Data Protection Handbook

Introduction

The New School supports the privacy rights of all those with whom it works, including, but not limited to, students, faculty, staff, visitors, alumni, and research participants and is committed to privacy by design and by default.

Purpose

This standard provides information about the factors that must be considered, and the actions that must be taken, to ensure that Processing of Personal Data by The New School meets the requirements of all applicable laws and regulations.

Scope

This standard applies to all Workforce Members and students in all cases where The New School is a Data Controller or a Data Processor of Personal Data. The standard applies in these cases regardless of who created the data, where it is held, or the ownership of the systems and software used in its Processing.

Definitions

Special terms used in this document will be Capitalized and underlined, signifying that they have special meaning. A comprehensive glossary of terms, with examples, can be found at https://ispo.newschool.edu/glossary/.

Requirements

Before embarking on any Processing of Personal Data, whether sharing Personal Data with a third party, using a new online tool, marketing a new program, or any other action that involves the use of Personal Data, consider the following questions:

• Is use of the data really necessary?
• Could Anonymized or pseudonymized data be used instead?
• Are there alternative ways the same objective(s) can be achieved without using or sharing Personal Data?
• Does The New School have a legal basis for the Processing (e.g., the Data Subject has given consent, or the data is needed to perform a contract)?
• Has the Data Subject been informed of the Processing (i.e., been provided with a privacy notice)?
• Will the data be secure throughout the Processing?
• Will the data be shared with a third party, or transferred outside the European Economic Area? If so, are the necessary safeguards and permissions in place?
• If new systems/processes are being created/established, have the principles of privacy by design and by default been followed, and has a Data Protection Impact Assessment performed?

If, having considered the points above, the Processing of Personal Data is deemed necessary, then the information in the sections below will provide more details about the factors that must be considered and the actions that must be taken to ensure the Processing meets the requirements of the GDPR and other applicable privacy laws and regulations.

Data security

The Information Security and Privacy Office (ISPO) is responsible for developing, implementing, maintaining, and operating the New School Information Security and Privacy Program. The ISPO encourages a risk-based approach to information security risks, built around the generally accepted principles of confidentiality, integrity, and availability. The ISPO is responsible for leading university information security initiatives, providing strategic advice on existing and emerging information security threats, and delivering security awareness training to support these activities.

The Information Security and Privacy Office website contains all the necessary policies, standards, and guidance to ensure that information is properly protected during Processing. The site also provides links to security and privacy training courses for faculty, staff, and students.

Privacy notices

The principle of lawfulness, fairness, and transparency requires The New School to provide Data Subjects with a privacy notice to inform them about how their Personal Data will be Processed.

A privacy notice must be:

• easily accessible,
• provided at the time data is collected, and
• written in a clear and concise manner.

The notice must provide the Data Subject with several specific pieces of information, including:

• Contact information for the university in its capacity as Data Controller, and, where applicable, the university’s representative in the European Union
• The purpose(s) of the Processing for which the data is intended, and the legal basis for the Processing
• The recipients (or categories of recipients) of the data (including New School organizational units, third-party service providers, government agencies, etc.)
• Were applicable, details of any transfer of the data to a country outside the European Economic Area
• The period for which the data will be kept, or the criteria used to determine that period
• The Data Subject’s individual rights to the data (access, rectification, erasure, restriction on processing, objection to processing, and portability)
• The Data Subject’s right to file a complaint with a supervisory authority
• What information is required to be provided (if any), and the consequences of not providing it
• Whether the data will be Profiled or automatically processed and the possible consequences for the Data Subject of such processing

The New School privacy notices can be found in the Policies➜Privacy Notices section of the IPSO website. Where Personal Data is Processed outside of situations covered by these notices, a separate consent form or privacy notice must be provided by the organizational unit or business function Processing the data. Examples are conference registrations, newsletters, and student applications directly to a School.

Lawfulness

Whenever the university Processes Personal Data in any way, there must be a valid justification—a legal basis—for doing so. There are six legal bases for Processing Personal Data:

1. the Data Subject has given consent to the Processing of their Personal Data for one or more specific purposes;
2. the Processing is necessary for the performance of a contract to which the Data Subject is party;
3. the Processing is necessary for compliance with a legal obligation to which The New School is subject;
4. the Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
5. the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in The New School; or
6. the Processing is necessary for the purposes of the legitimate interests pursued by The New School or by a third party.

For Special Categories of Personal Data, at least one of the following conditions must also be met:

1. the Data Subject has given explicit consent to the Processing of their Special Categories of Personal Data for one or more specific purposes;
2. the Processing is necessary for the purposes of employment, social security, and social protection law;
3. the Processing is necessary to protect someone’s vital interests;
4. the Processing is carried out by a not-for-profit body;
5. the Processing is manifestly made public by the Data Subject;
6. the Processing is necessary for legal claims;
7. the Processing is necessary for reasons of substantial public interest;
8. the Processing is necessary for the purposes of medicine, the provision of health or social care or treatment, or the management of health or social care systems and services;
9. the Processing is necessary for public health; or
10. the Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes subject to certain safeguards.

Thus, for Special Categories of Personal Data, one legal basis from each of the two lists must be met.

