Privacy laws play a crucial role in how higher education institutions collect, store, use, and share student and employee information. Several key laws that apply in the United States, and some that apply abroad, are designed to protect the privacy rights of individuals in academic settings. Here are a few of the major privacy laws that Boston University is subject to:
European General Data Protection Regulation (GDPR)
GDPR is a data protection and privacy law in the European Union (EU) and the European Economic Area (EEA).
Overview
The General Data Protection Regulation (GDPR) is a set of rules that establishes broad protections for the personal data of citizens and residents of the European Union (EU) and the European Economic Area (EEA).[1] The GDPR applies to organizations, including non-profit corporations, that process the personal data of individuals in the EU, or process personal data in connection with offering goods or services to individuals in the EU.
Key Definitions
As defined by GDPR:
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
- “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
- “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Processing of Personal Data
Under the GDPR, processing of personal data is lawful only if at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Does academic research fall under the GDPR?
Research that includes the collection of personal data from participants in the EU may fall under the GDPR as there is no general exemption for research. However, organizations that implement appropriate safeguards, such as data minimization, may be exempt from certain requirements such as GDPR’s “right to be forgotten” (i.e., request that an organization delete your personal data).
[1] The European Union includes the following countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. The European Economic Area includes the following countries: Iceland, Liechtenstein, and Norway. For convenience, we will refer to all the countries above as the “EU.”
Chinese Personal Information Protection Law (PIPL)
Overview
In 2021, the People’s Republic of China (PRC) enacted a new, comprehensive data privacy law, the Personal Information Protection Law (PIPL), which took effect on November 1, 2021. The PIPL is intended to protect the personal information of individuals in the PRC and to address the PRC’s concerns around transferring personal information outside of the PRC.
Key Definitions
As defined by the PIPL:
- “Personal Information” means information related to identified or identifiable natural persons recorded by electronic or other means, excluding information processed anonymously
- “Anonymized Information” means personal information that has been processed so that it is impossible to identify specific natural persons and the identification cannot be restored (anonymized information is not “personal information” under the PIPL)
- “Sensitive Personal Information” means personal information whose disclosure or illegal use could infringe the dignity of data subjects or damage their safety or property interest, including the following types of information:
- biometrics
- religious beliefs
- specific identities
- medical health
- financial accounts
- whereabouts
- personal information of minors under the age of 14
- “Handler” means individuals or organizations who independently determine the purposes and means of processing information (similar to GDPR’s definition of “controller”)
- “Handling” means the collection, storage, use, refining, transmission, provision, public disclosure or deletion of personal information (similar to GDPR’s definition of “processing”)
Handling Personal Data
Under the PIPL, handlers must obtain the data subject’s consent before handling their personal information in the following ways:
- transferring a data subject’s personal information to cloud service providers, to a third party that processes the personal information on behalf of the handler, or to recipients outside of the PRC; and
- processing a data subject’s personal information for purposes such as analytics, internal data-related assessments, or evaluating potential job opportunities.
In addition, to handle “sensitive personal information,” the following conditions must be met:
- the handling is necessary to achieve a specific purpose
- strict protection measures must be in place
- the data subjects must be notified about the need to process their sensitive personal information and the impact such processing may have on their rights and interests
- the data subjects must provide their specific separate consent to the processing of their sensitive personal information for the purpose disclosed
Does the PIPL provide any rights to individuals?
Yes, under the PIPL, data subjects must be provided with notice about the processing of their personal information and must be able to:
- obtain access to and a copy of any personal information processed by handlers
- withdraw consent to the processing of personal information where consent was previously provided (does not affect personal information that was previously collected with consent)
- request an amendment or correction of any personal information collected
- request that certain uses of personal information are restricted
- ask handlers to transfer their personal information to another handler
- ask handlers to delete their information
Does academic research fall under the PIPL?
The PIPL does not have a general exemption for research. However, if the research data has been anonymized in the sense defined above (specific individuals cannot be identified and the identification cannot be restored), it is no longer personal information and is not governed by the PIPL.
Does the PIPL require a data protection impact assessment or other risk assessment?
Yes, the PIPL requires handlers to conduct a data protection impact assessment if the handler:
- handles sensitive personal information
- uses personal information for automated decision-making
- entrusts personal information handling to another party, provides personal information to other personal information handlers, or discloses personal information
- provides personal information abroad
- engages in other activities that involve personal information and could have a “major influence” on individuals
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of a student’s education records. In compliance with FERPA, Boston University does not disclose personally identifiable information contained in student education records, except as authorized by law. The Office of the University Registrar maintains a FERPA Policy.