Privacy Policy

PRIVACY NOTICES

OVERVIEW

Vanderbilt University (“VU”) handles a substantial amount of data and information about people. It is important that individuals have trust and confidence that VU will protect their privacy. VU recognizes the concerns of individuals regarding privacy and online data. VU strives to respect and protect the privacy expectations of the individuals who entrust the University with their personal information.

In principle, VU strives to:

  • Collect, store and use the minimum amount of personal information that is necessary for its legitimate business purposes, and to comply with applicable legal obligations.
  • Take reasonable steps to ensure the personal information VU manages is accurate and up-to-date.
  • Limit access to the personal information we hold to only those who need it for a legitimate, specific purpose.
  • Protect personal information through appropriate physical and technical security measures tailored to the sensitivity of the personal information.
  • Communicate with faculty, staff, students, contractors, post-doctoral fellows, temporary employees, and volunteers (collectively “VU Community Members”), campus and website visitors and others about how VU normally uses personal information.
  • Provide individuals opportunities to control their personal information, as permitted by applicable United States and international laws.
  • Consider privacy principles in the design of our projects or activities that involve the use of personal information (“privacy by design”).

SCOPE

VU’s Privacy Policy is generally applicable to activities that involve the collection or use of personal information by VU. It is meant to give a broad overview of these activities and VU’s approach to protecting privacy.

VU is a large organization, and it is difficult to provide a detailed picture of all the personal information collected and used by the institution. You may find more detailed information in specific privacy notices provided by the schools, departments, units, or groups with which you interact.

Personal information may be held by third parties on behalf of VU, or on cloud infrastructure. VU prioritizes information security/privacy controls in the evaluation of third-party contracts.

DEFINITIONS

Information includes electronic, optical, and paper formats, as well as textual and audio-visual communications.

Data means information held in a structured, logical format, in files, or in a database. Data may be held on local devices, on premises in managed IT infrastructure, or in the cloud.

Personal information is any information that relates to an identified or identifiable individual.

POLICY

Categories of Personal Information VU Collects and Uses

In general, VU collects and uses the following categories of information at an institutional level. These lists are not exhaustive but exemplary.

  • Student applicants: personal and family information related to the application and financial aid process, including supporting documentation, identification and contact information, information related to ethnic origin, if the prospective student chooses to disclose such information.
  • Students: information submitted as prospective students, information related to their academic record or academic performance, information about their activities on campus, disciplinary records, health records, biometric identifiers, security camera footage.
  • Faculty and staff applicants: contact information, biographic/application information.
  • Faculty and staff: contact information, biographic information, security video footage, information related to remuneration, to benefits, to family members, or to performance at work.
  • Visiting scholars and exchange students: contact information, biographic information, information related to visa status.
  • Subjects of research projects: as needed, contact information together with all information that is produced and observed in relation to the subject as part of the research project. More detail is provided to research subjects through the process of informed consent.
  • Alumni, donors, volunteers, and supporters: contact information, biographical information, events attendance and engagement, donor information.
  • Website visitors: the internet domain from which a visitor accesses the website, the IP address assigned to the visitor’s computer, the type of browser the visitor is using, the date and time of visit.
  • Network users: geolocation, device information
  • Minors: information to support child care center activities and programs, research studies involving minors, health records, operational programs for youth, admissions applicants, and information on matriculated students under 18.

How VU Uses Personal Information

VU only uses your personal information for legitimate and specific purposes and to facilitate the various operations of the University.

Broadly, VU uses personal information in the following ways:

  • To facilitate admission and provide higher education services for our current, former, and prospective students.
  • To manage the employment of our faculty members and staff.
  • To facilitate visits to our campus for visiting scholars and exchange students.
  • To deliver course material, facilitate engagement, and track attendance and completion for subscribers to our online courses.
  • To facilitate the attendance of persons who register for conferences, symposia, and other events.
  • To keep alumni and friends engaged in our community.
  • To enable participation of individuals who take part in our research projects and to support research findings.
  • To support website performance and enhance user experience .
  • To ensure our Community Members’ and visitors’ security and to protect our property.

Where VU gets Personal Information

VU receives personal information from multiple sources. Most often, VU gets this data directly from the data subject or under the direction of the data subject who has provided it to a third-party (for example, application for admission to VU through use of the Common App).

For more information on the data we collect when you visit our websites, read our website privacy notice.

Who Has Access to Your Information

VU employees may have access to your personally identifiable information for legitimate, specific purposes to facilitate the various operations of the University, as outlined above.

VU does not sell your information to third parties and but may use it to support the legitimate interests and operations of the University. VU may share information that does not personally identify you without restriction.

VU uses a variety of third-party services to help fulfill the University’s business. VU strives to be diligent with confidentiality, privacy, and security standards in conjunction with VU service providers, and we require them to ensure that they only use your personal information for the purposes of providing those services.

How VU Secures Your Information

VU recognizes the importance of maintaining the security of the information it collects and maintains, and we endeavor to protect information from unauthorized access. VU strives implement reasonable and best practice security measures are in place, including physical, administrative, and technical safeguards to protect your personal information.

Data Retention

VU strives to keep personal information in our records only as long as is necessary for the purposes they were collected and processed. Retention periods vary and are established considering our legitimate interests and all applicable legal requirements.

