Privacy laws play a crucial role in how higher education institutions collect, store, use, and share student and employee information. Several key laws that apply in the United States, and some that apply abroad, are designed to protect the privacy rights of individuals in academic settings. Here are a few of the major privacy laws that Boston University is subject to:
European General Data Protection Regulation (GDPR)
GDPR is a data protection and privacy law in the European Union (EU) and the European Economic Area (EEA).
Overview
The General Data Protection Regulation (GDPR) is a set of rules that establishes broad protections for the personal data of citizens and residents of the European Union (EU) and the European Economic Area (EEA).[1] The GDPR applies to organizations, including non-profit corporations, that process the personal data of individuals in the EU, or process personal data in connection with offering goods or services to individuals in the EU.
Key Definitions
As defined by GDPR:
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
- “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
- “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Processing of Personal Data
Under the GDPR, processing of personal data is lawful only if at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Does academic research fall under the GDPR?
Research that includes the collection of personal data from participants in the EU may fall under the GDPR as there is no general exemption for research. However, organizations that implement appropriate safeguards, such as data minimization, may be exempt from certain requirements such as GDPR’s “right to be forgotten” (i.e., request that an organization delete your personal data).
[1] The European Union includes the following countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. The European Economic Area includes the following countries: Iceland, Liechtenstein, and Norway. For convenience, we will refer to all the countries above as the “EU.”
Chinese Personal Information Protection Law (PIPL)
Overview
In November 2021, the People’s Republic of China (PRC) enacted a new, comprehensive data privacy law – the Personal Information Protection Law (PIPL). The PIPL is intended to protect the personal data of citizens of the PRC and address the PRC’s concerns around exporting personal data outside of the PRC.
Key Definitions
As defined by the PIPL:
- “Personal Information” means information related to identified or identifiable natural persons recorded by electronic or other means, excluding information processed anonymously
- “Anonymized Information” means personal information processed so that it is impossible to identify certain natural persons and that such identification cannot be recovered
- “Sensitive Personal Information” means personal information whose disclosure or illegal use could infringe the dignity of data subjects or damage their safety or property interest, including the following types of information:
- biometrics
- religious beliefs
- specific identities
- medical health
- financial accounts
- whereabouts
- personal information of minors under the age of 14
- “Handler” means individuals or organizations who independently determine the purposes and means of processing information (similar to GDPR’s definition of “controller”)
- “Handling” means the collection, storage, use, refining, transmission, provision, public disclosure or deletion of personal information (similar to GDPR’s definition of “processing”)
Handling Personal Data
Under the PIPL, consent must be obtained from the data subjects to handle their personal data in the following manner:
- to transfer a data subject’s PII to cloud service providers, a third party processing the PII on behalf of the handler, or recipients outside of the country; and
- to process data subjects’ PII (e.g. analytics, internal data related assessments, potential job opportunities, etc.)
In addition, to handle “sensitive personal information,” the following conditions must be met:
- the handling is necessary to achieve a specific purpose
- strict protection measures must be in place
- the data subjects must be notified about the need to process their sensitive personal information and the impact such processing may have on their rights and interests
- the data subjects must provide their specific separate consent to the processing of their sensitive personal information for the purpose disclosed
Does the PIPL provide any rights to individuals?
Yes, under the PIPL, data subjects must be provided with notice about the processing of personal information and must be able to:
- obtain access to and a copy of any personal information processed by handlers
- withdraw consent to the processing of personal information where consent was previously provided (does not affect personal information that was previously collected with consent)
- request an amendment or correction of any personal information collected
- request that certain uses of personal information are restricted
- ask handlers to transfer personal information to others
- ask handlers to delete their information
Does academic research fall under the PIPL?
The PIPL does not have a general exemption for research. However, if the research data is de-identified, it is not governed by the PIPL.
Does the PIPL require a data protection impact assessment or other risk assessment?
