Vendors and Homestays — Privacy Notice

Boston University understands that collecting and processing personal information is an important topic, and it is committed to safeguarding privacy. Boston University collects and processes certain types of personal information from its prospective and contracted vendors in connection with Requests for Proposals (RFPs), vetting prospective vendors, and hiring and paying vendors. This privacy notice explains what information is collected, how it is used, and how the University safeguards it. You should contact the relevant site director or BU Study Abroad with any questions or concerns regarding this policy.

Whose Information Is Collected?

Boston University collects information about prospective and current vendors who submit bids for and enter into contracts with the University.

What Information Is Collected?

For individual vendors, Boston University collects:

  • Contact information for individual prospective and current vendors, including names, addresses, telephone numbers, email addresses, etc.;
  • Government ID number; and
  • Bank account number.

In addition to the information collected by Boston University for individual vendors, for Study Abroad homestay families Boston University also collects:

  • Information about the homestay family members and other residents in the home, including names, dates of birth, relationship, and profession/occupation, etc.;
  • Information about the homestay residence, including location, a description of the home/room (e.g., number of rooms and bathrooms, air-conditioning), public transportation and metro stops near the home, pets, internet connection/WiFi availability, smoking habits of the residents; and
  • Information to facilitate matching students with homestay families, including student preferences (e.g., dietary restrictions, non-smoking), familiarity with/ability to speak English, and general availability.

Why Is This Personal Information Collected?

Boston University collects this information to comply with its contractual, statutory, and management obligations, including:

  • The University’s contractual responsibilities arising from the contract with the third-party vendor. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to: vendor qualification; bank account; postal address; and government ID.
  • The University’s management responsibilities necessary for the organizational functioning of the University’s programs. The data processed to meet management responsibilities includes, but is not limited to, data relating to: contract bids; negotiations; agreements; scope of work; performance; payment; and the health, safety and security of University faculty, staff and students. For the management of student homestays with local families, it also includes but is not limited to data relating to the homestay families’ home and residents.

Boston University needs to keep and process information about third-party vendors for normal operational and contractual purposes and to promote the safety and well-being of the University’s students, staff, and faculty. The information the University holds and processes will be used for management and administrative use only. The University will keep and use it to manage operations and the University’s relationship with vendors effectively, lawfully, and appropriately, during the bidding and negotiation process, while the vendor is under contract with the University, at the time the contractual obligations end, and after the contractual term ends. This includes using information to enable the University to comply with the vendor contract, to comply with legal requirements, to pursue the University’s legitimate interests, and to protect the University’s legal position in the event of legal proceedings. Much of the information the University holds will have been provided by the vendor himself or herself, but some may come from internal or external references or other sources. If the vendor does not provide this data, the University may be unable in some circumstances to execute a contract or continue the contractual relationship with that vendor.

Boston University may sometimes need to process vendor data to pursue its legitimate operational interests, for example to ensure the safety and security of students, to prevent fraud, for administrative purposes, or for reporting potential crimes. The University will never process vendor data where these interests are overridden by the vendor’s own interests.

Sensitive Personal Data

“Sensitive personal data” includes information about racial and ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data, data concerning health, criminal history, or data concerning a person’s sex life or sexual orientation. The University rarely processes such data relating to vendors and will only process such data where the processing is necessary to perform the vendor contract or to comply with laws and regulations, for example, where trade union membership imposes requirements on the University relating to the vendor’s contract; to establish, exercise, or defend legal claims; or to assess a vendor’s working capacity. This processing of sensitive personal data ordinarily would not happen without the vendor’s knowledge and consent. Data about a vendor’s criminal convictions will be held as necessary.

How Is Information Collected?

Information is collected through a variety of sources, including:

  • Information provided by a vendor through the bidding and negotiation process;
  • Information provided by a vendor during the course of the contractual relationship;
  • University management and other internal sources; and
  • Third parties from whom the University seeks references.

What Is Done With Collected Information?

Collected information is used only for purposes of Boston University operating its programs, including performing and managing third party vendor contracts.

Who Has Access To Collected Information?

  • Boston University employees, including employees in the United States;
  • Third parties who provide benefits or other services to the University, pursuant to a contract with the University; and
  • Government departments or agencies, as required by law.

How Is Information Stored and Secured?

Boston University uses University-managed, secure information technology systems to store electronic personal information, including systems such as Microsoft’s Office 365, that permit creating shared spaces that are accessible by BU faculty and staff. BU employs appropriate administrative, technical, and physical security measures to protect paper or other physical records that contain personal information, including locked offices and file cabinets. BU uses encrypted SecureMail for Restricted Use information that is subject to the University’s Data Protection Standards.

How Long Is Information Saved?

Boston University maintains records as specified in its Record Retention Policy and the accompanying Record Retention Table.

What Are Your Rights Related To Your Personal Data?

You have a number of rights with regard to your personal data. You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, the right to object to processing, and, in certain circumstances, the right to data portability. If you have provided consent for the processing of your data, you have the right (in certain circumstances) to withdraw that consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn. In certain circumstances, the University may process a vendor’s personal data and sensitive personal data without their explicit consent.

Concerns?

If you have questions or concerns about the use of your personal data or about this policy, please contact the site director or BU Study Abroad.

Updates to this Notice

The University may change this Privacy Notice from time to time. If the University makes any significant changes in the way it treats your personal information, the updated notice will be posted on the University’s website.