development, and public service.

The information we hold about you may include the following:

  • Personal details such as name, title, address, telephone number, email address, marital status, nationality, date of birth, photograph, household income, parental status, details of dependents;
  • Emergency contact information;
  • National Insurance number (where you have voluntarily provided it);
  • Education and employment information (including the school(s), college(s), and other educational locations you have attended; places where you have worked; the courses you have completed; dates of study and examination results);
  • Other personal background information collected during the admissions process, e.g. your socioeconomic classification, and details of your parents’ occupation and education;
  • Examination records (including records relating to assessments of your work, details of examinations taken, and your predicted and actual examination grades);
  • Information captured in your student record, including progression, achievement of milestones and progression reports;
  • Visa, passport, and immigration information;
  • Fees and financial support record (including records relating to the fees paid, student loan information and financial support, scholarships, and sponsorship);
  • Supervision, teaching, and tutorial activities; and training needs analysis and skills acquisition records;
  • Placement and internship record or study at another institution as an established component of your course of studies, or career development opportunity;
  • Information about your engagement with University support services or University facilities;
  • Information about your use of library facilities, including borrowing and fines;
  • Information about disciplinary actions (including academic misconduct), dispensations from regulations, and about any appeals and complaints raised;
  • Attendance at University degree and award ceremonies and other on-campus events;
  • Information about your use of our information and communications systems, including security cameras, security equipment, and building access information.

We may also process the following "special categories" of more sensitive personal data:

  • Information about your sex and gender identity;
  • Information about your race or ethnicity and religious beliefs;
  • Information about your health, including any disability and/or medical condition;
  • Information about criminal convictions and offenses, including proceedings or allegations.

If you have specific questions regarding the collection and use of your personal data, please contact the UAH Office of Risk Management and Compliance at 256.824.6899 or privacy@uah.edu.

Where UAH Acquires Personal Data

UAH receives personal data from multiple sources. Most often, UAH acquires this data directly from the data subject or under the direction of the data subject who has provided it to a third party.

Rights of the Data Subject Under the EU GDPR

If you are an individual data subject under the EU GDPR, you may obtain the following information and exercise the following rights:

  • the identity and the contact details of the data controller and, where applicable, the data controller’s representative;
  • the contact details of UAH’s Office of Risk Management and Compliance, responsible for EU GDPR compliance efforts;
  • an explanation of the purposes and legal basis/legitimate interests of the data collection/processing;
  • the identification of the recipients of the personal data;
  • notice if UAH intends to transfer personal data to another country or international organization;
  • notice of the time period that the personal data will be stored;
  • the right to access personal data, rectify incorrect personal data, erase personal data, restrict or object to processing, and the right to data portability;
  • the right to withdraw consent at any time, if processing is based on consent;
  • the right to lodge a complaint with a supervisory authority (established in the EU);
  • an explanation of why the personal data are required, and possible consequences of the failure to provide the data;
  • notice of the existence of automated decision-making, including profiling; and
  • notice if the collected data are going to be further processed for a purpose other than that for which the information was collected.

The exercise of these rights is a guarantee of being afforded a process, not a guarantee of an outcome.

Any data subject who wishes to exercise any of the above-mentioned rights may do so by submitting an online request, available at https://uah.edu/privacy/DSAR

