Initially approved: November 7, 2023
Policy Topic: Information Technology
Administering Office: Office of the CIO and Legal Counsel Office
Western Carolina University (University or WCU) is committed to protecting the privacy of personally identifiable information (PII) and otherwise confidential information it collects and processes from University community members, including employees, students, and third parties.
This policy applies to PII Principals as defined below and governs the Processing, as that term is defined in this policy, of all University Processed PII.
This policy serves as a notice about the categories of information that WCU processes and the general purpose of that processing. It also serves as a notice that WCU is the PII Controller for information collected; provides the methods for contacting WCU for additional information; and establishes the process for submitting privacy requests.
The phrases “Personal Information”; "Personally Identifiable Information”; or “PII" shall mean any information that obviously relates to a particular person and can be used to identify that person.
The terms “Process” and “Processing” shall mean an operation or set of operations performed upon PII that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of PII. Examples of processing may include the collection of registration information for participants of a University-based camp or conference and the deletion of student homework assignments from a University server.
The term “Controller” shall mean the entity that determines the purpose and means for processing PII; defines why and how PII is processed; and is responsible for the implementation of privacy and security protocols to meet applicable legal standards.
The term “PII Principal” shall mean WCU students, employees, alumni, donors, and other community members who may utilize technologies where their PII may be required. For example, a person who purchases event tickets via a University maintained ticketing system would be considered a PII Principal.
The phrase “Directory Information” shall mean information contained in a student’s education record that would not generally be considered harmful or an invasion of privacy if disclosed. “Directory Information” is defined by University Policy 72 Family Educational Rights and Privacy Act.
1. WCU has provided PII Principals with certain information privacy rights as detailed in this policy. These include the following:
2. WCU reserves the right to deny a request made pursuant to paragraph 1 of this section for any reason, including, but not limited to, upon the advice of counsel or to comply with applicable laws, regulations, or policies.
WCU and approved third parties may Process PII across three main categories: (1) PII related to students; (2) PII related to employees; and (3) PII related to alumni, donors, or unrelated third parties. Additionally, PII may be collected and processed for unrelated third parties for purposes such as event ticketing and the utilization of technologies operated by WCU; for example, PII may be collected via electronic or paper forms, or via use of various technologies operated by WCU and approved third parties. Refer to WCU’s Web Privacy Statement for more details about PII potentially gathered via WCU web sites. It is the PII Principal’s responsibility to provide complete and accurate information where requested to ensure the quality of the PII that the University may Process.
1. WCU complies with information security and privacy regulations applicable to the specific type of PII Processed. These include but are not limited to the Family Educational Rights and Privacy Act (FERPA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); as well as Federal Trade Commission Safeguards and applicable Red Flags Rules.
2. Third parties who contract with the University are also required to comply with information security and privacy regulations applicable to the PII Processed by the University and the third party. Such PII includes but is not limited to FERPA, HIPAA, and Federal Trade Commission Safeguards and applicable Red Flags Rules.
3. WCU employees must comply with applicable laws, regulations, UNC policies, and University policy and procedures to safeguard the PII Processed, including but not limited to, University Policy 106: Protecting the Privacy and Security of Personally Identifiable Information.
4. WCU follows regulations and established incident response procedures to respond to data breaches involving PII Principals. Depending on the situation, notifications may come from WCU or our approved third party where the breach occurred.
As the PII Controller, WCU will Process the PII collected only for its stated and implied purpose(s). However, WCU reserves the right to use, provide or release any PII collected as it sees fit for purposes, including, but not limited to, the following:
A PII Principal may contact WCU via its privacy web page form or by emailing privacy@wcu.edu to object to the Processing of their PII; to request access to, correction, or erasure of their PII; or to request a copy of their PII. Legitimate privacy-related requests submitted using this method will be evaluated by WCU’s Core Privacy Team and will be forwarded to the department within WCU that is best suited to handle the request. Each University department will use its internal processing policies and procedures to fulfill or respond to the request in a manner consistent with this policy.