Privacy Policy
Document Summary
Georgia Highlands College (GHC) stores the data it collects in accordance with United States law, State of Georgia law, and Board of Regents of the University System of Georgia Records Retention Schedules. Students and website visitors have the right to know how the institution uses and discloses the personal data it collects and what measures GHC puts in place to protect student and website visitor privacy. Any individual wishing to exercise their rights under this policy should contact the institution’s designated privacy officer by emailing privacy@highlands.edu. Any GHC employee who suspects a data breach or unauthorized disclosure of data has occurred or is actively occurring must immediately notify the Information Security & Network Services unit of Information Technology by emailing infosec@highlands.edu.
Purpose
This policy defines how Georgia Highlands College collects and manages information collected from individuals such as website visitors, students, employees, and third-parties operating at or on behalf of the institution.
Definitions
- Business Associate
- HIPAA defines a business associate as a third-party operating for or on behalf of an organization that provides services that involve healthcare information.
- Cookie
- Cookies are small files or collections of text data stored by web browsers that are used for maintaining user information and website preferences.
- Data subject
- GDPR defines a data subject as any natural person whose personal data is collected or maintained by GHC. A legal entity such as a corporation is an artificial person.
- Family Educational Rights and Privacy Act (FERPA)
- FERPA is a federal law (20 U.S.C. § 1232g; 34 CFR Part 99) that protects the privacy of student educational records. All schools that receive funds through a U.S. Department of Education program are in scope of FERPA.
- Georgia Open Records Act (O.C.G.A. § 50-18-70)
- Entities of the State of Georgia are subject to the Georgia Open Records Act. This law allows citizens to request (view) records of Georgia agencies.
- General Data Protection Regulation (GDPR)
- GDPR is a European Union (EU) law that defines data protection and privacy standards for individuals within the EU and personal data about EU citizens managed outside of the EU.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- HIPAA is a federal law that restricts how organizations store and communicate healthcare information.
- Personally Identifiable Information (PII)
- Georgia law (O.C.G.A. § 10-1-911(6)) defines PII as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
- (A) United States Social Security number;
- (B) Driver’s license number or government identification card number;
- (C) Bank account or payment card information, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;
- (D) Account passwords or personal identification numbers or other access codes; or
- (E) Any of the items contained in (A) through (D) when not in connection with the individual’s first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.
PII does not include publicly available information that is lawfully made available to the public from federal, state, or local government records.
Content / Policy
Web Privacy
Georgia Highlands College (GHC) is the operator of www.highlands.edu. Web hosting services and software tools, integrations, and programming frameworks may be provided by third-parties. GHC may collect information from each device used to visit www.highlands.edu such as Internet Protocol (IP) address, operating system version, web browser version, and the presence of web browser extensions/add-ons/plug-ins. GHC may collect other information provided by cookies stored on a user device. GHC may collect aggregate information about www.highlands.edu and other websites owned or operated by the institution. Examples of this information include web page usage statistics or how users navigate from one part of www.highlands.edu to another. This data collection is typically performed in order to improve the institution’s web services or for routine security monitoring.
Specific forms on www.highlands.edu may require you to submit your name, street address, phone number, and/or email address. You may make an appointment with the appropriate office(s) to visit in person or provide this information through an alternate means, if possible and as appropriate. GHC utilizes physical, technical, and administrative controls to protect your data against unauthorized access or misuse; however, we cannot guarantee the security of any information transmitted to the institution from a system or information technology resource outside the institution. GHC does not actively share personal information gathered from www.highlands.edu. However, there may be some situations where we share this data. These situations include compliance with a lawful court order (or subpoena) or a Georgia Open Records Act request.
This policy does not define data privacy practices by third-parties or websites linked to from www.highlands.edu. Links to a third-party website are provided as a courtesy and do not constitute an endorsement of a third-party website or the content contained within.
University System of Georgia (USG) Directory Information
Purpose
The purpose of this section is to define Directory Information as it pertains to the Family Educational Rights and Privacy Act (FERPA) and outline the rights of students regarding the disclosure of such information by Georgia Highlands College. The policy ensures compliance with FERPA while balancing the need for transparency and the protection of student privacy. GHC designates the following as Directory Information:
- Student’s name
- Major field of study
- Enrollment status (e.g., full-time, part-time)
- Participation in officially recognized activities and sports
- Dates of attendance
- Degrees, honors, and awards received
- Height and weight of athletes
- Class level
This information may be disclosed without the student’s prior written consent unless the student has opted out of such disclosure (see Student Rights below).
