Privacy & Data Protection Policy
Introduction
The New School is committed to privacy by design and by default and supports the privacy rights of individuals with whom it works including students, faculty, staff, visitors, alumni, donors, and research participants.
Definitions
Special terms used in this document will be Capitalized and underlined, signifying that they have special meaning. A comprehensive glossary of terms, with examples, can be found at ispo.newschool.edu/glossary.
Purpose
This policy establishes The New School’s approach to privacy and data protection based on the principle that handling Personal Data appropriately and in compliance with applicable laws and regulations:
- is the right thing to do,
- enhances trust, and
- protects the university’s relationship with its stakeholders.
This policy is intended to set forth the responsibilities of the university, its Workforce Members, and its students to comply with the provisions of applicable privacy and data protection laws and regulations. It is accompanied by a Data Protection Handbook (the “Handbook”) that provides information and guidance on different aspects of privacy and data protection. This policy and the Handbook form the framework that anyone Processing Personal Data at or on behalf of The New School should follow to ensure compliance.
The New School’s approach to privacy is guided by the National Institute of Standards and Technology (NIST) Privacy Framework, which has been widely adopted by both public and private sector organizations throughout the United States. The NIST Privacy Framework provides a framework for privacy risk management, including data processing identification, data processing safeguards, data management, data subject notification, and incident response. The university’s approach is also informed by the data protection policies and standards of European universities, which have operated under comprehensive data protection regulatory compliance frameworks for more than two decades.
Scope
This policy applies to all Workforce Members and students in all cases where The New School is a Data Controller or a Data Processor of Personal Data. The policy applies in these cases regardless of who created the data, where it is held, or the ownership of the systems and software used in its Processing.
Policy statement
When acting as a Data Controller The New School has a responsibility to implement and comply with applicable privacy and data protection laws and regulations. When Processing Personal Data, the university must abide by seven principles of data protection:
- lawfulness, fairness, and transparency;
- purpose limitation;
- data minimization;
- accuracy;
- storage limitation;
- integrity and confidentiality; and
- accountability.
Details of these principles can be found in the Data Protection Handbook.
Data security
All New School users of Personal Data must ensure that such data is always held securely and not disclosed accidentally, negligently, or intentionally to any unauthorized third party. The Information Security Policy, the Acceptable Use Policy, and the Standard for Handling Institutional Information must be read in conjunction with this Privacy and Data Protection Policy. See Data Protection Handbook - 1. Data Security for additional information.
Privacy notices
When The New School collects Personal Data from individuals, the requirement for “fairness and transparency” must be adhered to. See Data Protection Handbook - 2. Privacy Notices for additional information.
Conditions of processing / lawfulness
In order to meet the “lawfulness” requirement, the Processing of Personal Data must meet at least one the following conditions:
- the Data Subject has given consent to the Processing of their Personal Data for one or more specific purposes;
- the Processing is necessary for the performance of a contract to which the Data Subject is party;
- the Processing is necessary for compliance with a legal obligation to which The New School is subject;
- the Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
- the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in The New School; or
- the Processing is necessary for the purposes of the legitimate interests pursued by The New School or by a third party.
For Special Categories of Personal Data, at least one of the following conditions must also be met:
- the Data Subject has given explicit consent to the Processing of their Special Categories of Personal Data for one or more specific purposes;
- the Processing is necessary for the purposes of employment, social security, and social protection law;
- the Processing is necessary to protect someone’s vital interests;
- the Processing is carried out by a not-for-profit body;
- the Processing is manifestly made public by the Data Subject;
- the Processing is necessary for legal claims;
- the Processing is necessary for reasons of substantial public interest;
- the Processing is necessary for the purposes of medicine, the provision of health or social care or treatment, or the management of health or social care systems and services;
- the Processing is necessary for public health; or
- the Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes subject to certain safeguards.
See Data Protection Handbook - 3. Lawfulness for additional information.
Data retention
Personal Data must not be kept longer than necessary for the purposes for which it was originally collected. This applies to all Personal Data, whether held on core systems, local desktops, laptops or mobile devices, or held on paper. If the data is no longer required, it must be securely deleted or destroyed. See Data Protection Handbook - 4. Retention for additional information.
Privacy by design and by default
The New School has an obligation to consider the impact Processing activities may have on data privacy. This includes implementing appropriate technical and organizational safeguards to minimize the potential negative impact Processing can have on the Data Subjects’ privacy, both at the time of the determination of the means for Processing and at the time of the Processing itself. See Data Protection Handbook - 12. Policy by Design and by Default for additional information.
