Privacy and Data Protection Policy

Introduction

The New School is committed to privacy by design and by default and supports the privacy rights of individuals with whom it works including students, faculty, staff, visitors, alumni, donors, and research participants.

Purpose

This policy establishes The New School’s approach to privacy and data protection based on the principle that handling Personal Data appropriately and in compliance with applicable laws and regulations:

• is the right thing to do,
• enhances trust, and
• protects the university’s relationship with its stakeholders.

This policy is intended to set forth the responsibilities of the university, its Workforce Members, and its students to comply with the provisions of applicable privacy and data protection laws and regulations. It is accompanied by a Data Protection Handbook (the “Handbook”) that provides information and guidance on different aspects of privacy and data protection. This policy and the Handbook form the framework that anyone Processing Personal Data at or on behalf of The New School should follow to ensure compliance.

The New School’s approach to privacy is guided by the National Institute of Standards and Technology (NIST) Privacy Framework, which has been widely adopted by both public and private sector organizations throughout the United States. The NIST Privacy Framework provides a framework for privacy risk management, including data processing identification, data processing safeguards, data management, data subject notification, and incident response. The university’s approach is also informed by the data protection policies and standards of European universities, which have operated under comprehensive data protection regulatory compliance frameworks for more than two decades.

Scope

This policy applies to all Workforce Members and students in all cases where The New School is a Data Controller or a Data Processor of Personal Data. The policy applies in these cases regardless of who created the data, where it is held, or the ownership of the systems and software used in its Processing.

Definitions

Special terms used in this document will be Capitalized and underlined, signifying that they have special meaning. A comprehensive glossary of terms, with examples, can be found at https://ispo.newschool.edu/glossary/.

Policy statement

When acting as a Data Controller The New School has a responsibility to implement and comply with applicable privacy and data protection laws and regulations. When Processing Personal Data, the university must abide by seven principles of data protection:

1. lawfulness, fairness, and transparency;
2. purpose limitation;
3. data minimization;
4. accuracy;
5. storage limitation;
6. integrity and confidentiality; and
7. accountability.

Details of these principles can be found in the Handbook.

Data security

All New School users of Personal Data must ensure that such data is always held securely and not disclosed accidentally, negligently, or intentionally to any unauthorized third party. The Information Security Policy, the Acceptable Use Policy, and the Standard for Handling Institutional Information must be read in conjunction with this Privacy and Data Protection Policy.

More information can be found in the Data security section of the Handbook.

Privacy notices

When The New School collects Personal Data from individuals, the requirement for “fairness and transparency” must be adhered to. More information can be found in the Privacy notices section of the Handbook.

Conditions of processing / lawfulness

In order to meet the “lawfulness” requirement, the Processing of Personal Data must meet at least one the following conditions:

1. the Data Subject has given consent to the Processing of their Personal Data for one or more specific purposes;
2. the Processing is necessary for the performance of a contract to which the Data Subject is party;
3. the Processing is necessary for compliance with a legal obligation to which The New School is subject;
4. the Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
5. the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in The New School; or
6. the Processing is necessary for the purposes of the legitimate interests pursued by The New School or by a third party.

For Special Categories of Personal Data, at least one of the following conditions must also be met:

1. the Data Subject has given explicit consent to the Processing of their Special Categories of Personal Data for one or more specific purposes;
2. the Processing is necessary for the purposes of employment, social security, and social protection law;
3. the Processing is necessary to protect someone’s vital interests;
4. the Processing is carried out by a not-for-profit body;
5. the Processing is manifestly made public by the Data Subject;
6. the Processing is necessary for legal claims;
7. the Processing is necessary for reasons of substantial public interest;
8. the Processing is necessary for the purposes of medicine, the provision of health or social care or treatment, or the management of health or social care systems and services;
9. the Processing is necessary for public health; or
10. the Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes subject to certain safeguards.

More information can be found in the Lawfulness section of the Handbook.

Data retention

Personal Data must not be kept longer than necessary for the purposes for which it was originally collected. This applies to all Personal Data, whether held on core systems, local desktops, laptops or mobile devices, or held on paper. If the data is no longer required, it must be securely deleted or destroyed.

More information can be found in the Retention section of the Handbook.

Privacy by design and by default

The New School has an obligation to consider the impact Processing activities may have on data privacy. This includes implementing appropriate technical and organizational safeguards to minimize the potential negative impact Processing can have on the Data Subjects’ privacy, both at the time of the determination of the means for Processing and at the time of the Processing itself.

More information can be found in the Privacy by design and by default section of the Handbook.