A full description of these legal bases together with examples for their use can be found in the Legal Basis for Data Processing Guide.

Retention

In general, Personal Data should only be retained for as long as necessary. Just how long “necessary” is, however, can be difficult to determine. The answer may vary depending on the type of data, the purpose for which it is being Processed, and other factors. Not only must Data Subjects be informed in the privacy notice about how long their Personal Data will be kept, it is then critical to adhere to these stated retention periods. This means that data will have to be deleted, destroyed, or fully Anonymized at the end of the retention period, or archived appropriately in an official university archive designed for the purpose.

It is important to note that on the other hand, in some circumstances Personal Data must be kept indefinitely as destroying such data would constitute a Personal Data Breach (e.g., student records needed to provide transcripts or confirm dates of attendance).

When it comes to implementing record retention schemes, it is important to remember that Personal Data may be stored in many different locations, including:

• New School internal applications, databases, and file servers
• Servers (applications, databases, storage) operated by third-party providers
• Google G-Suite (Gmail, Docs, Sheets, etc.)
• Backup storage and backup tapes
• Paper files

and that record retention practices must be applied to all of them.

University records should always be stored in departmental filing schemes, rather than by individuals. Departmental file shares or Google Team Drives should be used to store electronic records, rather than storing them on a desktop or laptop computer’s local hard drive. Departmental filing cabinets should be used to store paper files rather than office desk drawers.

The university Record Retention Policy and record retention schedules can be found in the Institutional Policies and Procedures Manual.

Data sharing

From time to time, Data Owners may receive requests to share Personal Data. These requests may be internal, from colleagues in the same organizational unit or another unrelated unit, or external, from other organizations.

Internal data sharing

When Personal Data is shared internally with a New School organizational unit by another organizational unit, the following questions must be answered:

• Would Data Subjects reasonably expect their Personal Data toe be shared with the receiving organizational unit?
• Is the reason for sharing the data consistent with what Data Subjects were told in the original privacy notice?
• Will the receiving unit Process the data in a manner consistent with the original purpose for which it was collected?
• Will the original legal basis for Processing still apply?
• Will the original retention period still apply?

If the answer to any of the above questions is “no,” a new privacy notice must be communicated to the Data Subjects before the data may be shared.

Another question to ask is whether sharing the data will result in risks to the Data Subject. If so, a Data Protection Impact Assessment should be performed before the data is shared.

External data sharing

If a non-university organization requests that Personal Data be shared, the following questions must be answered:

• Will the sharing involve the transfer of data outside the European Economic Area?
• Will the third party be acting as a Data Processor for the university (i.e., acting under the instruction and on behalf of the university)?
• Is the third party requesting the Personal Data for its own use and purpose (in which case the third party is another Data Controller)?

To establish a relationship with an outside organization that will involve the transfer of Personal Data, a contract must be put in place that contains specific terms and conditions to ensure that adequate protection is given to the information so that the university meets its privacy and data protection obligations and protects the rights of the individuals involved. The standard terms and conditions of most cloud service providers, for example, are not normally sufficient.

The Office of the General Counsel and/or the Information Security and Privacy Office can provide template agreements to meet the needs of different transfer arrangements.

Note

Only senior managers of the university (president, provost, executive vice president, deans, and officers) have the authority to sign contracts and related documents, and then only after they have been reviewed and approved by the Office of the General Counsel.

Third party requests

The university often receives requests for the personal information of its students and staff from third parties.

Requests from parents, friends or relatives of a student

Information may not be released without the student’s consent.

It is acceptable to advise the requesters that we will accept a message for the student and, if having checked our records and such a person exists, will pass it on. This avoids disclosing any information about the student, including whether or not they are at the university.

More guidance can be found on the Office of the Registrar’s Student Records Privacy web page.

Requests from organizations providing financial aid

The university routinely notifies the National Student Clearinghouse of changes to a student’s status. This information is available to financial aid lenders at the beginning of each academic term. These disclosures are covered in our privacy notices and records of processing activities.

The Office of the Registrar has documented solutions to enable students to respond to requests for enrollment or degree verification they receive from third parties.

Requests from law enforcement officials

The university is not legally obligated to provide information to the police or other law enforcement agencies unless presented with a court order or legally enforceable subpoena. Any request made by a law enforcement officer or government official, or the presence of a law enforcement officer or government official on campus, should be reported immediately to Campus Safety.

Any attempt to serve a subpoena or other court order should be declined, and the servicer directed to the Office of the General Counsel.

Requests related to the citizenship status of individuals

In November 2016, The New School’s Board of Trustees passed a resolution affirming that the university will “welcome, admit and support students without regard to their citizenship status.” This resolution includes a commitment to protect undocumented students by withholding records that may disclose citizenship status to any law enforcement authority without a court order or a legally enforceable subpoena. The resolution also endorses the university’s position to not permit law enforcement authorities without legal mandates “to enter onto any premises the university owns or controls for the purpose of detaining any student, staff or faculty solely based on immigration status for the purpose of possible deportation.”

