Privacy Statement The University of Cincinnati (UC) recognizes the importance of privacy and is committed to protecting the personal data of our students, faculty, staff, alumni and guests. This Privacy Statement explains the type of personal data UC collects and how that data is used. Where UC Obtains Personal Data • From You Or At Your Direction • UC receives personal data from multiple sources, most often directly from you or from a third party whom you have directed to provide information to UC (e.g., application for admission to UC through the use of CollegeNet or the Common App). Publicly Facing Technology Services The university’s publicly facing technology services (ex.: websites, student information system, learning management system, and similar) collect personal information that you knowingly and voluntarily provide when completing applications and forms, sending emails, registering for classes or other programs, responding to surveys, or ordering merchandise. Your personal information can be used to provide you with the needed information, products or services, as well as helping to enhance your experience with the university’s resources and technology services. If you visit our websites, we automatically gather and store the following information about your visit so that we can track the use of our websites to make improvements. This automatically collected information is stored and used in the aggregate only, and is generally not used to contact you personally. Examples of the data stored and used to enhance your experience are: • The IP address from which you access our website • The name of the domain from which you access the Internet (for example, aol.com, if you are connecting from an America Online account) • The type of browser and operating system used to access our website • The date and time you access our site • The pages, files, documents, and links that you visit • The Internet address of the website from which you linked to this website Cookies Cookies are small pieces of data stored by the web browser on your local computer or mobile device, often used to remember information about preferences and pages you have visited. By setting preferences in your browser, you can refuse to accept cookies, disable cookies, and remove cookies from your hard drive. The university’s website uses cookies to personalize its content and enhance your experience accessing technology services. Linking Within our website there are links to third-party websites. When you link to third-party websites, you leave UC's website and no longer will be subject to our privacy policy. UC is not responsible for the privacy practices or the content of third-party websites, and such links are not intended to be an endorsement of those sites nor their content. How We Use Personal Data In order for UC to achieve its core mission, it is essential and necessary for UC to process personal data of its students, employees, applicants, research subjects, alumni and others involved in our educational, research, service and community programs. UC processes personal information for various lawful reasons, including, without limitation: • Academic admissions and enrollment • Student registration • Residence life • Delivery of classroom, on-line, and study abroad education programs • Administration and oversight of recreation programs • Student organizations • Student affairs activities • Distribution of grades, materials, and other communications by and among students, faculty, and staff • Research • Program development and analysis • Hiring and employment • Provision of clinic services or health insurance • Engagement with the community at-large • Compliance with its internal policies, procedures, and guidelines • Compliance with all applicable federal, state, and local laws Records retention Personal data that UC processes typically includes, but is not limited to, name, Social Security number, date of birth, address, email, phone number, transcripts, work history, financial information, information for payroll, research subject information, medical and health information (for admissions, student health services, travel, etc.) and donations. If you refuse to provide personal data that is required by UC in connection with one of UC’s lawful bases to collect and process the personal data, such refusal may make it impossible for UC to provide the requested or necessary service. Sharing of Personal Data UC shares personal data with other parties when one or more of the following conditions apply: • We have previously notified you that sharing the information is necessary • We have your consent to share the information • We need to share your information to provide the service or product you requested • We need to send your information to companies who provide a service or product to you on behalf of UC • The information is student directory information • To respond to subpoenas, court orders, or any other legal requirements • When it is necessary to protect and defend the legal rights and/or property of UC • To protect your safety and/or the public’s safety. As applicable to staff, faculty, applicants and students, common examples of UC’s sharing personal data include, but are not limited to: • Agencies of the State of Ohio and/or the United States Government (e.g. U.S. Citizenship and Immigration Services, U. S. Department of Education) • Your funders and/or lenders • The providers of any external/collaborative learning and training placements or fieldwork opportunities • External auditors, examiners and assessors • Relevant professional or statutory regulatory bodies • Relevant university student union(s) and student clubs and societies, in order to facilitate your membership of those bodies • Local authorities • Police and other law enforcement agencies • Affiliated entities (e.g., The University of Cincinnati Foundation) • Companies or organizations providing specific services to, or on behalf of, UC • Prospective and actual research funders or sponsors • External providers of any staff benefits or retirement plans • If applicable, staff or faculty unions • Others as may be required by the law We generally do not actively share personal information gathered from the university’s technology services such as our web servers. As UC is a public institution, some information collected from our websites, including information from our server logs, e-mails delivered to the UC, and information collected from digital forms, may be subject to the Ohio Public Records Act. In some cases, we may be required by law to release information gathered through and/or by UC technology services. UC complies with the Family Educational Rights and Privacy Act (FERPA), which prohibits the release of education records except in limited circumstances. UC also complies with the applicable provisions of the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) where relevant and appropriate. UC will comply with its published data protection policies in the processing of your personal data, except for legally permitted exceptions. Please see UC’s Office of Information Security website for related policies and further detail. If you have specific questions regarding the collection and use of your personal data, please contact the Director of Privacy within the Office of General Counsel. Data Retention Generally, UC retains data it collects as specified in its General Records Retention Schedule. European Union General Data Protection Regulation (GDPR) The EU GDPR provides broad privacy protections to individuals physically located in the European Economic Area (EEA) (data subject(s)). Under certain circumstances, the GDPR may apply to UC activities in the EEA, for example, when a student attends a study abroad program in the EEA or when a faculty member is temporarily assigned to work on behalf of UC in the EEA. When subject to the GDPR, UC will comply with the regulation's core privacy principles. GDPR Lawful Bases for Processing Personal Data Under the GDPR, UC must have a lawful basis to process a data subject's personal data. Although there will be some instances where the processing of personal data will be pursuant to other lawful bases (e.g., processing necessary to protect the vital interests or safety of a data subject, processing related to legal action involving the university, etc.), the following lawful bases will apply to most UC data processing activities: • Processing for the purposes of the legitimate interests pursued by UC or by a third party; • Processing for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; • Processing for compliance with a legal obligation to which UC is subject; and • Processing pursuant to the consent of a data subject for one or more specific purposes. GDPR Individual Rights of the Data Subject Subject to all other applicable laws and regulations, including all laws of the United States and the State of Ohio, where legally applicable, certain data subjects have the following rights under the GDPR: • To access the personal data we maintain about you; • To be provided with information about how we process your personal data; • To correct or modify your personal data; • To have your personal data deleted; • To object to or restrict how we process your personal data; • To request your personal data to be transferred to a third party; and • To file a complaint. Please be aware that under certain circumstances, the GDPR or other applicable laws may limit a data subject's exercise of the above rights. To exercise the above rights, data subjects should contact Privacy@uc.edu. Please note that exercising these rights is not a guarantee of a requested outcome. Comments/Questions If you have questions about this Privacy Statement, or if you find UC Web pages that do not adhere to this statement, please email us at Privacy@uc.edu.