University of Jamestown
Data Privacy Policy

I. Reason for the Policy

This policy outlines the general rules and expectations governing the University of Jamestown’s (UJ) rights to access data and its responsibilities to protect the data and privacy of its constituents.

II. Applicability of the Policy

This policy applies to (1) current faculty, staff, and students of the University of Jamestown; (2) individuals using IT resources or data provided by the University of Jamestown; and (3) other individuals or organizations specifically authorized by the University of Jamestown to access or use University of Jamestown IT data.

III. Policy Statement

The University of Jamestown recognizes that as faculty, staff and students create, use and store more information in electronic form, there is growing concern that information the user or creator considers private may be more vulnerable to invasion than information stored in more traditional media. This policy is intended to highlight some general principles that should help to define the expectations of privacy of those in the University of Jamestown community.

The University of Jamestown also has the legal responsibility to ensure that the IT resources it operates are used appropriately and efficiently. The data contained on University of Jamestown IT resources are presumed to be University of Jamestown property unless University of Jamestown’s rights are otherwise limited by law, policy, or contract. In any case, the data contained on those IT resources are subject to monitoring and/or copying by the University of Jamestown. That is, in order to meet its oversight obligations, the University of Jamestown, through individuals operating within the course of their legitimate job duties, may periodically, routinely, or for a specific purpose monitor activity on its IT resources. These individuals may include IT personnel and appropriate administrators and supervisors on each campus.

IV. Policy Details

A. Personal use of UJ IT resources may be permissible, but there is no guarantee that personal communications will remain private or confidential.

B. Consistent with existing UJ policy and State and federal laws, UJ reserves the right to access, review and release electronic information that is transmitted over or stored on UJ IT resources. In most situations, UJ’s need for information will be met by simply asking the owner for it. In some cases, information transmitted or stored on UJ’s IT resources will be accessed without the consent of the owner when there is a reasonable basis to believe such action:

1. Is necessary to comply with legal requirements including being subject to the open records laws of North Dakota.
2. May yield information necessary for the investigation of a suspected violation of law or regulations, or of an infraction of UJ policy.
3. Is needed to maintain the security, integrity, or functionality of UJ IT resources or to protect the UJ from liability.
4. Is needed to maintain the security, integrity, or functionality of UJ IT resources or to protect UJ from liability.
5. May yield information needed to deal with an emergency.
6. Will yield information that is needed for the ordinary business of UJ to proceed.

C. Except as otherwise provided by law, individuals will be notified of access to, or disclosure of, the contents of their email, voice mail, computer, or computer account. In cases where such notification might jeopardize an ongoing investigation, it may be delayed until the conclusion of the investigation.

D. UJ does not share restricted or private data with third parties except in the following situations:

1. When the owner of the data has given prior consent.
2. When third parties act as agents of UJ and adhere to data privacy standards that meet or exceed the UJ’s standards as well as applicable laws and/or regulations.
3. When participating in higher education data exchange consortia or research studies where providing such data is necessary and the parties receiving the data adhere to data privacy standards that meet or exceed the UJ’s standards as well as applicable laws and/or regulations.
4. When compelled to do so under the law with a valid legal request, such as a subpoena or court order.

E. Access to restricted and private data is limited to individuals with a business need for that information.

F. System administrators may have access to data as required for the maintenance and support of an IT resource. They may also have an additional layer of access that permits them to modify the IT resource itself on top of the data it contains. Administrative access rights to IT resources with restricted or private data must be limited to system administrators with a specific business reason for access and such access must be logged; any access rights must change if their university or status changes.

G. Individuals are prohibited from viewing, copying, altering, or destroying another individual’s electronic information without explicit permission (unless authorized or required to do so by law or regulation). The ability to access a file or other information does not imply permission to do so unless the information has been placed in a public area such as a web site.

H. The UJ website uses Google Analytics, a website traffic tracking and reporting service, and Google Custom Search, a tool designed to assist with searching for and finding information on the UJ website. These services help UJ better understand and improve the university website’s performance and user experience. UJ adheres to Google’s usage guidelines for this service, which prohibits the collection or association of personal information with Web analytics or site searches.

V. EU Citizens rights to their personal information

A. Legal rights to your data for EU citizens

Under data protection laws in the European Union, EU citizens have certain rights in relation to their personal information. Responses to exercise their rights will be provided within one month and generally, there is no fee for making these requests. If the request is particularly complicated we may extend the deadline for responding to three months, but we will let them know if this is the case.