Memorandum from New School President David Van Zandt, September 20, 2017

With policies regarding DACA and undocumented immigrants continuing to be a significant topic in the news, we want to take this opportunity to remind all members of the university’s faculty and staff about guidelines in place to protect student information. In particular, we want to underscore appropriate steps to take in the unlikely event that you receive a request or visit from an official from a law enforcement or government agency such as Immigration and Customs Enforcement (ICE). While we do not expect that government agents will make information requests at The New School, this general reminder is part of our efforts to err on the side of caution in protecting members of our community who may feel threatened amid potential changes in U.S. immigration laws and related enforcement efforts.

Fundamentally, protecting the privacy of our students and employees is our priority. In particular, the university does not request, retain, or provide information about students’ citizenship status. The university has in place practices and procedures that govern the release of student and employee records. These practices and procedures are in line with existing privacy laws.

The guideline is simple: Faculty and staff should not respond to requests from any entity, including law enforcement or other government officials, related to the citizenship status of students, faculty, or staff.

• Any inquiry regarding students should be directed to our registrar, Rebecca Hunter (hunter@newschool.edu).
• Requests for information about faculty or staff should be directed to Human Resources (Leah Bautista, bautistl@newschool.edu).

This guideline applies whether the request is made in writing or in person.

An additional important reminder: Any request made by a law enforcement officer or government official, or the presence of a law enforcement officer or government official on campus, should be reported immediately to Campus Security.

As we believe that the protection of confidential information is extremely important to ensuring that every member of our community feels respected and well informed, we will be reinforcing these protocols throughout campus. If you have questions about the university’s information privacy policies, please contact Keila Tennent-DeCoteau at tennentk@newschool.edu or 212-229-5432 x4934.

Disclosures required by law

There are circumstances where the university is obliged to disclose information about an individual to a third party if this is required by law, enactment, or court order:

Third Party	Authorization
(to be determined)	(to be determined)

With such requests, any legal obligation (details of legislation and relevant section) must be correctly described by the requestor in writing.

Data transfer outside the European Economic Area

Note

This section only applies when Personal Data that is collected and/or stored in a European Economic Area (EEA) country (e.g., by Parsons Paris, or at a conference or event held in Europe) is sent to an organization, company, or individual that is based in a non-EEA country (including The New School in the United States).

Transfers of Personal Data from a European Economic Area (EEA) country to a non-EEA country are not prohibited. However, before the transfer can occur, it must be ensured that adequate safeguards are in place to protect the information. The GDPR provides a list of these safeguards, one of which must apply:

• Adequacy of the country: The European Union (EU) has assessed the third country to have an adequate level of protection. These countries are then treated as though they were an EU member state and data can be transferred there without the need for any further safeguards. The European Commission publishes a list of these countries that is updated as new countries are added.
• Transfers to the USA: For data transfers to the USA, the company or organization receiving the data has joined the U.S. Privacy Shield. A list of these can be found here: Privacy Shield List.
• Contract clauses: If a contract exists with the organization receiving the data, it must include specific data protection contract clauses. Information and templates of these clauses for insertion into the contract can be obtained from the Information Security and Privacy Office and/or the Office of the General Counsel.
• Court orders: The New School has received a court order requiring the transfer.
• Consent: The Data Subject has given explicit consent to the transfer, having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards.
• Contract with the Data Subject or in the interest of the Data Subject: The transfer is necessary for performance of a contract between the Data Subject and the university, for example when non-EEA students at Parsons Paris ask for their Personal Data to be sent to an organization (e.g., a financial aid lender) in their home country.
• Public interest: The transfer is necessary for important reasons of public interest. Examples for this are crime prevention and detection, or national security.
• Lawsuits: The transfer is required for a lawsuit.
• Medical emergencies: The transfer is necessary for a medical emergency.

Staff authorizing transfers of Personal Data outside the EEA are responsible for ensuring that one of the above requirements is met and ensuring that a record is kept of which safeguard is in place. Where transfers are done on the basis of consent, evidence of the consent and when it was obtained should be kept.

More information about transfers of Personal Data outside the EEA can be found in the Guidelines for International Data Transfers.

Data subject rights

The New School offers all members of its community specific Data Subject rights over who collects their Personal Data, how the information is used, and for how long. Under this policy, Data Subjects have the right to:

• Be informed
• Access
• Erasure (to be forgotten)
• Rectification
• Portability
• Object to Processing
• Restrict Processing
• Object to automated processing and/or Profiling

The university must act on requests to exercise these rights from Data Subjects covered by the GDPR within one month of receipt of the request. This period may be extended by two further months when necessary, taking into account the complexity and number of requests. The university must inform the Data Subject of any such extension within one month of the request, along with the reasons for the delay.

The university will act on requests to exercise these rights from Data Subjects not covered by the GDPR in a timely manner, but depending on the complexity and number of requests, may follow a less stringent schedule than that required by the GDPR.

See the Guidelines for Handling Data Subject Access Requests for more information.

Contact the ISPO for assistance

Any Workforce Member who receives a request for erasure, rectification, portability, restriction, or an objection to Processing should immediately contact the Information Security and Privacy Office for help in responding.

Right to be informed

The right to be informed is complied with by issuing a privacy notice.

Right to access

The purpose of the right to access is to allow individuals to obtain a copy of any Personal Data The New School holds about them, confirm its accuracy, and check the legal bases cited for Processing it to allow them to exercise their rights of correction or objection if necessary.