Data Protection Impact Assessment
When contemplating new Processing activities or setting up new procedures or systems that involve Personal Data, privacy issues must always be considered at the earliest stage and a Data Protection Impact Assessment (DPIA) must be performed. The DPIA is a mechanism for identifying and examining the impact of new initiatives and putting in place measures to minimize or reduce risks during the design stages of a process and throughout the life cycle of the initiative. This will ensure that privacy and data protection control requirements are not an afterthought. More information can be found in the Data Protection Impact Assessment Guide.
Anonymization and pseudonymization
To further reduce the risks associated with handling Personal Data, Anonymization or Pseudonymization should be applied to the data. Wherever possible, Personal Data must be Anonymized or, where that is not possible, Pseudonymized. More information can be found in the Anonymization & Pseudonymization guidance.
Data subject rights
The New School, when acting as a Data Controller, endeavors to provide Data Subjects with privacy rights that include:
- the right of access;
- the right to rectification;
- the right to erasure (“right to be forgotten”);
- the right to Restriction of Processing;
- the right to be informed;
- the right to data portability;
- the right to object; and
- the right not to be subject to a decision based solely on automated Processing, including Profiling.
Additional information on the below data subject rights may be found in Data Protection Handbook - 8. Data Subject Rights.
Data subject access requests and the right to data portability
Individuals have the right to request to see or receive copies of any Personal Data The New School holds about them, and in certain circumstances to have that data provided in a structured, commonly used and machine readable format so it can be forwarded to another Data Controller.
Workforce Members receiving a data subject access request must follow the data subject access request procedures contained in Data Protection Handbook - 8. Data Subject Rights.
Right to erasure, to restrict processing, to rectification, and to object
In certain circumstances Data Subjects have the right to have their Personal Data erased. This only applies
- where the data is no longer required for the purpose for which it was originally collected, or
- where the Data Subject withdraws consent, or
- where the data is being Processed unlawfully.
In some circumstances, Data Subjects may not wish to have their Personal Data erased but rather have any further Processing of the data restricted.
If Personal Data is inaccurate, Data Subjects have the right to require The New School to rectify inaccuracies. In some circumstances, if Personal Data is incomplete, the Data Subject can also require the university to complete the data, or to record a supplementary statement.
Data Subjects have the right to object to specific types of Processing such as Processing for direct marketing, research, or statistical purposes. The Data Subject must demonstrate grounds for objecting to the Processing relating to their particular situation except in the case of direct marketing, where it is an absolute right.
Workforce Members receiving any of these requests should not act or respond but instead should contact the Information Security and Privacy Office immediately.
Rights in relation to automated decision making and profiling
In the case of automated decision making and Profiling that may have significant effects on Data Subjects, they have the right to either have the decision reviewed by a human being or to not be subject to this type of decision making at all. These requests must be forwarded to the Information Security and Privacy Office immediately.
Data sharing
When Personal Data is transferred internally from one New School organizational unit to another, the receiving unit must only Process the data in a manner consistent with the original purpose for which it was collected. If Personal Data is shared internally for a new and different purpose, a new privacy notice must be provided to the Data Subjects.
When Personal Data is transferred externally, a legal basis must be determined and a data sharing agreement between the university and the third party must be signed, unless disclosure is required by law or the third party requires the data for law enforcement purposes. See Data Protection Handbook - 5. Data Sharing for additional information.
Transfers of personal data outside the EEA
Personal Data may only be transferred out of the European Economic Area when there are safeguards in place to ensure an adequate level of protection for the data. For transfers of Personal Data to a receiving party in the United States, the Privacy Shield Agreement between the European Union and the United States of America provides sufficient protection. Before transferring data, the Privacy Shield website should be consulted to determine whether the receiving party is on the Privacy Shield List.
If the receiving party is not on the Privacy Shield list, then the contract between the receiving party and The New School must include a Data Processing Addendum that incorporates the European Commission’s Standard Contractual Clauses for data transfers between EU and non-EU countries (either the controller-to-controller or controller-to-processor clauses, as appropriate).
Workforce Members involved in transferring Personal Data to other countries must ensure that appropriate safeguards are in place before agreeing to any such transfer. See Data Protection Handbook - 7. Data Transfer Outside the European Economic Area (EEA) for additional information.
Direct marketing
Direct marketing covers not only the communication of material about the sale of products and services to individuals, but also the promotion of aims and ideals. For The New School, this includes notifications about events, fund raising, and offering of goods or services regardless of whether a payment by the Data Subject is required. Marketing covers all forms of communications, such as contact by post, fax, telephone, and electronic messages. The university must ensure that it always complies with relevant legislation every time it undertakes direct marketing and must cease all direct marketing activities if an individual requests it to stop. See Data Protection Handbook - 13. Direct Marketing for additional information.
