Indiana University

Web Site Privacy Notices

  • Policy
    ISPP-24
  • Status
    Posted as draft 31-Oct-2009
  • Source
    Office of the Vice President for Information Technology

Scope

This policy applies to all content owners and site managers of university web sites that are created or maintained either by or for academic, administrative, or auxiliary units of Indiana University, regardless of whether or not the sites are hosted on university servers or external servers. This includes web sites of professional associations and publications that are formally hosted, maintained, or operated by faculty or staff of the university.

This policy applies to visitor information that is collected either actively or passively, as defined in the glossary.

All other web sites that may be hosted on university servers, such as personal home pages and student organizational web sites, are encouraged to adhere to the terms of this policy as well. However, Indiana University is not responsible for the content of these sites or for their practices regarding the privacy of their visitors.

This policy does NOT apply to university web sites that support web-based research, as “research” is defined in federal law and in university policy governing human subjects-based research. Sites engaged in research must have prior review and approval by the campus Institutional Review Board (IRB) or Human Subjects Committee (HSC), and will follow procedures concerning the collection, use, and sharing of site visitor information established in accordance with that review and approval.

Reason for Policy

A web site privacy notice (or privacy statement) is a public description of an organization’s information management practices with respect to information collected by the organization’s web site. Such notices have two purposes: visitor education and institutional accountability. Notification of privacy practices is a basic principle of good information management, and builds visitor confidence. Furthermore, the process of creating and maintaining a privacy notice requires site owners and managers to understand their data-handling practices and may reveal potential issues to be addressed. This policy outlines Indiana University’s philosophy concerning the use of web site privacy notices.

Policy Statement

Indiana University respects the privacy of visitors to its web sites. Therefore, content owners and site managers of university web sites must:

  • Evaluate what visitor information is being collected by their sites, how that information is used, and what practices are followed for handling and protecting that information;
  • Comply with all applicable laws and institutional policies regarding visitor privacy;
  • Develop a privacy notice that explains what information is collected and what practices are followed with respect to that information;
  • Post a readily visible link to the privacy notice on at least the home page of the site and on any page that actively solicits visitor information (such as through a form); and
  • Update the privacy notice as needed.

Procedures

Privacy practices for web site content owners and managers must include, and web site privacy notices must describe, procedures covering the following topics:

  • Notice
    Describe what personal information is collected, how it is used, how long it is retained, and under what circumstances, if any, it may be disclosed. Also, describe how visitors will be notified of changes to privacy practices.
  • Choice
    Describe how a site visitor implicitly or explicitly indicates consent to the collection, use, and disclosure of his or her personal information, particularly if that information is to be used for a secondary purpose or disclosed to a third party.
  • Access
    Describe whether/how an individual may access his or her personal information to review or change that information.
  • Redress
    Describe procedures for monitoring compliance with stated practices and for resolving visitors’ complaints and disputes regarding the site’s use and disclosure of personal information.
  • Security
    Describe how personal information collected by or provided to the site is secured.

Thus, if a web site asks or requires visitors to provide information, that site must, as appropriate:

  • Detail the scope of applicability for the site privacy notice by indicating the domain or subdomain to which it applies.
  • State that different units at the university may collect and use visitor information in different ways and that visitors should review the privacy notices for the particular sites they visit.
  • State what types of visitor information may be requested, why visitor information is requested, and how it will be used.
  • Use the information only as outlined in the privacy notice, for the stated purpose(s), and retain the information only as long as necessary to fulfill the stated purpose(s).
  • State whether the information will be shared with any external party(ies) and under what circumstances.
  • As appropriate, make a copy of a visitor’s information available to the visitor on his or her request.
  • As appropriate, state that a visitor may contact the site’s designee to obtain, modify, or delete information the visitor has provided, and provide contact information for doing so.
  • As appropriate, state that providing the requested information is wholly voluntary, and indicate how not providing the requested information (or subsequently asking that the data be removed) will affect the delivery of products or services for which the information is needed.
  • State that the university is not responsible for the content of web sites or for the privacy practices of web sites outside the scope of this policy.
  • Provide these statements in such a way that visitors can easily view and read them before actively submitting any requested information.

Safeguards

Once the university receives visitor information, the university will employ reasonable safeguards to maintain the security of that information on university systems. Units that maintain university web sites are expected to maintain those sites, and supporting systems and databases, at a security level consistent with prevailing industry standards and commensurate with the sensitivity of the data being stored.

Privacy Expectations

Due to the rapidly evolving nature of information technologies, no transmission of data over the Internet can be guaranteed to be completely secure. While Indiana University is committed to protecting the privacy of our visitors, the university cannot guarantee the security of any information visitors transmit to university sites, and visitors do so at their own risk. All web site privacy notices developed pursuant to this policy must include a statement to this effect.

Laws

Web sites covered by this policy must comply with all applicable laws regarding the privacy and security of visitor information. If web site content owners and managers have questions regarding the applicability of certain laws to their operations, they must seek appropriate guidance from relevant university officials.

Links to Non-University Web Sites

University sites may provide links to other, non-university sites. Indiana University is not responsible for the availability, content, or privacy practices of those sites. Non-university web sites are not bound by this web site privacy notice policy and may or may not have their own privacy policies. All web site privacy notices developed pursuant to this policy must include a statement to this effect.

Tools

Links will be posted as supporting tools are created.

Sanctions

Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved, this could include the offices of Human Resources, Dean of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources, for more detail.

Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual’s use of information technology resources (such as suspension or termination of access, or removal of online material); the individual’s employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.

Related Information

Campuses, schools, colleges, departments, and other administrative units may have local policies and standards governing the appropriate use of information technologies deployed specifically in support of that unit's activities. Managers of information technology services may have issued service-level policies and standards governing the appropriate use of their services. All such policies and standards must be consistent with this policy. In order to understand and adhere to any such additional requirements, users of these resources are responsible for consulting with appropriate unit or service staff.

Responsible Organization

Office of the Vice President for Information Technology
University Information Policy Office

Policy History

  • Posted as draft: October 31, 2009