Data Protection Impact Assessment

When contemplating new Processing activities or setting up new procedures or systems that involve Personal Data, privacy issues must always be considered at the earliest stage and a Data Protection Impact Assessment (DPIA) must be performed. The DPIA is a mechanism for identifying and examining the impact of new initiatives and putting in place measures to minimize or reduce risks during the design stages of a process and throughout the life cycle of the initiative. This will ensure that privacy and data protection control requirements are not an afterthought.

More information can be found in the Data Protection Impact Assessment Guide.

Anonymization and pseudonymization

To further reduce the risks associated with handling Personal Data, Anonymization or Pseudonymization should be applied to the data. Wherever possible, Personal Data must be Anonymized or, where that is not possible, Pseudonymized.

More information can be found in the Anonymization & Pseudonymization guidance.

Data subject rights

The New School, when acting as a Data Controller, endeavors to provide Data Subjects with privacy rights that include:

1. the right of access;
2. the right to rectification;
3. the right to erasure (“right to be forgotten”);
4. the right to Restriction of Processing;
5. the right to be informed;
6. the right to data portability;
7. the right to object; and
8. the right not to be subject to a decision based solely on automated Processing, including Profiling.

Data subject access requests and the right to data portability

Individuals have the right to request to see or receive copies of any Personal Data The New School holds about them, and in certain circumstances to have that data provided in a structured, commonly used and machine readable format so it can be forwarded to another Data Controller.

Workforce Members receiving a data subject access request must follow the data subject access request procedures contained in the Data subject rights section of the Handbook.

Right to erasure, to restrict processing, to rectification, and to object

In certain circumstances Data Subjects have the right to have their Personal Data erased. This only applies

• where the data is no longer required for the purpose for which it was originally collected, or
• where the Data Subject withdraws consent, or
• where the data is being Processed unlawfully.

In some circumstances, Data Subjects may not wish to have their Personal Data erased but rather have any further Processing of the data restricted.

If Personal Data is inaccurate, Data Subjects have the right to require The New School to rectify inaccuracies. In some circumstances, if Personal Data is incomplete, the Data Subject can also require the university to complete the data, or to record a supplementary statement.

Data Subjects have the right to object to specific types of Processing such as Processing for direct marketing, research, or statistical purposes. The Data Subject must demonstrate grounds for objecting to the Processing relating to their particular situation except in the case of direct marketing, where it is an absolute right.

Workforce Members receiving any of these requests should not act or respond but instead should contact the Information Security and Privacy Office immediately.

More information can be found in the Data subject rights section of the Handbook.

Rights in relation to automated decision making and profiling

In the case of automated decision making and Profiling that may have significant effects on Data Subjects, they have the right to either have the decision reviewed by a human being or to not be subject to this type of decision making at all. These requests must be forwarded to the Information Security and Privacy Office immediately.

More information can be found in the Data subject rights section of the Handbook.

Data sharing

When Personal Data is transferred internally from one New School organizational unit to another, the receiving unit must only Process the data in a manner consistent with the original purpose for which it was collected. If Personal Data is shared internally for a new and different purpose, a new privacy notice must be provided to the Data Subjects.

When Personal Data is transferred externally, a legal basis must be determined and a data sharing agreement between the university and the third party must be signed, unless disclosure is required by law or the third party requires the data for law enforcement purposes.

More information can be found in the Data sharing section of the Handbook.

Transfers of personal data outside the EEA

Personal Data may only be transferred out of the European Economic Area when there are safeguards in place to ensure an adequate level of protection for the data. For transfers of Personal Data to a receiving party in the United States, the Privacy Shield Agreement between the European Union and the United States of America provides sufficient protection. Before transferring data, the Privacy Shield website should be consulted to determine whether the receiving party is on the Privacy Shield List.

If the receiving party is not on the Privacy Shield list, then the contract between the receiving party and The New School must include a Data Processing Addendum that incorporates the European Commission’s Standard Contractual Clauses for data transfers between EU and non-EU countries (either the controller-to-controller or controller-to-processor clauses, as appropriate).

Workforce Members involved in transferring Personal Data to other countries must ensure that appropriate safeguards are in place before agreeing to any such transfer.

More information can be found in the Data transfer outside the EEA section of the Handbook.

Direct marketing

Direct marketing covers not only the communication of material about the sale of products and services to individuals, but also the promotion of aims and ideals. For The New School, this includes notifications about events, fund raising, and offering of goods or services regardless of whether a payment by the Data Subject is required. Marketing covers all forms of communications, such as contact by post, fax, telephone, and electronic messages. The university must ensure that it always complies with relevant legislation every time it undertakes direct marketing and must cease all direct marketing activities if an individual requests it to stop.

More information can be found in the Direct marketing section of the Handbook.