Right to erasure (“right to be forgotten”)

Data Subjects have the right to request that their Personal Data be removed from all university systems if:

• the Personal Data is no longer necessary for the purpose it was originally collected or Processed;
• the university is relying on the individual’s consent as the legal basis for Processing the data and the individual withdraws that consent;
• the university is relying on “legitimate interests” as its justification for Processing the individual’s data, the individual objects to the Processing, and there is no overriding legal basis for the university to continue the Processing;
• the university is Processing the data for direct marketing purposes and the individual objects to this Processing;
• the university is Processing the data unlawfully;
• the Personal Data must be erased in order to comply with a legal ruling or obligation; or
• the Data Subject was a child (under age 16) at the time of collection.

This means that if the legal basis for Processing the data is “performance of a contract” or “legal obligation,” and the Processing is fully lawful, the request may (and usually must) be refused. Although “performance of a contract” covers many of the situations in which the university Processes Personal Data, there are some significant areas that it does not cover, including marketing, research, fundraising, and alumni relations.

Even if the removal request meets one or more of the conditions above, there are still several exemptions that will permit the university to refuse the request. The university may not have to erase the data if

• the Processing is for the purpose of exercising the right to freedom of expression and information;
• the university is required to Process the data to comply with a legal ruling or obligation;
• the Processing is necessary for reasons of public interest in the area of public health;
• the Processing is performed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (with specific caveats); or
• the Personal Data is needed for the establishment, exercise, or defense of legal claims (e.g., a lawsuit).

If the data to be erased has been shared with third parties or within the university, each recipient to whom the data was disclosed must be contacted and notified of the erasure, unless this proves impossible or involves disproportionate effort. The Data Subject has the right to be informed about those recipients upon request.

Right to rectification

Data Subjects are entitled to request that their Personal Data be corrected if it is inaccurate or (in certain circumstances) completed if it is incomplete. If the data to be rectified has been shared with third parties or within the university, each recipient to whom the data was disclosed must be contacted and notified of the rectification, unless this proves impossible or involves disproportionate effort. The Data Subject has the right to be informed about those recipients upon request.

Right to portability

The right to portability allows a Data Subject to receive a copy of the Personal Data the university holds concerning them. The Data Subject may also instruct the university to transmit the Personal Data directly to another Data Controller of the subject’s choice, where technically feasible.

Data Subjects have this right if all of the following conditions are met:

• the individual has provided the Personal Data to the university; and
• the university’s legal basis for Processing is “consent” or “performance of a contract;” and
• the Processing is carried out solely by automated means with no human involvement.

When providing the data to the Data Subject, it must be provided in a structured, commonly used, and machine-readable format.

Right to object

Data Subjects have the right to object to the university’s Processing of their Personal Data in certain situations:

• If the university’s legal basis for the Processing is “legitimate interests” or “public task,” including Profiling based on those bases, Data Subjects may object at any time on grounds relating to their personal situation. The university must stop the Processing unless
  • it can demonstrate compelling legitimate grounds for the Processing that override the interests, rights, and freedoms of the Data Subject; or
  • the Processing is for the establishment, exercise, or defense of legal claims.
• If the data is Processed for scientific or historical research purposes or statistical purposes, Data Subjects may object at any time on grounds relating to their personal situation. The university must stop the Processing unless the Processing is necessary for the performance of a task carried out for reasons of public interest.
• If the Processing is performed for direct marketing purposes, including Profiling to the extent that it is related to such direct marketing, the Data Subject may object at any time, without providing any grounds for the objection. When the Data Subject objects, the university must stop Processing the subject’s Personal Data for direct marketing purposes; it is not allowed to override the objection.

Right to restrict processing

Data Subjects have a right to restrict, or halt, the Processing of their Personal Data in any way except to store it. This right applies only if one of these requirements are met:

• The Data Subject contests the accuracy of the Personal Data—Processing should be restricted until accuracy has been verified.
• The Data Subject has objected to the Processing (see above), and The New School is considering whether the university’s legitimate grounds override those of the Data Subject.
• The Processing is unlawful, and the Data Subject prefers not to request the erasure of the Personal Data, requesting the restriction of its use instead.
• The Personal Data is no longer needed and would be deleted in accordance with the retention schedule, but the Data Subject requires the data for the establishment, exercise, or defense of legal claims.

If the data whose Processing will be restricted has been shared with third parties or within the university, each recipient to whom the data was disclosed must be contacted and notified of the restriction, unless this proves impossible or involves disproportionate effort. The Data Subject has the right to be informed about those recipients upon request.

Right to object to automated processing and profiling

The New School is limited in the circumstances in which it can make solely automated decisions, including those based on Profiling, that have a legal or similarly significant effect on individuals.

A “solely” automated decision is one that is totally automated and excludes any human influence on the outcome. A process could still be considered solely automated if a human enters the data to be processed, and then the decision-making is carried out by an automated system. But a process would not be considered solely automated if a human reviews the decision made by the automated system before it is applied and has discretion to alter it. The question is whether the human involvement is active or just a token gesture.

A decision that has a “legal effect” is one that affects a Data Subject’s legal status or legal rights (including rights under a contract). For example, evaluating whether an individual is entitled to a government benefit and the amount of the benefit.

