Body

GDPR Regulation

European Economic Area Privacy Notice and General Data Privacy Regulation (GDPR)

Rice is committed to safeguarding the privacy of personal data. This European Economic Area (“EEA”) Privacy Notice outlines the collection, use, and disclosure of personal information provided to the University by individuals who are located in the EEA. When information is submitted to Rice, or you use the University's websites and other services, you consent to the collection, use, and disclosure of that information as described in this EEA Privacy Notice.

For purposes of this EEA Privacy Notice, “information” refers to information concerning a natural person that is created by or provided to Rice from or concerning individuals who are located in the EEA. “Sensitive information” refers to information concerning such a natural person’s race, ethnic origin, religious or philosophical beliefs, health data, sexual orientation and criminal convictions.

This EEA Privacy Notice is a supplement to the Rice University Privacy Notice, which also contains important information relevant to individuals in the EEA and GDPR, please visit www.privacy.rice.edu. {NOTE: this website is being updated, and will be back online shortly}

Throughout this document “Rice” or “we” or “our” refers to William Marsh Rice University, a not-for-profit institution of higher education with a main campus at 6100 Main Street, Houston, Texas 77005 USA, incorporated as a 501(c)3 in the State of Texas.

  1. WHO IS OUR DATA PROTECTION OFFICER, AND HOW DO I CONTACT THAT PERSON?

Rice has designated the Chief Information Security Officer as the Data Protection Officer for the purposes of GDPR. He can be contacted with questions or concerns at GDPR@rice.edu or at 1-713-348-5735, or by mail at:

Marc Scarborough, CISO, Office of Information Technology

Rice University - MS 119, P.O. Box 1892

Houston, TX 77251-1892 USA

  1. HOW DOES RICE COLLECT AND USE YOUR PERSONAL INFORMATION?

There are many ways that individuals may interact with Rice, and that will affect the data collected and how it is used. For the sake of clarity, most individuals will fall into one of these categories (each of which will be discussed below):

A) Prospective Students, Applicants, Admitted and Enrolled Students, and other Learners

B) Faculty and Staff

C) Individuals involved in research

D) Alumni, donors, and other community members

E) Visitors at Rice for specific purposes

  1. Information for Potential Students, Admitted Students, and other Learners

Rice may collect your personal data in a numbers of ways, including by you providing it to us through an application for admission or financial aid, email, phone call or in-person meeting. We may receive information about you from third parties acting on your behalf (such as high school guidance counselors, community organizations with which you are affiliated, or your parents). We may also receive information about you from third parties at our request (such as application or testing services).

The types of data we collect are mainly driven by the extent to which you either provide information to Rice, or to the extent you use Rice programs or services. As you attend Rice, in person or online, we may collect information about your participation and performance, including information such as the courses you take, your grade or performance in a course, and information about your attendance or participation.

If you use an online learning platform (such as Canvas, EdX, Coursera, OpenStax Tutor), information about your online activities will be associated with your log in, which may include what pages you visit, how long you were there, forum postings, and any correspondence with the instructor or other students.

If you use other Rice services or programs, we may collect personal information from you that is relevant to providing that service or program. Examples of these services and programs include academic advising, career services, financial aid, work study, health center or counseling, athletics, disability services, library, information technology, housing, dining, parking, wellness center, clubs and student activities, student judicial programs, equal opportunity or Title IX coordinators, police or emergency medical services.

Importantly, there are laws that affect how your data may be used or shared by Rice, and may provide you with additional rights. The primary law affecting student information is the Family Education Rights and Privacy Act (FERPA), which is a federal law designed to protect the privacy of and limit access to student educational records (as defined in that law). In some cases, FERPA allows certain information to be shared without your permission. More information about FERPA is available at https://registrar.rice.edu/ferpa.

  1. Information for Faculty and Staff

Rice may collect your personal data in a number of ways, including you providing it to Rice as part of an employment application or during the hiring process. Rice will also collect any information necessary to comply with the law and relevant regulations (e.g. Immigration Form I-9), or as required by our accreditors (e.g. degree or transcript information).

Rice uses a third party vendor to conduct background checks on designated prospective employees that may include things such as your criminal history.

If you use other Rice services or programs, we may collect personal information that you provide and that is relevant to providing that service or program (for example, if you obtain a parking pass, Rice will keep your license plate number; or if you purchase athletics season tickets Rice will keep information about the transaction). Other examples of these services or programs include payroll, library, human resources, disability services, information technology,, dining, parking, recreation center, equal opportunity or Title IX, police or emergency medical services.

Importantly, there are laws that affect how your data may be used or shared by Rice, and may provide you with additional rights.