Websites

All websites and web applications operated by or on behalf of The New School must include:

1. A prominent link, on every page, to a privacy notice that describes how the website collects Personal Data and how that data is used, stored, transferred, and protected.
2. A prominent message, displayed when a user first visits the site and every time thereafter until the user affirmatively acknowledges it, seeking the user’s consent to store “cookies” on the user’s computer.

More information can be found in the Websites section of the Handbook.

Training

Any individual within the scope of this policy must complete the Privacy and Data Protection Training.

Breaches

The New School is responsible for ensuring appropriate and proportionate security for the Personal Data that it holds. This includes protecting the data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. The university makes reasonable efforts to avoid privacy and data protection incidents, however, it is possible that incidents will occur on occasion. For example, Personal Data Breaches might occur through:

• Unauthorized or accidental disclosure, modification, or deletion
• Theft or loss of data or equipment
• Unauthorized access
• Hacking attack
• Human error

If a Personal Data Breach occurs, the university may be required to notify relevant authorities in a timely manner. Any member of the university community who encounters something they believe may be a Personal Data Breach must report it immediately to IT Central and the Information Security and Privacy Office.

Details of how to report a breach and the information that will be required are included in the Personal Data breaches section of the Handbook.

Roles and responsibilities

The Information Security and Privacy Office and the Privacy and Security Compliance function within the Information Technology department monitor and advise on compliance with applicable privacy and data protection laws and regulations. However, responsibility for compliance and the consequences of any breaches remains with the President’s Leadership Team and the Data Owners in individual organizational units. Information and advice can be obtained from the Information Security and Privacy Office and the Office of the General Counsel.

President’s Leadership Team

The members of the President’s Leadership Team are accountable for exercising due diligence in protecting Personal Data used within their area of responsibility by ensuring compliance with this policy and applicable privacy and data protection laws and regulations. They are also accountable for compliance in any subsidiary unit within their management (e.g., institutes, centers, research groups, and multi-disciplinary organizations).

Data Owners

Data Owners are responsible for maintaining the protection of datasets containing Personal Data by ensuring compliance with this policy and applicable privacy and data protection laws and regulations, and by developing and encouraging good information handling practices among their datasets’ communities of users.

Data users

All users of Personal Data within the university have a responsibility to ensure that they Process the data in accordance with the principles of data protection and the other conditions set forth in applicable privacy and data protection laws and regulations.

Handling research data

Before beginning any research that will involve obtaining or using Personal Data and Special Categories of Personal Data, researchers must give proper consideration to this policy and the guidance contained in the Handbook and how these will be properly complied with. Researchers must ensure that the fairness, transparency, and lawfulness principle is adhered to and that privacy by design and by default is applied. This means, among other things, that wherever feasible, research data must be Anonymized or Pseudonymized at the earliest possible time.

More information can be found in the Research section of the Handbook.

Handling of research data by students

The use of Personal Data by students is governed by the following:

• Where a student collects and Processes Personal Data in order to pursue a course of study with the university, and this course of study is not part of a university-led project, the student rather than the university is the Data Controller for the Personal Data used in the research. If the data are extracted from a database already held by the university, the university remains the Data Controller for the database, but the student will be the Data Controller for the extracted data.
• Once a thesis containing Personal Data is submitted for assessment, the university becomes the Data Controller for that Personal Data.
• Where a research student Processes Personal Data while working on a project led by a university research group, the university is the Data Controller.

Academic and academic-related staff must ensure that students they supervise are aware of the following:

• A student should only use Personal Data for a university-related purpose with the knowledge and express consent of an appropriate member of academic staff (normally, for a postgraduate, this would be the supervisor, and for an undergraduate the person responsible for teaching the relevant class/course).
• The use of university-related Personal Data by students should be limited to the minimum consistent with the achievement of academic objectives. Wherever possible data should be Anonymized so that students are not able to identify the Data Subjects.

More information can be found in the Student research section of the Handbook.

References

• National Institute of Standards and Technology. NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management. January 16, 2020. Available from https://www.nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf.
• European Parliament and the Council of the European Union. Regulation (EU) 2016/679 of the European Parliament and the Council of the European Union of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (General Data Protection Regulation). Adopted April 27, 2016. Effective May 25, 2018. Available from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.

Compliance and review

Failure to comply with this policy or its supporting standards, whether deliberate or due to careless disregard, will be treated as serious misconduct and may result in actions including (but not limited to) disciplinary action, dismissal, and civil and/or criminal proceedings.

This policy is reviewed on a periodic basis and updated as necessary by the Information Security and Privacy Office to ensure it remains accurate, relevant, and fit for purpose.

Document history

Date	Author	Description
Jun 2020	D. Curry	Initial publication
Nov 2020	D. Curry	Added section on websites

Parts of this policy are adapted from the University of Edinburgh’s data protection policy, the contents of which are used with permission.