We will handle all requests in accordance with applicable law. However, depending on the right you wish to exercise, and the nature of the personal information involved, there may be legal reasons why we cannot grant your request. Further explanation of those rights and the exceptions to them are set out below.

Details of how to exercise your rights are set out in section B, “How can you exercise your legal rights and change how we use your data?

Your rights include the following:

• You may request us to stop sending you marketing.
• You may request us to stop using your personal information where we are doing so under legitimate interests unless it is needed for dealing with legal claims or we have other compelling legitimate reasons that override your rights.
• You may request us to stop processing of your personal information for marketing purposes including analytics for the purposes of targeted marketing.
• You may access the personal information we hold on you.
  • There are some limited exceptions to this right, such as information relating to others who have not consented to the disclosure of their information and information which is legally privileged. Please see “Accessing your personal information” which can be located within “How can you exercise your legal rights and change how we use your data?” for more details.
• You may ask us to correct your personal information (the ‘right of rectification’) if that information is inaccurate.
• You may ask for personal information which identifies you to be erased (or forgotten).
  • To do this we will remove the information that identifies you from the public data we hold in our active systems. However, restricted data will be kept for 7 years to meet the obligations we have to law enforcement, national authorities, accreditation bodies and legal proceedings.
  • Considerations:
    • We may need to retain certain elements that relate to your time as a student, employee, or donor to UJ because we need it for our own legal and auditing purposes.
    • A record of your request including the personal information you supplied will be retained in the application used to carry this out for 3 years.
    • In some circumstances, it may mean we will not be able to provide all or parts of the services you request from us in the future in relation to your previous relationship with the University of Jamestown.
    • We cannot erase your personal information if you are an active student, employee, or donor as we require this information to fulfill our daily academic and business operations. If you wish to proceed, you will need to withdraw from enrollment, resign from UJ employment, or fulfill any promised giving before we can move forward with erasure.

B. How can you exercise your legal rights and change how we use your data? –

1. Accessing your personal information – You may request a copy of any personal information about you held by the University of Jamestown within its Information Systems. There is no fee for this request.

The request must be in writing and must contain the following:

• Your name and postal address.
• Details of your request.
• A photocopy of your passport or driving license, so that we can verify your identity.
• Your signature and the date of the request.
• Phone number, in case further contact is needed to help with location of the information
• Any details that may help us locate the information, such as UJ ID number, officially recorded mailing address or telephone number.

If you wish the information to be provided to you in a machine-readable copy, please indicate that at the time of making your request.

Please send your request to: DPO@uj.edu

Alternatively, you can make a request by writing to:
Data Protection Officer 6035 College LN Jamestown, ND 58405

2. Request how we use your personal information for marketing – You may request how we use your information for marketing and mailings.

The request must have the following information:

• Your name and postal address.
• Details of your request.
• Your signature and the date of the request.
• Phone number, in case further contact is needed to help with location of the information

We will verify your identify via a communication to your email address of record before processing your request.

Please send your request to: DPO@uj.edu

Alternatively, you can make a request by writing to us, ensuring you mark the letter for Customer Permissions.

Customer Permissions
Data Protection Office 6035 College Ln Jamestown, ND 58405

VI. Definitions

Data
Information collected, created, maintained, transmitted, or stored by or for UJ to conduct business. It includes, but is not limited to, information in electronic, paper, video, and audio formats.

Information Technology (IT) resources
All UJ owned, operated, leased, or contracted systems and services including, but not limited to, computers, databases, storage, servers, networks, input/output connecting devices, telecommunications infrastructure and equipment, software, and applications.

Integrity
Maintaining and assuring the accuracy and consistency of data over its entire life-cycle.

Owner
The author or creator of information or an UJ employee who has administrative or operational responsibility for an IT resource and/or the information it contains.

Private Data
This is data that should not be available to the public. It is data that may be protected by federal or state laws, regulations, contracts, or policy.

Restricted Data
This is data that requires the highest level of protection. It is data protected by federal or state laws, regulations, contracts, or policy. The unauthorized disclosure of restricted data would typically require the university system to report the disclosure and/or provide notice to the individual whose data was inappropriately accessed.

Public Data
This is data that is not considered to be “Restricted” or “Private”. It is data that can generally be released to the public.

System administrator
The individual responsible for the technical operation of a particular IT resource.

VII. Effective Dates

Approved: July 12, 2021
Last Edited: July 12, 2021
Next Review Date: July 1, 2022

VIII. Contacts

UJ IT Network/System Admin
252-3467 ext 5312

UJ CIO/IPSA/DPO
252-3467 ext 5602

UJ IT Helpdesk
252-3467 ext 5611