Student Rights Under FERPA
- Right to Inspect and Review Education Records: Students have the right to inspect and review their education records within 45 days of submitting a written request to the institution registrar. The institution will arrange access and notify the student of the time and place where the records may be inspected.
- Right to Request Amendment of Records: If a student believes their education records contain inaccurate or misleading information, they have the right to request an amendment. The request must be submitted in writing, clearly identifying the part of the record to be amended and explaining why it is inaccurate or misleading.
- Right to Provide Written Consent Before Disclosure: Students have the right to provide written consent before the institution discloses any personally identifiable information from their education records, except as authorized under FERPA. Directory Information, as defined above, may be disclosed without prior consent unless the student has opted out.
- Right to Opt-Out of Directory Information Disclosure: Students may choose to opt out of the disclosure of Directory Information by submitting a written request to the Office of the Registrar. Once the request is submitted, the institution will withhold Directory Information from public disclosure. Important: Opting out does not prevent the institution from disclosing Directory Information to school officials with legitimate educational interests, including certain institution administrators, faculty, and contracted service providers.
- Right to File a Complaint with the U.S. Department of Education: Students who believe the institution has failed to comply with FERPA may file a complaint with the U.S. Department of Education at the following address:
Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202-8520
Disclosure Without Consent
USG institutions may disclose education records without a student’s prior written consent to certain parties under certain conditions, as allowed by FERPA, including:
- School officials with legitimate educational interests.
- Other schools to which a student is transferring.
- Specified officials for audit or evaluation purposes.
- Appropriate parties in connection with financial aid.
- Organizations conducting certain types of studies for or on behalf of the school.
- Accrediting organizations.
- Compliance with a judicial order or lawfully issued subpoena.
- Appropriate officials in cases of health and safety emergencies.
Annual Notification
USG is committed to informing students of their rights under FERPA annually. This policy will be made available through each college or university’s official communications channels, including student handbooks, institution websites, and registrar’s offices.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Georgia Highlands College (GHC) is designated as a hybrid entity under HIPAA. The Heritage Hall dental clinic is the only component of the institution subject to HIPAA. Employee and student records subject to the Family Educational Rights and Privacy Act (FERPA) are excluded.
An individual’s health information may be used by GHC for treatment, payment, and healthcare operations in the dental clinic (as defined by HIPAA) after the institution has provided to the individual a copy of this policy and has made a good faith effort to obtain an acknowledgment of its receipt, except in the event of an emergency. Additionally, GHC may use an individual’s health information for other purposes or may disclose an individual’s health information to external entities for other purposes upon obtaining a valid authorization from the individual giving permission for that stated use or disclosure. GHC may use and disclose an individual’s health information without prior permission or authorization where the health information has been sufficiently “de-identified”, so as to hide the identity of the individual(s), is part of a “limited data set”, or for other uses where allowable by law.
GHC maintains personal healthcare information about employees and, under certain circumstances, students. GHC will allow individuals to inspect and obtain copies of their own health information that has been collected by the institution. Individuals may also request information regarding disclosures of their health information made to third-parties. GHC will allow an individual to amend information in their health record where it is incomplete or inaccurate. Information maintained by GHC for purposes related to the administration of employee wellness and fitness programs will not be used for employment related purposes, including but not limited to, annual evaluations, employee discipline, promotion, retention or termination. GHC strictly segregates functions related to health plan administration from employment decisions.
GHC’s privacy officer coordinates the institution’s HIPAA compliance and is responsible for gathering information sought by individuals who have a right to access it. Further, the privacy officer is responsible for receiving HIPAA complaints. GHC may also designate one or more HIPAA coordinators to assist the privacy officer with HIPAA compliance obligations. The institution’s designated security officer is responsible for the implementation of security policies and technical controls that conform to the HIPAA Security Rule. Divisions and departments of the college that collect, process, or store healthcare information are required to develop and conduct HIPAA training for their employees and for students serving as interns or employees. Further, each division and department is responsible for implementing the appropriate procedures to protect the confidentiality of healthcare information in verbal, written, and electronic communications.