Privacy Policy Changes

This privacy policy may be updated from time to time. VU will post the date of last update.

Whom to Contact with Questions or Concerns

If you have any concerns or questions about how your personal information is used, please contact our Data Governance Office at privacy@vanderbilt.edu 

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)

FERPA is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

For more information about FERPA and your student data privacy, please visit our University Registrar site.

CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)

Persons under the age of 13 or their parents or guardians

COPPA imposes legal and regulatory requirements on certain operators of websites or online services directed to children under 13 years of age, and on certain operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. The Federal Trade Commission, United States’ consumer protection agency, enforces COPPA, which spells out what operators of websites and online services that are subject to COPPA must do to protect the privacy and safety of children under the age of 13 online when COPPA applies. VU, and the third parties with whom we work, sometimes collect data from children under the age of 13 or share such information with one another. The sharing and collection of such information is done in accordance with all applicable law, including COPPA to the extent it applies under the circumstances.

EUROPEAN UNION GENERAL DATA PROTECTION REGULATION (GDPR)

Persons within the European Union or other countries with national data privacy laws

In the context of data transfers, VU may be a data “controller” or “processor” with regard to certain activities as defined under the GDPR  as well as other international privacy laws. VU is committed to protecting the rights of individuals in compliance with the GDPR and other international privacy laws.

Lawful Basis for Collecting and Processing of Personal Information

Vanderbilt University is an institution of higher education involved in education, research, and public service. In order for VU to educate its students both in class and online, engage in research, and provide public service, it is essential, necessary, and VU has lawful bases to collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and public service programs. The lawful bases include, without limitation, admissions, registration, delivery of classroom, on-line, and study abroad education, grades, communications, employment, applied research, development, program analysis for improvements, and records retention.

Examples of data that VU may need to collect in connection with these lawful bases are: name, email address, IP address, physical address or other location identifier, photos, as well as some sensitive personal information obtained with prior consent.

Most of VU’s collection and processing of personal information will fall under the following categories:

  • Processing which is necessary for the purposes of the legitimate interests pursued by VU or third parties in providing education, employment, research and development, and public service.
  • Processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Processing which is necessary for compliance with a legal obligation to which VU is subject.
  • Processing for which the information subject has given consent for VU to use his or her personal information for one or more specific purposes.

There will be some instances where the collection and processing of personal information will be pursuant to other lawful bases.

VU AND THE GDPR

Types of Personal Information collected and how it will be used

VU collects a variety of personal information to meet one of its lawful basis, as referenced above. Most often the data is used for academic admissions, enrollment, educational programs, job hiring, provision of medical services to students, participation in research, development, and public service. Data typically includes name, address, transcripts, work history, information for payroll, research subject information, medical and health information (for student health services, or travel), and donations. If you have specific questions regarding the collection and use of your personal information, please contact VU’s Data Protection Officer.

If a data subject refuses to provide personal information that is required by VU in connection with one of VU’s lawful basis to collect such personal information, such refusal may make it impossible for VU to provide education, employment, research, or other requested services.

Rights of the Data Subject under the GDPR

If you are an individual data subject under the GDPR, you may obtain the following information and exercise the following rights:

  • the identity and the contact details of the controller and, where applicable, the controller’s representative;
  • the contact details of VU’s Data Protection Officer;
  • an explanation of the purposes and legal bases/legitimate interests of the data collection/processing;
  • the identification of the recipients of the personal information;
  • notice if VU intends to transfer personal information to another country or international organization;
  • notice of the time period that the personal data will be stored;
  • the right to access personal information, rectify incorrect personal information, erase personal information, restrict or object to processing, and the right to data portability;
  • the right to withdraw consent at any time, if processing is based on consent;
  • the right to lodge a complaint with a supervisory authority (established in the EU);
  • an explanation of why the personal information is required, and possible consequences of a failure to provide the data;
  • notice of the existence of automated decision-making, including profiling; and
  • notice if the collected data are going to be further processed for a purpose other than that for which it was collected.

Any data subject, to whom GDPR applies, who in good faith and reasonably intends to exercise any of the above-mentioned rights may do so by submitting such request to VU’s Data Protection Officer.

Data Protection Officer (DPO)

VU’s Data Protection Officers is Masood Sidiqyar.
The DPO can be contacted at DPO@vanderbilt.edu.

Security of Personal Information Subject to the GDPR

VU is committed to ensuring the security of your information. We have put in place reasonable physical, technical, and administrative safeguards designed to prevent unauthorized access to or use of the information collected online. All personal information collected or processed by VU under the scope of the GDPR will comply with the security controls and systems and process requirements and standards as set forth in VU’s Information Technology Policies.

Sharing your information

VU will not share your information with third parties except:

  • as necessary to meet one of VU’s lawful purposes, including but not limited to:
    • its legitimate interest,
    • contract compliance,
    • pursuant to consent provided by you,
    • as required by law.
  • as necessary to protect VU’s interests; or
  • with service providers acting on our behalf who have agreed to protect the confidentiality of the data.

RELATED DOCUMENTS/POLICIES

CONTACTS

ContactEmail
Data Governance Officeprivacy@vanderbilt.edu