In addition to this EEA Privacy Notice, you should be aware that Rice maintains the following university policies applicable to all Faculty and Staff that are related to privacy:

Protection of University Data and Information (Policy 808

✎ EditSign

)

Appropriate Use of Information Technology (Policy 832

✎ EditSign

)

  1. Information for individuals involved in research

Rice may collect your personal data in a numbers of ways, including by you providing it to us as part of an agreement to participate in research with Rice. Rice may also be provided your information by a third party with whom you have agreed to allow information to be shared.

These agreements are often contained in an “Informed Consent” document that you sign with Rice or with a third party. This Informed Consent document will contain additional important information about how your data may be used.

For any research that involves human subjects, Rice follows the principles outlined in the Belmont Report, the U.S. “Common Rule,” and other applicable law.

Rice may also receive your information as part of a research collaboration with federal, state, or local governmental authorities.

Importantly, there are laws that affect how your data may be used or shared by Rice, and may provide you with additional rights.

  1. Information for Alumni, Donors, and other Community Members

Rice may collect your personal data in a numbers of ways, including by you providing it to us as part of alumni outreach efforts, by making a contribution to Rice, by participating in Rice sponsored events or by personal knowledge or recommendation of other alumni, students, faculty, or staff. Rice may also receive your personal information from third parties that Rice has contracted with to provide information about alumni or potential donors.

This data is used by Rice to provide you with information about our programs, opportunities for collaborations and engagement, and to foster involvement between current Rice students, alumni, and the community.

Development and Alumni Relations does not lend, sell or rent your personal information to any third party. Your name, address, phone number and credit card information will not be used outside of our organization. If you have comments or questions regarding Rice University’s Donor Privacy Policy, please contact Constituent Relations at 713-348-4615 or e-mail stewardship@rice.edu.

More information is available at:

http://giving.rice.edu/donor-resources/donor-privacy-bill-of-rights

Importantly, there are laws affect how your data may be used or shared by Rice, and that may provide you with additional rights.

  1. Information for Visitors at Rice

Rice may collect your personal data in a numbers of ways, including if you give it to Rice as part of participating in a campus function or event, purchasing tickets, making donations, or using Rice services.

If you use Rice certain programs or services such as the recreation center, library, disability services, parking, police or emergency medical services we may collect personal information from you that is relevant to providing that program or service. This information may also be used to contact you regarding other Rice activities or outreach efforts.

Additionally, for visitor services related to academic collaboration, information technology, some library services, and physical access privileges, you may be asked to submit additional information via our visitor information portal (http://visitor.rice.edu/). Information obtained from this form will be used to administer the services you are requesting.

If you are involved in an activity that involves interactions with minors, Rice may conduct a background check on you that may include things such as your criminal history. Rice ordinarily uses a third party vendor to conduct such background checks.

Importantly, there are laws that affect how your data may be used or shared by Rice, and may provide you with additional rights.

  1. OTHER POTENTIAL THIRD PARTY USES OF SENSITIVE INFORMATION

We may disclose your Sensitive Information and other Information as follows:

  • Consent: We may disclose Sensitive Information and other Information if we have your consent to do so.
  • Emergency Circumstances: We may share your Information, or your Sensitive Information, when necessary to protect your interests and when you are physically or legally incapable of providing consent.
  • Employment Necessity: We may share your Sensitive Information when necessary for administering benefits in accordance with applicable law and subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
  • Charitable Organizations: We may share your Information with other not-for-profit organizations in connection with charitable giving subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
  • Public Information: We may share your Information and Sensitive Information if you have manifestly made it public.
  • Archiving: We may share your Information and Sensitive Information for archiving purposes in the public interest, and for historical research, and statistical purposes.
  • Performance of a Contract: We may share your Information when necessary to administer a contract you have with the University.
  • Legal Obligation: We may share your Information when the disclosure is required or permitted by international, federal, or state laws and regulations.
  • Service Providers: We use third parties who have entered into a contract with the University to support the administration of University operations and policies. In such cases, we share your Information with such third parties subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
  • University Affiliated Programs: We may share your Information with parties that are affiliated with the University for the purpose of contacting you about goods, services, charitable giving or experiences that may be of interest to you.
  • De-Identified and Aggregate Information: We may use and disclose Information in de-identified or aggregate form without limitation.
  1. LEGAL BASIS UNDER GDPR

Rice will only process your information for lawful purposes under the GDPR. In most cases the lawful basis to collect and process your information is because it is necessary for the performance of a contract with you (e.g. to provide you with education services).

In many cases, the lawful basis will be the legitimate interests of Rice. In cases where “legitimate interest” is the legal basis, Rice will apply a balancing test to determine if our interest outweighs your fundamental rights in protecting such data.

Where neither of these two bases are appropriate, or if we are collecting sensitive information (what the GDPR refers to as “special categories of personal data”) then Rice will obtain your prior consent.

  1. SECURITY

We implement appropriate technical and organizational security measures to protect your information when you transmit it to us and when we store it on our information technology systems.