This policy addresses the collection, use, disclosure, and security of personal information that may be obtained when individuals visit The University of North Carolina at Greensboro (the “University” or “UNCG”) web applications or mobile app (UNCG Mobile) and describes UNCG’s data protection strategy to comply with multiple regulations, including the European Union General Data Protection Regulation (“EU GDPR”). The University is firmly committed to privacy and transparency, to maintaining data integrity, and to safeguarding personally identifiable information. Further information about the University’s commitment can be found in the Privacy Statement and the Privacy Notice.
The scope of this policy applies to all personal information collected by and provided to UNCG through web applications. It must be adhered to by all persons who access, use, process, control or otherwise deal with personal information on UNCG’s behalf. This policy applies to independent contractors and job applicants, as well as individuals who provide UNCG with personal information.
University web applications that are directly associated with research may expand beyond this policy to support the specific needs and concerns of performing research.
University web applications that are directly associated with community or grant funding partnerships may expand beyond the scope this policy to include the specific needs and concerns of targeted audiences.
3.Definitions and Roles and Responsibilities
Personal Information is information about an identifiable individual that is recorded in any form. This includes opinions and beliefs, financial information, birth dates and other identifying data not publicly available. The definition does not include the name, title or business address or telephone number of an employee of an organization. Business contact information (title, position, company name address, etc.) and certain publicly available information are excluded from the definition.
Collection is the act of gathering, acquiring, or obtaining personal information from any source, including third parties, by any means.
Disclosure is making personal information available to others outside the University.
Use refers to the treatment and handling of personal information within the University.
Consent is a voluntary agreement to the collection, use and disclosureof personal information for a stated purpose. Consent can be either express or implied.
Express Consent is permission that is explicitly sought and applied to the collection, use or disclosure of information, particularly for sensitive/personal information or when there has been a significant change from the original purpose for which information was collected. Express Consent is unequivocal and does not require any inference on the part of the organization seeking consent.
Implied Consent arises where consent to the collection, use or disclosure of information may reasonably be inferred from the action or inaction of the individual. For example, consent could be implied for using the return address on a donation check to send a receipt to the donor for income tax purposes.
Purpose Statement is the stated purpose for which personal information is being collected, used, or disclosed.
Web Applications are client-server software applications that run in a web browser via website or mobile app.
3.2Roles and Responsibilities
Chief Information Officer has the overall responsibility for the University’s Information Security Program.
Chief Information Security Officer has the responsibility for coordinating the implementation of privacy requirements, and for ensuring that the University’s information technology systems that handle private data meet privacy requirements, laws, and regulations.
Office of Institutional Integrity and General Counsel has the responsibility for providing legal advice and assistance on privacy laws and regulations.
Vice Chancellor for Strategic Communications has the overall responsibility of University communications, public relations, marketing/distribution, and social media.
4.1Information Collected and Stored Automatically
For all who choose to visit UNCG web applications to browse, read pages, submit forms, or download information, the University automatically collects and stores the following information:
- The Internet domain and IP address from which users access UNCG’s portal;
- The date and time users access the web application;
- The pages users visit within the web application;
- If users linked to the web application from another web application, the address of that web application;
- The type of browser and operating system used to access the web application;
- The search terms used to get to the web application, in addition to search terms used in the web application’s search engine;
- The type of device used to access the web application;
- How often users visit the web application; and
- The links made to other web applications through the web application.
UNCG uses this information to help make its web applications more useful to visitors, to learn about the number of visitors to its web applications and the types of technology visitors use.
UNCG utilizes Google Analytic service(s) to assist in tracking traffic to University web applications, measuring volume of traffic, determining utilization levels of pages and modules, as well as other data analysis.
UNCG may utilize digital marketing agencies to help promote the University through non-University web applications. These agencies will typically provide data on advertising/promotion effectiveness and, unless specifically shared and permission given by the consumer, will anonymize and aggregate the data provided to the University.
UNCG will not collect any personal information about users of its web applications, unless an individual chooses to provide that information to UNCG. UNCG will, however, collect statistical information that can be used to make its web applications more effective. Except for authorized law enforcement investigations, or as otherwise required by law, UNCG will not disclose any personal information it receives to anyone outside the University without written consent from the individual to whom the record pertains.
4.2Web Application Security
For web application security purposes and to ensure that its service remains available to all users, the University’s computer systems employ software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. Use of UNCG’s web applications constitutes Consent to such monitoring. Unauthorized attempts to upload information and/or change information on UNCG’s web applications are strictly prohibited and subject to legal action to include the Computer Fraud and Abuse Act of 1986.
