European Union General Data Protection Regulation
Welcome to The University of Tennessee’s GDPR Resource Webpage. The University regularly handles a large amount of personal data, and it takes data privacy very seriously. Accordingly, the University works to ensure that its policies and processes are up-to-date. The introduction of the European Union’s General Data Protection Regulation (“GDPR”) in May 2018 provides the University an opportunity to further strengthen the way it protects personal data.
What is the GDPR?
The GDPR is a broad privacy regulation adopted by the EU that applies to “controllers” and “processors” of “personal data” received from individuals that are physically located in the EU. Such individuals are referred to as “data subjects” under the GDPR. The GDPR requires organizations that are “controllers” or “processors” to put significant safeguards in place regarding the collection, use, and processing of personal data of EU data subjects.
The GDPR applies to all organizations located within the EU. It also applies to other organizations, regardless of where they are located, that “control” or “process” the “personal data” of EU data subjects. This includes organizations that offer goods or services to people in the EU or collect data on or monitor people in the EU.
A university, as the entity who either directly collects or processes data from EU data subjects (for a variety of purposes including admissions, education, etc.) or indirectly collects or processes data via third parties, falls under the definition of a data “controller.” As such, a university is responsible for the actual data collection as well as any subsequent processing, storage – or anything else related to the data – regardless of whether the action is taken internally or externally.
The GDPR becomes effective on May 25, 2018. As with all privacy laws, the University takes seriously its compliance obligations under GDPR. University employees should become familiar with the University’s compliance obligations and make every reasonable effort to implement the appropriate steps for compliance in their duties as a University employees.
Where can I get more information about the GDPR?
Official text of the GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
The General Data Protection Regulation Explained (from Educause): https://er.educause.edu/articles/2017/8/the-general-data-protection-regulation-explained
European Commission’s Article 29 Working Party: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
United Kingdom’s Information Commissioner’s Office – Guide to the General Data Protection Regulation: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
What is UT doing to comply with the GDPR?
The University has been working diligently to prepare for the GDPR. Among other activities, each campus and institute and the University’s system administration have appointed a Data Protection Officer to manage GDPR compliance. Those individuals are working with other University employees, including representatives of the Office of General Counsel and Institutional Compliance, to begin implementing the University’s compliance efforts under the GDPR.
The working group has prepared model consent forms, model contract language, and model privacy notices that should be used for GDPR compliance purposes. Links to those documents, and summaries of how and when they should be used, are provided below:
This consent form should be used anytime you are collecting personal information from an individual that is physically located in the EU at time the individual provides the personal data. It should be revised as appropriate to reference the specific personal data that the University is collecting and the specific purpose(s) for which the University will use the data. The consent form should be signed/executed by the individual prior to the University collecting the personal data at issue.
Many of the University’s contractors and vendors are already incorporating GDPR language into their contracts. Any new contract or contract amendment containing GDPR provisions should be processed and reviewed according to the University’s Contract Policy.
If the University is negotiating with a contractor or vendor that will be holding or processing “personal data” for the University, as defined under the GDPR, and that contractor or vendor does not offer GDPR contract language, the University should ask that this model GDPR contract language be added to the parties’ contract.
The GDPR applies to the processing of personal data that is collected from individuals in the EU when they visit University websites. It also applies to the monitoring of people located in the EU though University website and cookies. If your department’s website collects personal data about visitors, including the IP addresses, you should add this GDPR privacy notice in an easily visible location on the website.
As with any new law, it will take some time for organizations around the world to sort through, understand, and determine the full implications of the GDPR requirements, and to determine how best to meet them. Watch for more information on this webpage as UT’s GDPR working group continues its work. Additional documents and resources will be posted on the GDPR resource webpage, so please visit it often if you work in an office that interacts with individuals located in the EU.
Are the activities of my office/department subject to the GDPR?
If you collect personal data from individuals when they are located in the EU, then those activities are likely subject to the GDPR. Such activities and functions may include, but are not limited to, the following: study abroad activities; operation of campuses and programs in the EU; admissions and financial aid; online learning and distance education; online sales of University merchandise; research activities; procurement and contracting with entities in the EU; development; and alumni relations. Also, University websites and cookies may be subject to the GDPR when visited by individuals in the EU.
What is “personal data” under the GDPR?
“Personal data” means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Is my office at UT “controlling” or “processing” personal data?
“Processing” means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
What do I need to do if my office is subject to the GDPR?
If your activities are subject to the GDPR, there must be a “lawful basis”
- The University has written consent of the data subject (means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”).
- The University has a contract with the data subject.
- The collection or processing is necessary in order to protect “vital interests” of the data subject or another natural person (i.e., risk to life or serious harm).
Who are UT’s Data Protection Officers?
- UT Knoxville: Joel Reeves, Associate Vice Chancellor and CIO
- UT Chattanooga: Richard Brown, Executive Vice Chancellor for Administration and Finance
- UT Martin: Amy Belew, Chief Information Officer
- UT Health Science Center: Melanie Burlison, Assistant Vice Chancellor for Compliance and Special Projects
- UT Institute of Agriculture: Sandy Lindsey, Chief Information Security Officer
- UT Institute for Public Service: Scott Gordy, Chief Information Security Officer
- UT Foundation: Michael Carter, Assistant Vice President of Advancement Services
- UT System Administration: Robert Ridenour, Chief Information Security Officer
Who can I contact with questions or to request more information?
If you have questions about the GDPR, you should contact the Data Protection Officer for your campus or institute at firstname.lastname@example.org or the Office of General Counsel.