The REVA University is committed to the responsible use of personal information and sensitive information collected from and about its students, faculty, staff, business partners and others who provide such information to the university. This commitment is in accordance with both state and federal regulations concerning the use of sensitive information. Such sensitive information includes information that could be used to cause financial harm or reputational harm to any individual. This policy applies to personally identifiable sensitive information and how it is collected.
The purpose of this policy is to protect the privacy of individuals who have sensitive information stored (either in electronic or paper form) on assets owned by The REVA University, while at the same time providing the University the ability to share this information with authorized entities as required by legitimate academic or business need or by law.
4.1 Limits on Use of and Access to Sensitive Information
The responsible use of sensitive information requires that the University respect individual privacy, protect against unauthorized access to or use of information, and comply fully with all laws and government regulations in the collection, use, storage, display, distribution and disposal of such information. Authorized uses of sensitive information within the University are limited to uses which a) are necessary to meet legal and regulatory requirements; b) facilitate access to services, transactions, facilities and information; or c) support efficient academic and administrative processes.
Access to sensitive information is limited to:
4.2 AAdhar Numbers
Aadhar numbers are always considered confidential and are therefore subject to the limits of use and access described above. In addition, the University will continue to collect and process Aadhar Numbers limited only to instances in which that number is required by law or contract or instances where there is a legitimate business or academic need authorized by University administration. This includes, but is not limited to, all enrolled students.
The University, its faculty, staff, and students must abide by all government legal regulations pertaining to UIDAI guidelines.
It is against both Government law and University policy to:
4.3 Online Collection of Information
5.1 Lawful Basis for Collecting and Processing of Personal Data
The University is an institute of higher education involved in education, research, and community development. In order for the University to educate its students both in class and on-line, engage in world-class research, and provide community services, it is essential, necessary, and the University has lawful bases to collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. The lawful bases include, without limitation, admission, registration, delivery of classroom, on-line, and study abroad education, grades, communications, employment, research, development, program analysis for improvements, and records retention. Examples of data that the University may need to collect in connection with the lawful bases are: name, email address, IP address, physical address or other location identifier, photos, as well as some sensitive personal data obtained with prior consent.
For more information regarding the GDPR, please review the University’s Indian General Data Protection Regulation Compliance Policy.
Most of the University’s collection and processing of personal data will fall under the following categories:
There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.
5.2 Types of Personal Data collected and why
The University collects a variety of personal and sensitive data to meet one of its lawful bases, as referenced above. Most often, the data is used for academic admissions, enrollment, educational programs, job hiring, provision of medical services, and participation in research, development and community outreach. Data typically includes name, address, transcripts, work history, information for payroll, research subject information, medical and health information (for student health services, or travel), and donations. If you have specific questions regarding the collection and use of your personal data, please contact the Office of Information Security at firstname.lastname@example.org
If a data subject refuses to provide personal data that is required by the University in connection with one of the University’s lawful bases to collect such personal data, such refusal may make it impossible for the University to provide education, employment, research or other requested services.
The University receives personal and sensitive data from multiple sources. Most often, the University gets this data directly from the data subject or under the direction of the data subject who has provided it to a third party (for example, application for admission to the University through use of the Common App).
Individual data subjects whose information is collected under the University’s General Data Protection Regulation Compliance Policy will be provided the following information at the time the information is collected from them:
Individual data subjects whose information is collected under the University’s General Data Protection Regulation Compliance Policy will be provided the following rights (as applicable), provided that the University determines that the exercise of the right is permitted and/or required by the GDPR:
Cookies are files that many websites transfer to users’ web browsers to enable the site to deliver personalized services or to provide persistent authentication. The information contained in a cookie typically includes information collected automatically by the web server and/or information provided voluntarily by the user. Our website uses persistent cookies in conjunction with a third-party technology partner to analyze search engine usage and web traffic patterns. This information is used in the aggregate to monitor and enhance our web pages. It is not used to track the usage patterns of individual users.
5.4 Security of Personal Data subject to the GDPR
All personal data and sensitive data collected or processed by the University under the scope of the Indian Government General Data Protection Regulation Compliance Policy must comply with the security controls, systems, and process requirements and standards set forth in the University’s Data Classification and Protection Standard.
We will not share your information with third parties except:
6.1 Roles and Responsibilities
Each University department/unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance with this policy.
The Department of Information Technology is responsible for enforcing this policy.
6.2 Consequences and Sanctions
Violation of this policy may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment or, in the cases where students are involved, reporting of a Student Code of Conduct violation.