The University conducts public business in a transparent manner that is consistent with federal and state laws and regulations and effectively applies any relevant qualifying statutes or laws related to confidentiality, professional privilege, and personal use to all records generated in the course of University business. In accordance with University policy and the North Carolina Public Records Act (N.C. Gen. Stat. Chapter 132), the University will, as promptly as possible, provide responses to public records requests.
With respect to confidentiality, it is the policy of the University to comply with various state and federal laws and to provide for the confidentiality of certain records protected by law, including, but not limited to, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the State Personnel Act, and the North Carolina Public Records Act.
If individuals send the University personal information via email, by filling out a form, or using any other communication methods on any of its web applications, the University may use that information in responding to their request. Individuals are advised to send only the information that is necessary to answer their question or process their request. Emails from individuals may be forwarded to the University employee who can best answer their questions.
The University does not disclose, give, sell, or transfer any personal information provided by visitors to UNCG’s web applications, unless required by law enforcement or statute. All communications are subject to the North Carolina Public Records Act.
A persistent cookie is generally defined as a piece of data that is stored on the user’s hard drive. The University does not use persistent cookies on its web applications; however, the University engages with advertising agencies that may request the University load tracking into our analytics.
Temporary or session cookies are used on all uncg.edu web application pages. These cookies are stored in memory and are only available during an active browser session. Session cookies are also used by some of the applications deployed on UNCG’s web applications to temporarily save information entered by a user as long as the user’s browser is open. These cookies do not collect personal information on users, and they are erased as soon as users close their web browser. No personal information about users is maintained as a result of a temporary or session cookie.
Users can configure their web browser to accept or decline cookies, or to alert them when cookies are in use. Users do not have to accept cookies from UNCG, but if a user chooses not to, some of the functions on UNCG’s web applications may not be available to that user.
4.6Accuracy and Security of Personal Information
UNCG does its best to reasonably ensure that the personal information obtained from visitors to its web applications is accurate, and related to those unique visitors. Visitors may review the information they saved or submitted via UNCG’s web applications at any time up to the point when it is purged. In the event that there is an error in a visitor’s personal information, the University will correct the information upon request by that visitor.
The University has put in place reasonable physical, technical, and administrative safeguards designed to prevent unauthorized access to or use of the personal information provided via its web applications. While the University strives to protect visitors’ personal information by encryption and other means, it cannot guarantee or warrant the security of the information visitors transmit to it, and if visitors choose to use UNCG’s web applications, they do so at their own risk.
Please keep in mind that any information, including personal information, disclosed on UNCG’s web applications can be collected and used by visitors to the web applications. If individuals post any information within a public forum on any UNCG web application that information is considered public.
4.7Interaction with Children or Minors
UNCG is committed to the protection of children’s online privacy. UNCG does not knowingly collect personal information from children or minors as defined by the Children’s Online Privacy Protection Act (COPPA).
4.8Links to Other Web Applications and Social Media
Where the University manages a presence on social media web applications to share UNCG information and engage with its audience, it does not collect any personal information through those web applications. If an individual submits a question or comment to UNCG via a social media tool or platform, UNCG may reply directly to the individual via that platform, but UNCG does not track or record any information about individuals who use or interact with UNCG via those platforms.
4.9UNCG Mobile app
The UNCG Mobile app is available in both the Apple (iOS) and Google (Android) operating systems for mobile devices. This policy applies to UNCG Mobile where the technology and capability is similar to web applications.
All information provided in UNCG’s web applications is believed to be accurate and reliable; however, UNCG assumes no responsibility for the use of this information. Please note that other web applications that do not have this privacy statement in the footer may contain additional or different privacy statements.
5.Compliance and Enforcement
Any violation of this policy by a University student is subject to the Student Code of Conduct in the Student Policy Handbook. For employees, any violation will be subject to disciplinary action in accordance with policies pertaining to the classification of the employee.
If violation of this policy also results in a violation of law, the violation may also be referred for criminal or civil prosecution.
Violations of this policy may result in termination or suspension of access, in whole or in part, to University information systems at the discretion of Information Technology Services where such action is reasonable to protect the University or the University’s information infrastructure.
Portions of this policy were informed by the language found in multiple regulations, including the ISO/IEC 27002:2013 Standard and the EU GDPR.
The Chancellor is responsible for approval of this policy.
6.4Contacts for Additional Information and Reporting
Responsible Executive: Vice Chancellor for Information Technology Services and Chief Information Officer (CIO)
Responsible Administrator: Chief Information Security Officer (CISO)