Healthcare records maintained in physical documents will be kept secured in a locked location. Electronic records will be protected by technical controls such as encryption and access restrictions. Each employee with access to healthcare records is required to use passwords that are unique to (1) that employee and (2) the systems and information technology resources that contain healthcare records. Physical access to secure (controlled) areas and systems containing healthcare information will be revoked upon termination of an employee or when a contract with an authorized third-party ends. Healthcare records may not be collected, processed, or stored on employee or student personal devices. Healthcare records may not be communicated through text messages, chat, meeting, and conference software, or social media for any reason. Health information may only be accessed by authorized employees and is restricted to the minimum amount of access necessary for their respective job function(s).
The use or disclosure of health information by a third-party service provider or third party operating on behalf of GHC must comply with this policy. Health information provided to such a third-party must be pursuant to an assurance that the third-party, and its sub-contractors, will use the information only for the purpose(s) intended, will restrict access to the information on a “need to know” basis only, and will otherwise take appropriate measures to safeguard the information in its possession. There must be a valid, signed business associate agreement in place before identifiable health information may be provided to a third-party by the institution. If GHC determines that a business associate has violated a material term or obligation under the agreement relating to HIPAA compliance, GHC will seek to immediately remedy the breach or, if that is not possible, to alter or terminate the agreement. Violations may also be reported to the Board of Regents of the University System of Georgia.
General Data Protection Regulation (GDPR)
It is necessary for Georgia Highlands College (GHC) to collect, process, use, and maintain data about students, employees, applicants, and other individuals involved with its educational programs and ancillary programs such as research or community outreach. These individuals may be classified as data subjects if they are European Union (EU) citizens or if GHC collects, processes, uses, and/or maintains their personal data within the European Economic Area. Examples of data that GHC may collect include: names, email addresses, IP addresses, physical addresses, location identifiers, photos, academic transcripts, medical information, and other forms of sensitive or federally protected personal data obtained with prior consent. Typically, data collection and processing at GHC is performed in order to 1) directly support the education and employment of individuals; 2) fulfill contractual obligations to which one or more data subjects are a party, such as the processing of financial aid or payments; 3) fulfill legal obligations of the institution; and 4) perform specific functions where GHC has obtained consent from the data subject. GHC will not share a data subject’s personal information with third parties, with the following exceptions: contract compliance, pursuant to consent provided by a data subject, as required by law, as necessary to protect the institution’s interests, and/or with service providers that have agreed to protect the confidentiality of data and are acting on the institution’s behalf.
Data subjects have the following rights in accordance with GDPR:
- to receive information about how GHC collects and uses their data and the legal basis/legitimate interest of those activities.
- to receive contact information for the institution’s designated privacy officer.
- to receive information about persons or entities that receive personal data from GHC.
- to know if GHC intends to transfer personal data to another country or international organization.
- to know how long GHC will store personal data.
- to access, update (correct), or request the erasure of personal data.
- to withdraw consent of the use or storage of personal data at any time.
- to file a complaint with a supervisory authority, such as the Board of Regents of the University System of Georgia.
- to receive information about the existence of automated decision-making processes.
- to know if data collected by GHC is going to be used for a purpose other than for which it was originally collected.
Scope
All personal data collected and used by Georgia Highlands College is in scope of this policy.
Enforcement
Inappropriate use of personal data or healthcare information may result in disciplinary action up to and including termination of employment, expulsion, and/or criminal prosecution. If there is evidence indicating an individual has adversely affected the availability, confidentiality, or integrity of personal data collected, transmitted, or stored on institution systems and information technology resources, the Vice President for Information Technology, Chief Technology Officer, or Information Security Officer, in consultation with one or more members of IT leadership, may authorize the suspension of a user’s privileges until the incident is properly examined and resolved. Executive leadership, including the Vice President for Human Resources, will be notified of these incidents. Data breaches will be reported to the USG Cybersecurity office per the institution’s Incident Response Plan and the USG IT Handbook.
Source Documents
- 2018 Reform of EU Data Protection Rules, European Commission, https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en (2018)
- USG Data Privacy Policy and Legal Notice, University System of Georgia, https://www.usg.edu/siteinfo/web_privacy_policy
- Georgia Open Records Act (O.C.G.A. § 50-18-70), Georgia Institute of Technology Legal Affairs, http://www.legal.gatech.edu/sites/default/files/images/186385699r1.pdf
- Health Information Privacy (HIPAA), HHS.gov, https://www.hhs.gov/hipaa/index.html
- Family Educational Rights and Privacy Act (FERPA), United States Department of Education, https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- USG Records Retention Schedules, University System of Georgia, https://www.usg.edu/records_management/schedules/
- McCallister, Grance, et al. Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), National Institute of Standards and Technology Computer Security Resource Center, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf (2010)