Information We May Collect Automatically

  • IP Address and Other Identifiers: When you access and interact with our website or programs, UAH and our third-party vendors may collect information about your visits in order to permit you to connect to and obtain the services and to understand the frequency with which specific visitors visit various parts of our site. For example, we may collect your Internet Protocol (IP) address, which identifies the computer or third party that you use to access our services, or information about your browser type, authentication identifiers, and other software and hardware information. If you access the UAH website through a mobile or other device, we may collect your mobile device identifier, geolocation data (including your precise location), or other transactional information for that device. We may combine this information with other information that we have collected to make our services and our communications to you more targeted to your interests.
  • Social Media Information and Content: If you access or log in to our site through a social media service or connect a service to a social media service, the information we collect may also include your user ID and/or user name associated with that social media service, any information or content you have permitted the social media service to share with us, such as your profile picture, email address or friends lists, and any information you have made public in connection with that social media service. When you access our sites through social media services or when you connect a service to social media services, you are authorizing UAH to collect, store, and use such information and content in accordance with this statement and UAH’s Online Privacy Statement.
  • Cookies and Other Tracking Technologies: Our services may also use cookies. Cookies are small text files that are stored on a user’s computer and allow websites to remember information about users. UAH and our third parties use cookies for a variety of purposes in order to enhance the quality of our sites. We use transient (also called “session ID”) cookies to provide continuity from page to page. A session ID cookie expires when you close your browser. We also use persistent cookies. Persistent cookies allow your browser to be recognized when you return after your first visit to that part of our site. Cookies allow us to personalize your return visits to our site. You have the choice to set your browser to accept all cookies, reject all cookies, or notify you when a cookie is set. (Each browser is different, so check the "Help" menu of your browser to learn how to change your cookie preferences.) It is up to you whether to allow us to send you cookies. Please note that by blocking any or all cookies, you may not have access to certain features, content, or personalization available through our site.
  • Web beacons and other tracking technologies: The site may use other tracking tools, including so-called “pixel tags,” “web beacons,” “web bugs,” “clear GIFs,” etc. (collectively “Web Beacons”) to collect information about your activities on our site. These are small electronic images embedded in web content (including online ads) and email messages and are ordinarily not visible to users. Like cookies, web beacons enable us to track pages and content (including ads) accessed and viewed by users. Also, when we send HTML-formatted (as opposed to plain text) emails to you, web beacons may be embedded in such emails to allow us to monitor readership levels so that we can identify aggregate trends and individual usage to provide our audiences with more relevant content or offers. Web beacons in emails may recognize activities such as when an email was opened, how many times an email was forwarded, which links in the email were clicked on, etc. Web beacons cannot be declined when delivered via a regular web page. However, web beacons can be refused when delivered via email. If you do not wish to receive web beacons via email, you will need to disable HTML images or refuse HTML (select Text only) emails via your email software.
  • Third Party Tracking: Third parties that support UAH by serving advertisements or providing services, such as allowing you to share content or tracking aggregate usage statistics of our site, may also use these technologies to collect similar information when you interact with our services (such as websites and emails). These third parties may also use these technologies, along with activity information they collect, to recognize you across the devices you use, such as a mobile device and a laptop or other computer. UAH does not control these third-party technologies and their use is governed by the privacy policies of third parties using such technologies.

Information Contained in User Content

Some parts of our site may allow users to post or transmit messages, comments, screen names, computer files, and other materials. You should be careful about what personal information you choose to make public through these services.

Information from Other Sources

To the extent permitted by law, UAH and our third-party vendors may supplement the information we collect from and about you with information from other sources, such as publicly available information about your online and offline activity from social media services, commercially available sources, and information from other business partners.

Security of Personal Data Subject to the EU GDPR

UAH is committed to ensuring the security of your information. We have put in place reasonable physical, technical, and administrative safeguards designed to prevent unauthorized access to or use of the information collected online. All personal data collected or processed by UAH under the scope of the EU GDPR will comply with UAH’s security controls, systems, process requirements, and standards.

Sharing Your Information

UAH will not share your information with third parties except as necessary to meet one of UAH’s lawful purposes, including, but not limited to:

  • legitimate interest;
  • contract compliance;
  • pursuant to consent provided by you;
  • as required by law;
  • as necessary to protect UAH’s interests; or
  • with third parties acting on our behalf who have agreed to protect the confidentiality of the data.

Data Retention

To the extent applicable, the retention schedule for data collected by UAH is specified by the Public Universities of Alabama Functional Analysis & Records Disposition Authority Revision (RDA), 2017 edition.

Changes to this Privacy Notice

UAH may, in its discretion, update this EU GDPR Privacy Notice.

Additional Information

UAH has an Office of Risk Management and Compliance to support its requirements and to assist with questions or complaints. If you need assistance, would like to make a request, or file a complaint, contact the Office of Risk Management and Compliance at privacy@uah.edu or 256.824.6899.

Information concerning UAH privacy statements is available at https://www.uah.edu/privacy.