A decision that has a “similarly significant effect” is one that has the potential to significantly influence the circumstances, behavior, or choices of the individual concerned; has a prolonged or permanent impact; or at its most extreme, could lead to the exclusion of or discrimination against the individual. For example, automatic refusal of online credit applications, or e-recruiting practices without human intervention. To determine whether a decision has a similarly significant effect on an individual, consider the extent to which it might affect, for example, the individual’s

• financial circumstances;
• health;
• reputation;
• employment opportunities;
• behavior; or
• choices.

There are three exceptions to the prohibition, and that is where automated decision-making:

• is necessary for the performance of or entering into a contract;
• is authorized by law; or
• is based on the Data Subject’s explicit consent.

Even where one or more of the three exceptions above apply and automated decision-making and Profiling can be used, Data Subjects still have rights. They can still object to the automated Processing and request that a human being become involved and reconsider the decision.

Also, Data Subjects have the absolute right to object to Profiling, as seen above under right to object.

Research

Human Subject Research performed at The New School (excluding Parsons Paris) is more likely to be covered by the Federal Policy for the Protection of Human Subjects (the “Common Rule”) than the GDPR. The GDPR generally applies only to research activities that involve Personal Data being collected from research participants physically located in a European Economic Area (EEA) country at the time of collection (even if the participant is not a resident of the EEA) and/or the transfer of Personal Data collected under the GDPR from an EEA country to a non-EEA country (e.g., the United States). The GDPR does not apply to activities involving the collection of Personal Data from research participants who are physically located within the United States at the time of data collection (even if the individual is an EEA citizen).

Researchers should contact the New School Office of Research Support before embarking on any research project involving human subjects.

Consent as a legal basis

The GDPR requires a legal basis to collect and Process (e.g., analyze) Personal Data. In order to use Personal Data for research, the legal basis that will usually apply is consent from the Data Subject.

Consent must be freely given, specific, informed, and unambiguous with regard to the Data Subject’s wishes by a statement or by a clear affirmative action:

• Freely given means the individual must have a realistic choice, or the realistic ability to refuse or withdraw consent. Individuals in a position of authority cannot obtain consent. To be valid, consent cannot be coerced. Consent is not “freely given” where there is a clear imbalance of power between the Data Controller and the Data Subject, or when the delivery of goods, services, or other benefit is conditioned on the recipient giving consent.

• Specific means the consent must be explicit and transparent and contain the following information:

  • Identity of the Principal Investigator
  • Purpose of the Personal Data collection
  • Types of Personal Data collected, including listing of any Special Categories of Personal Data
  • The right to withdraw from the research and the mechanism for withdrawal
  • Identify who will have access to the data
  • Time period for which data will be stored (may be indefinite)
  • Information regarding data security, including storage and transfer of data
  • Information regarding automated decision-making about the individual, including Profiling
  • Whether and under what conditions data may be used for future research, either related or unrelated to the purpose of the current study

  The above information is commonly provided to the participant via a Research Participant Information Sheet, which combines the consent form and privacy notice into a single document. See the Research Guidelines for more details.

• Informed means that subjects are made aware of the risks, how their data will be safeguarded, their rights in relation to the research (as described below), and how to exercise those rights.

• Unambiguous means consent is given through a statement or clear affirmative action.

  • This may be by a written or oral statement or other affirmative act demonstrating consent. For instance, checking a box can indicate consent, while silence or pre-ticked boxes that require unchecking (opting out) cannot.
  • Investigators should be able to demonstrate that a particular Data Subject consented to the research. Consent records, including time and date of consent, must be maintained for each Data Subject.
  • If the consent form serves multiple purposes, the request for consent must be clearly distinguishable within the document.
  • There is no ability for the Institutional Research Board (IRB) to waive informed consent under GDPR.

Researchers using consent for research purposes can seek broad consent from Data Subjects for research activities. This means that data can be stored for longer periods and individuals’ rights to erasure and to object can be limited. For archival research projects, Data Subjects’ right to data portability can also be limited.

Legitimate interests as a legal basis

For research projects using existing data sets or third party data (i.e., data not directly provided by the individual or where no contractual relationship with the individual exists), “legitimate interests” may be used as the legal basis for Processing.

Use of this basis requires clarity as to who the Data Controller will be, and what the Data Controller’s legitimate interests are, so that it can be determined whether the Data Controller’s interests are overridden by the fundamental rights and interests of Data Subjects. Balancing the Data Controller’s rights against the rights of the individual requires that research be carried out in the least intrusive and most privacy-enhancing way.

More detailed information is available in the Research Guidelines.

Student research

Students may conduct research as part of their undergraduate or postgraduate work. Students will be the Data Controllers and therefore responsible for their research until they submit their dissertation. At that time The New School becomes a joint Data Controller with the student.

The only exception to this is where a student Processes Personal Data while working on a project led by a university research group. In this case, the student and the university are both Data Controllers from the outset.

The Research Guidelines provide more detailed information.

Automated decision-making

Exam grading

The university does not use solely automated decision-making when grading exams. Even multiple choice tests that may be checked and graded by automated means do not fall under the definition of solely automated decision-making, because the exam has been written by a human being, the correct answer has been determined by a human being, and the automation applies only to checking the given answers against the correct ones.

