GDPR Policy

Help

European Union General Data Protection Regulation Policy

Definitions

The following definition of terms apply to this GDPR Policy:

Student - any person who attends or has attended Spring Hill College.

Personal Data - any record created in the European Union and transferred to Spring Hill College that is directly related to an identified or identifiable student, either directly or indirectly.  Examples of personal data include, but are not limited to, name, photo, email address, ID number, account number, user ID, address or other location data, IP address or other online identifier.

Directory Information under this GDPR Policy

Spring Hill College designates the following items as directory information: student name, address, telephone number, E-mail, photograph, date and place of birth, major, dates of enrollment, degrees conferred and dates of conferral, any graduation distinction, institutions attended prior to admission, participation in officially recognized activities and sports, and weight and height of members of athletic teams.  The College may disclose any of those items from personal data with written consent.

Procedures to Copy Personal Data

Students may obtain a copy of personal data that was processed by the College with their consent, or when the personal data was provided to the College to perform a contract with the student. The request for a copy should be made to the appropriate records custodian identified in the contract or the consent form.

Students should submit to the records custodian or an appropriate College staff person a written request that identifies as precisely as possible the personal data he or she wishes to copy, and any third party who the student authorizes to receive a copy. The College will provide a copy to a third party if technically feasible.

Spring Hill College reserves the right to refuse to permit a student to receive a copy of the following personal data:

  1. Personal data that contains the financial statement of the student's parents.
  2. Personal data that contains letters and statements of recommendation for which the student has waived his or her right of access, or which were maintained before May 25, 2018.
  3. Records which are excluded pursuant to the GDPR.

Procedures to Erase Personal Data

Students may request personal data be erased or destroyed when one of the following applies:

  1. Personal data is no longer necessary in relation to the purposes for which it was collected;
  2. Consent to use the personal data was obtained by the College and has been withdrawn by the student, and there is no other legal basis to permit the use of the personal data;
  3. The student objects to the use of his or her personal data and the student’s interest outweighs the legitimate interests of the College;
  4. The student objects to the use of the personal data for marketing or profiling related to direct marketing;
  5. The student’s data was unlawfully processed; or
  6. Destruction of the data is necessary to comply with EU or member state law.

Personal data is subject to the retention periods of applicable (1) federal law(s) and (2) College record retention schedule(s).  The College may not erase or destroy personal data until after the applicable retention period expires. In addition, the GDPR does not permit the College to erase or destroy personal data when the personal data is necessary for the exercise of the right to freedom of expression, to comply with a legal obligation under EU or member state law to which the College is subject, to establish, exercise or defend legal claims, to perform a task carried out in the public interest or in the exercise of official authority vested in the College, in the public interest in the area of public health, or for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes.

Procedures to Correct/Supplement Personal Data

Students have the right to ask to have personal data corrected or supplemented if complete. Following are the procedures for the correction or supplementation of personal data:

  1. A student must ask the appropriate official of Spring Hill College to amend personal data. In so doing, the student must identify the personal data to be corrected or supplemented and specify why the student believes it is inaccurate, misleading or incomplete.
  2. Spring Hill College may comply with the request or it may decide not to comply if the personal data is accurate, not misleading or complete. If it decides not to comply, Spring Hill will notify the student of the decision and advise the student of his or her right to a hearing to challenge the Spring Hill’s decision.
  3. Upon request, Spring Hill will arrange for a hearing and notify the student reasonably in advance, of the date, place and time of the hearing.
  4. The hearing will be conducted by a hearing officer who is a disinterested party; however, the hearing officer may be an official of the institution. The student shall be afforded a full and fair opportunity to present evidence relevant to the issues raised in the original request to amend the student's personal data. One or more individuals, including an attorney, may assist the student.
  5. Spring Hill College will prepare a written decision based solely on the evidence presented at the hearing. The decision will include a summary of the evidence presented and the reasons for the decision.
  6. If Spring Hill College decides that the personal data is inaccurate, misleading, or incomplete, it will amend the personal data and notify the student, in writing, that the personal data has been amended or supplemented.
  7. If Spring Hill College decides that the challenged personal data is not inaccurate, misleading, or incomplete, it will notify the student that he or she have a right to place in the record a statement commenting on the challenged information and/or a statement setting forth reasons for disagreeing with the decision.
  8. The statement will be maintained as a part of the student's personal data as long as the contested portion is maintained. If Spring Hill College discloses the contested portion of the personal data, it must also disclose the statement.