Websites
All websites and web applications operated by or on behalf of The New School must include:
- A prominent link, on every page, to a privacy notice that describes how the website collects Personal Data and how that data is used, stored, transferred, and protected.
- A prominent message, displayed when a user first visits the site and every time thereafter until the user affirmatively acknowledges it, seeking the user’s consent to store “cookies” on the user’s computer.
See Data Protection Handbook - 14. Websites for additional information.
Training
Any individual within the scope of this policy must complete the Privacy and Data Protection Training.
Breaches
The New School is responsible for ensuring appropriate and proportionate security for the Personal Data that it holds. This includes protecting the data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. The university makes reasonable efforts to avoid privacy and data protection incidents, however, it is possible that incidents will occur on occasion. For example, Personal Data Breaches might occur through:
- Unauthorized or accidental disclosure, modification, or deletion
- Theft or loss of data or equipment
- Unauthorized access
- Hacking attack
- Human error
If a Personal Data Breach occurs, the university may be required to notify relevant authorities in a timely manner. Any member of the university community who encounters something they believe may be a Personal Data Breach must report it immediately to IT Central and the Information Security and Privacy Office.
Details of how to report a breach and the information that will be required may be found in the Data Protection Handbook - 19. Personal Data Breaches.
Roles and responsibilities
The Information Security and Privacy Office and the Privacy and Security Compliance function within the Information Technology department monitor and advise on compliance with applicable privacy and data protection laws and regulations. However, responsibility for compliance and the consequences of any breaches remains with the President’s Leadership Team and the Data Owners in individual organizational units. Information and advice can be obtained from the Information Security and Privacy Office and the Office of the General Counsel.
President’s Leadership Team
The members of the President’s Leadership Team are accountable for exercising due diligence in protecting Personal Data used within their area of responsibility by ensuring compliance with this policy and applicable privacy and data protection laws and regulations. They are also accountable for compliance in any subsidiary unit within their management (e.g., institutes, centers, research groups, and multi-disciplinary organizations).
Data Owners
Data Owners are responsible for maintaining the protection of datasets containing Personal Data by ensuring compliance with this policy and applicable privacy and data protection laws and regulations, and by developing and encouraging good information handling practices among their datasets’ communities of users.
Data users
All users of Personal Data within the university have a responsibility to ensure that they Process the data in accordance with the principles of data protection and the other conditions set forth in applicable privacy and data protection laws and regulations.
Handling research data
Before beginning any research that will involve obtaining or using Personal Data and Special Categories of Personal Data, researchers must give proper consideration to this policy and the guidance contained in the Handbook and how these will be properly complied with. Researchers must ensure that the fairness, transparency, and lawfulness principle is adhered to and that privacy by design and by default is applied. This means, among other things, that wherever feasible, research data must be Anonymized or Pseudonymized at the earliest possible time. See Data Protection Handbook - 9. Research for additional information.
Handling of research data by students
The use of Personal Data by students is governed by the following:
- Where a student collects and Processes Personal Data in order to pursue a course of study with the university, and this course of study is not part of a university-led project, the student rather than the university is the Data Controller for the Personal Data used in the research. If the data are extracted from a database already held by the university, the university remains the Data Controller for the database, but the student will be the Data Controller for the extracted data.
- Once a thesis containing Personal Data is submitted for assessment, the university becomes the Data Controller for that Personal Data.
- Where a research student Processes Personal Data while working on a project led by a university research group, the university is the Data Controller.
Academic and academic-related staff must ensure that students they supervise are aware of the following:
- A student should only use Personal Data for a university-related purpose with the knowledge and express consent of an appropriate member of academic staff (normally, for a postgraduate, this would be the supervisor, and for an undergraduate the person responsible for teaching the relevant class/course).
- The use of university-related Personal Data by students should be limited to the minimum consistent with the achievement of academic objectives. Wherever possible data should be Anonymized so that students are not able to identify the Data Subjects.
See Data Protection Handbook - 10. Student Research for additional information.
References
- National Institute of Standards and Technology. NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management. January 16, 2020. Available from nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf.
- European Parliament and the Council of the European Union. Regulation (EU) 2016/679 of the European Parliament and the Council of the European Union of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (General Data Protection Regulation). Adopted April 27, 2016. Effective May 25, 2018. Available from eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
Compliance and review
Failure to comply with this policy or its supporting standards, whether deliberate or due to careless disregard, will be treated as serious misconduct and may result in actions including (but not limited to) disciplinary action, dismissal, and civil and/or criminal proceedings.
This policy is reviewed on a periodic basis and updated as necessary by the Information Security and Privacy Office to ensure it remains accurate, relevant, and fit for purpose.