Learning analytics

When using learning analytics, the university will take the following approach:

• Use “legitimate interests” as the legal basis for the Processing of Personal Data (but not Special Categories of Personal Data) for analytics
• Obtain consent for the Processing of any Special Categories of Personal Data for analytics
• Obtain consent to make interventions directly with students on the basis of the analytics

In accordance with the rights of Data Subjects, individuals may object to the Processing where legitimate interests is the legal basis. For the situations where consent is required, that consent can either be withheld or withdrawn at any time.

Privacy by design and by default

Privacy by design states that any action the university undertakes that involves Processing Personal Data must be done with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems, and much more. In practice, this means that the IT department, or any department that Processes Personal Data, must ensure that privacy is built in to a system during the whole life cycle of the system or process. Up to now, tagging security or privacy features on at the end of a long production process would be fairly standard.

Privacy by default means that once a system or service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end user. In addition, any Personal Data provided by the user should only be kept for the amount of time necessary to provide the product or service. If more information than necessary to provide the service is collected, then “privacy by default” has been breached.

Examples of technical and organizational measures that can be used to help implement privacy by design and by default include, but are not limited to:

• Data Protection Impact Assessments
• Anonymization and pseudonymization
• Encryption, hashing, salting
• Data minimization
• Data retention limits
• Restricted access

All university Workforce Members are required to apply privacy by design and by default principles when developing a new project or reviewing an existing project that involves the Processing of Personal Data.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) must be conducted for projects or initiatives that may have a negative impact on Data Subjects’ privacy. A DPIA is a type of risk assessment whereby potential privacy issues and risks are identified and examined from the perspective of all stakeholders.

A DPIA should be performed as part of the initial phase of a project to ensure that risks are identified and taken into account before the problems become embedded in the design and causes higher costs due to making changes at a later stage. Also if there is a change to the risk of processing for an existing project a review should be carried out.

The DPIA will then continue to assess privacy impacts throughout the lifespan of the project. Examples of the types of projects where a DPIA must be considered include, but are not limited to:

• Building or buying new software or IT systems for storing or accessing Personal Data
• Developing policies or strategies that have privacy implications
• Embarking on a data sharing initiative where two or more organizations seek to pool or link sets of Personal Data
• A new video surveillance system (including simply installing more cameras)
• Using Personal Data for new purposes such as a new database that consolidates information held by separate, unrelated parts of the university

In addition to meeting legal requirements, taking a proactive approach to privacy will reduce the likelihood of fines or financial losses due to Personal Data Breaches and help build reputation and stakeholder confidence.

A template and guidance on how to conduct a DPIA can be found in the Data Protection Impact Assessment Guide.

Pseudonymization

Pseudonymization is a data management and de-identification procedure by which Personal Data is altered to make the data record less identifiable while remaining suitable for data analysis and data processing. Personal Data is separated from direct identifiers by replacing them with one or more artificial identifiers, or pseudonyms, so that linkage to an identity is no longer possible without the original direct identifier information, which is held separately. Pseudonymized data can be restored to its original state by reversing the process, which then allows individuals to be re-identified.

Privacy laws and regulations still apply to pseudonymized data (because it can be re-identified to Personal Data).

If pseudonymized data is sent to a third party without also sending the original identifiers, then the third party will be processing anonymized data (see below). The New School, however, will still be processing Personal Data, since it can be re-identified at any time.

Under certain circumstances, pseudonymized data can be exempt from Data Subject rights. This exemption only applies, however, if the Data Controller can show that it is not in a position to identify the Data Subject anymore (e.g., because the Data Controller has destroyed its copies of the original identifiers, but knows they still exist somewhere else). The Data Controller will then not be required to comply with data subject access requests, because tData Controllers are not required to hold additional information for the sole purpose of complying with such requests. If, however, Data Subjects provide the Data Controller with the additional information needed to re-identify them in the data set, then they must be permitted to exercise their rights.

More information can be found in the Guidelines for Anonymization and Pseudonymization.

Anonymization

Anonymization is a data management and de-identification procedure by which Personal Data is irreversibly altered in such a way that a Data Subject can no longer be identified directly or indirectly, either by the Data Controller alone or in collaboration with any other party. It is the process of either encrypting or removing Personal Data from data sets, so that the people whom the data describe remain anonymous. Anonymized data can never be restored to its original state.

Privacy laws and regulations generally do not apply to anonymized data.

More information can be found in the Guidelines for Anonymization and Pseudonymization.

Direct marketing

Direct marketing includes the advertising or marketing of commercial products or service as well as fundraising, and includes all messages promoting an organization such as promoting university events or opportunities for students. It covers all forms of communication, such as marketing by letter, telephone, email, and other forms of electronic messages.

Finding the correct legal basis for direct marketing is very important. There is a difference between direct marketing using electronic means and non-electronic means. Currently, “electronic means” covers the use of email and text messaging.

For marketing by postal letter and telephone, the legal basis can be “legitimate interests;” consent is not needed.