Procedures to Restrict the Processing of Personal Data

Students have the right to restrict the use of data when one of the following applies:

  1. The accuracy of personal data is contested for a defined period that is measurable by Spring Hill;
  2. The processing of the personal data is unlawful and the student opposes erasure;
  3. Spring Hill no longer needs the personal data but the student needs the personal data to establish, exercise or defend a legal claim; or
  4. The student demonstrates Spring Hill does not have a legitimate interest in the personal data.

If Spring Hill receives a request for restriction under the GDPR, Spring Hill will discontinue processing the student’s personal data for any purpose other than storage unless the student provides consent.  Spring Hill will also notify the recipients of the student’s personal data of the restriction(s) imposed.

Time to Respond

Spring Hill will respond within one month of receipt of a request to correct, supplement, erase, restrict, copy and object to use of personal data.  This time period may be extended by up to two additional months depending upon the complexity of the request and number of requests.  Spring Hill will notify the student in writing of the extension needed and the reason why.  If the College does not respond to the student within one month of receipt of request, the student will be notified of his/ her right to file a complaint with the applicable EU supervisory authority and seek a judicial remedy.

Fees for Copies of Records

A copy of personal data is provided free of charge unless the request is unfounded or repetitive; in such cases the College may either refuse to respond to the request or charge a reasonable fee to reimburse it for the cost of the copying.

Custodians of Educational Records

ADD TABLE FROM OTHER JICS HERE

Disclosure of Educational Records

Spring Hill College will disclose information from a student's educational records only with the written consent of the student, except that records may be disclosed without consent when the disclosure is:

  1. To school officials who have a legitimate educational interest in the records. A school official is:
    1. A person employed by the College in an administrative, supervisory, academic or research, or support staff position, including health or medical staff
    2. A person elected to the Board of Trustees.
    3. A person employed by or under contract to the College to perform a special task, such as an attorney or auditor.
    4. A person who is employed by the Spring Hill College Police Department.
    5. A student serving on an official committee, such as a disciplinary or grievance committee, or who is assisting another school official in performing his or her tasks.
    6. A school official has a legitimate educational interest if the official is:
    7. Performing a task that is specified in his or her position description or contract agreement.
    8. Performing a task related to a student's education.
    9. Performing a task related to the discipline of a student.
    10. Providing a service or benefit relating to the student or student's family, such as health care, counseling, job placement, or financial aid.
    11. Maintaining the safety and security of the campus.
  2. To officials of another school, upon request, in which a student seeks or intends to enroll. All records will be forwarded upon request by the student and with the student’s consent, with the understanding that the student has made the request and intends to enroll at another institution.
  3. To certain officials of the U. S. Department of Education, the Comptroller General, and state and local educational authorities, in connection with audit or evaluation of certain state or federally supported education programs.
  4. In connection with a student's request for or receipt of financial aid to determine the eligibility amount, or conditions of the financial aid, or to enforce the terms and conditions of the aid.
  5. For degree and enrollment verification wherein the consulting and reviewing institutions are considered school officials with a legitimate educational interest.
  6. To state and local officials or authorities if specifically required by a state law that was adopted before November, 19, 1974.
  7. To organizations conducting certain studies for or on behalf of the College.
  8. To accrediting organizations to carry out their functions.
  9. To parents of an eligible student who is claimed as a dependent for income tax purposes.
  10. To comply with a judicial order or a lawfully issued subpoena.
  11. To appropriate parties in a health or safety emergency.
  12. To individuals requesting directory information so designated by the College and in accordance with the eligible student.
  13. The results of any disciplinary proceeding conducted by the College against an alleged perpetrator of a crime of violence or non-forcible sex offenses.
  14. Alcohol or controlled substance. To parents or legal guardian of a student under the age of 21 in connection with use or possession of alcohol or a controlled substance in violation of federal, state or local law or of any institutional rule or policy.