Electronic marketing to private individuals can only be done with consent as the legal basis. Consent must be “opt-in,” and any direct marketing messages should only be sent to those people who have in fact opted in. One exception to the need to obtain prior consent is the so-called “soft opt-in,” which is based on “legitimate interests.” Soft opt-in can be used in situations where the university has a pre-existing commercial relationship with the individual.

More information can be found in the Guidelines for Direct Marketing.

Websites

Websites and web applications are required to provide privacy notices and obtain consent before storing cookies on the user’s computer.

Privacy notices

All websites and web applications operated by or on behalf of The New School must have a privacy notice:

1. The privacy notice must comply with the requirements set forth in the Privacy notices section of this handbook.
   1. Web sites and web applications operated by The New School should link to the New School Website Privacy Notice.
   2. Websites and web applications operated on behalf of The New School should, in most circumstances, link to the website privacy notice provided by the third party responsible for operating the website or web application.
2. The link to the privacy notice should be prominently displayed on every page of the website or web application. Conventionally this is accomplished by placing the link in the page footer, although it may be placed elsewhere if the page layout or page design dictates.
3. The name of the link to the privacy notice should be either “Privacy Notice” or “Privacy,” depending on which fits better with the page design and layout. The name “Privacy Policy” should be avoided.

Cookie consent

All websites and web applications (where technically possible) must obtain consent from the user to store or retrieve any information on the user’s computer, smartphone, or tablet. This is commonly referred to as “cookie consent.”

1. The message seeking the user’s consent must be displayed every time the user visits the website or web application until the user affirmatively gives (or denies) consent.
   1. Web sites and web applications operated by The New School should use the New School Cookie Banner to display the request for consent, obtain the user’s consent, and provide the user with an opportunity to customize which cookies may and may not be used.
   2. Web sites and web applications operated on behalf of The New School should, in most circumstances, use the cookie consent and management system provided by the third party responsible for operating the website or application.
2. The message seeking the user’s consent must be displayed (if appropriate; see above) on every page of the website or web application; it is not sufficient to only display the message on the “front page.”
3. The message seeking the user’s consent should include a link to the site’s “cookie statement” or “cookie notice.” This may be either a separate webpage or included as a section of the website or web application privacy notice.
   1. Web sites and web applications operated by The New School should link to the New School Cookie Statement.
   2. Websites and web applications operated on behalf of The New School should, in most circumstances, link to the cookie statement provided by the third party responsible for operating the website or web application.
4. It is recommended, but not required, that the website or web application include a link named “Cookie Statement,” “Cookie Notice,” or “Cookies” on every page of the website or web application. This link usually appears next to the link to the privacy notice.

Mailing lists

Privacy notices

Whether the communication is internal or external, electronic or in paper format, recipients must always receive a privacy notice through either a link or the entire privacy notice in the footer or all emails, and a link or the entire privacy notice included in all letters sent out.

External mailing lists in paper format

For external mailing lists used to send communications in paper format, the legal basis is “legitimate interests,” and it is not necessary to obtain consent from recipients. However, recipients must be provided with the opportunity to easily and effortlessly opt out of receiving the communication in every letter.

External mailing lists in electronic format

Business-to-business

Emails to business contacts, i.e., individuals who can be considered as representatives of their company, organization, or institution (e.g., students or academics from another university), “legitimate interests” can be used as the legal basis. However, every communication must provide the option to opt out of further communications.

Private individuals

To send emails to private individuals, prior consent must have been obtained from each recipient. If an existing (prior to May 25, 2018) mailing list contains exclusively or mostly private individuals who have not explicitly subscribed, but have been added to the list, then consent must be requested from those individuals and those who do not reply within a reasonable time removed from the list. After an appropriate period of time, consent must be refreshed. Every communication to the list must include the option to opt out of the list.

Mixed lists

If a mailing list contains both business-to-business contacts and private individuals, and consent has not been obtained from the private individuals, a risk assessment should be performed to determine whether continuing to send emails is likely to cause offense or distress or whether receiving the emails is in the individuals’ interest and/or to their benefit.

Internal mailing lists in electronic format

For essential business mailing lists to the university community (students, faculty, staff) with information such as lecture location changes for students, information about lack of heating/cooling or power failure in certain buildings, etc., membership on the list may be considered mandatory and an option to unsubscribe does not have to be given. The legal basis for these emails is “performance of a contract.”

For non-essential mailing lists to the university community, with information such as upcoming events, career opportunities, etc., members of the university community are considered to be business contacts, and the legal basis for these emails is “legitimate interests.” Every communication must provide the option to opt out of further communications.

More information can be found in the Guidelines for Mailing Lists.

Photography and videography

Privacy laws and regulations apply whenever individuals can be identified by their image. In these situations, the rights of the individuals in the collection and use of their images must be respected—they must be informed when an identifiable image of them will (may) be or has been captured, and a legal basis must be found before the image is used in any way.

Photos and videos of individuals and posed groups

When taking photos or videos of a specific person that might be published on the Internet, valid legal bases are “legitimate interests,” “consent,” and “performance of a contract.” Generally, consent is the least attractive option, since consent may be withdrawn at any time and the university will have to react accordingly.

Photos and videos of crowds

If crowd shots are taken during an event and an individual is not identifiable, then it is not necessary to have a legal basis to take, display or publish the photo or video. This applies to any individuals, including students, faculty, and staff, whose images are incidental detail, such as in crowd scenes for graduation, conferences, and in general campus scenes. If the photos are taken at a conference where it is likely that individuals may be identified even in crowd scenes, then the legal basis should be “legitimate interests.”

Notices must be displayed at the event informing attendees that photography and/or videography are being used so they have the opportunity to opt out.

Photos and videos of children

When taking photos or videos of children, consent must be obtained from a parent or guardian. This may be written or verbal depending on the circumstances, see the guidance below.

Photographs for ID purposes

Photographs are taken/provided by students, faculty, and staff for identification purposes, as part of the university’s contract with them to ensure their safety and security and to prevent fraudulent activity. However, use of these photographs beyond these purposes requires consent.

The Guidelines for Photography and Videography provide more detailed information.

Recording lectures, seminars, and studios

Class recordings, including conventional audio/video recordings and recordings made by online web conferencing platforms, made for the sole use of the instructors, Teaching Assistants, Teaching Fellows, and enrolled students in a particular section or single course—that will be destroyed at the conclusion of the course—do not required consent from students. The legal basis for these recordings is “legitimate interests.”

If classes are to be recorded for any purpose other than (or in addition to) making the session available to students in the class for instructional use, or if the recording will be kept beyond the end of the course, the legal basis for these recordings is “consent.” Students must be provided with a privacy notice describing the specific purpose(s) of the recording and to whom it will be disclosed and their written opt-in consent must be obtained. A single consent form for the entire semester is sufficient; the consent form must be maintained as a business record of the university.

The Guidelines for Recording Lectures, Seminars, and Studios provide more detailed information.

Video surveillance

For video surveillance systems (“security cameras”), two types must be distinguished:

• Cameras that record
• Cameras that don’t record but only show live video

Privacy laws and regulations that cover video surveillance generally apply only to cameras that record. However, it is good practice to include cameras that do not record when complying with the fairness and transparency requirements, such as when displaying appropriate signage where cameras are in use.

Cameras that record are required to have a legal basis:

• If the cameras are installed to meet regulatory or compliance requirements (e.g., a high-security laboratory), the legal basis will be “legal obligation.”
• In all other locations, the legal basis will be “legitimate interests,” as the cameras are intended to assist with general safety and security.

Individuals whose images are recorded have a right to view the images of themselves and to be provided with a copy of the images.

Personal Data breaches

A Personal Data Breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

The various state, federal, and international laws and regulations The New School must comply with use different variations of this definition depending on their purpose, but the idea is the same. Most of these laws and regulations require, generally, that data breaches be reported to appropriate government or supervisory authorities, that affected individuals be notified of the breach, and that certain corrective actions be taken, all within certain (often short) time constraints.

While the university makes every effort to avoid Personal Data Breaches, it is possible that mistakes will occur on occasion or things will happen that are beyond the university’s control. All individuals who access, use, or manage Personal Data are responsible for immediately reporting any Personal Data Breach (including suspected breaches) that comes to their attention.

A Personal Data breach can occur for a variety of reasons including, but not limited to:

• loss or theft of data or equipment on which data is stored;
• inappropriate access controls allowing unauthorized use;
• unauthorized disclosure (e.g., an email sent to an incorrect recipient, a document mailed to the wrong address, or Personal Data posted on a public website without consent);
• human error;
• equipment failure;
• unforeseen circumstances such as a fire or flood;
• hacking attack or malicious software (e.g., ransomware); and
• social engineering offenses where information is obtained by deceiving the organization that holds it.

Reporting a breach

Any Workforce Member, student, or other individual who discovers (or suspects) a Personal Data Breach must report it immediately to IT Central and the Information Security and Privacy Office (ISPO) by following the instructions in the Standard for Incident and Breach Response.

References

• European Parliament and the Council of the European Union. Regulation (EU) 2016/679 of the European Parliament and the Council of the European Union of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (General Data Protection Regulation). Adopted April 27, 2016. Effective May 25, 2018. Available from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
• Standard for Handling Institutional Information
• Guidelines for Anonymization & Pseudonymization
• Data Protection Considerations for Cloud Services Guide
• Data Protection Impact Assessment Guide
• Guidelines for Direct Marketing
• Guidelines for Handling Data Subject Access Requests
• Guidelines for International Data Transfers
• Legal Basis for Data Processing Guide
• Guidelines for Mailing Lists
• Guidelines for Photography and Videography
• Guidelines for Recording Lectures, Seminars, and Studios
• Research Guidelines

Review

This standard is reviewed on a periodic basis and updated as necessary by the Information Security and Privacy Office to ensure it remains accurate, relevant, and fit for purpose.

Document history

Date	Author	Description
Jun 2020	D. Curry	Initial publication
Jun 2020	D. Curry	Reorganized some sections; added videography
Jul 2020	D. Curry	Added information about recording classes Removed references to non-existent guidelines
Aug 2020	D. Curry	Replaced oppressive and gender-specific terms with better alternatives Clarified description of privacy by design and default
Oct 2020	D. Curry	Clarified language in right to access section
Nov 2020	D. Curry	Added section on websites

Parts of this handbook are adapted from the University of Edinburgh’s data protection handbook, the contents of which are used with permission.