Yes, the PIPL requires handlers to conduct a data protection impact assessment if the handler:
- Handles sensitive personal information
- Uses personal information for automated decision-making
- Entrusts personal information handling, provides personal information to other personal information handlers, or discloses personal information
- Provides personal information abroad
- Engages in activities that involve personal data and could have a “major influence” on individuals
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of a student’s education records. In compliance with FERPA, Boston University does not disclose personally identifiable information contained in student education records, except as authorized by law. The Office of the University Registrar maintains a FERPA Policy.
Gramm-Leach-Bliley Act (GLBA)
Overview
The Gramm-Leach-Bliley Act (GLBA) requires that financial institutions be transparent about how they collect and share personal financial data, give consumers control over information sharing, and implement strong protections to maintain the confidentiality and security of the personal financial information they retain.
GLBA applies to universities that operate a financial institution or provide financial services, handle financial information (i.e. student financial aid) or share financial information with financial institutions or other entities covered by GLBA.
GLBA’s requirements are additional to those of the federal law governing educational and student records.
Key Definitions
Financial Institution: Any institution engaged in financial activities as defined by the Act, including banks, securities firms, insurance companies, and other companies significantly engaged in financial activities, such as lending, investing, or brokering financial products.
Nonpublic Personal Information: Any personally identifiable financial information provided by a consumer to a financial institution, resulting from a transaction or service, or otherwise obtained by the financial institution. This excludes information that is publicly available.
Consumer: An individual who obtains or has obtained a financial product or service from a financial institution primarily for personal, family, or household purposes.
Affiliate: Any company that controls, is controlled by, or is under common control with another company. For example, subsidiaries or parent companies related to a financial institution.
Nonaffiliated Third Party: A party that is not an affiliate of the financial institution and is unrelated to the institution’s operations or corporate structure.
Opt-Out Notice: A notice given to consumers explaining their right to direct the financial institution not to disclose their nonpublic personal information to nonaffiliated third parties.
Handling Personal Data
GLBA includes specific rules about handling personal financial data, primarily designed to protect consumers’ nonpublic personal information. These rules are generally enforced through two main provisions: the **Privacy Rule** and the **Safeguards Rule**.
The Privacy Rule requires financial institutions to respect the privacy of customers’ nonpublic personal information and protect it accordingly. Financial institutions must provide clear, conspicuous privacy notices to their customers that explain:
- What types of nonpublic personal information they collect,
- How they use it,
- With whom they share it, and
- How they protect this information.
- Opt-Out Rights: Consumers must be given an opportunity to opt out of having their information shared with certain non-affiliated third parties.
- Timing: Privacy notices must be provided when the customer relationship is established and annually thereafter.
The Safeguards Rule requires financial institutions to create, implement, and maintain a comprehensive written information security program to protect customer information. Institutions are required to perform risk assessments, to take protective measures, to designate employees responsible for oversight of a security program, and to monitor, test and periodically adjust the security program as needed.
The GLBA prohibits the practice of **pretexting** (obtaining information under false pretenses). Institutions must have measures to detect and prevent attempts to gain access to customer information through deception.
Does academic research fall under GLBA?
GLBA applies to financial institutions and their handling of consumer financial information. Pure academic research is normally not covered by GLBA, unless the researcher is handling nonpublic financial information originating from a financial institution under GLBA’s scope. Other privacy and ethical rules typically govern academic research involving personal data.
If an academic researcher is handling financial information obtained from a financial institution or working directly with a financial institution—and that information includes nonpublic personal financial data covered by GLBA—then the financial institution remains responsible for GLBA compliance.
If the researcher is directly affiliated with or acting on behalf of a financial institution (e.g., through a research partnership, receiving data under a data-sharing agreement), GLBA obligations may apply to that financial institution’s data handling and sharing practices.
However, academic researchers themselves are not typically regulated by GLBA, especially if the data involved does not come from or relate to a financial institution’s consumer information.
Does GLBA provide any rights to individuals?
GLBA provides certain rights to individuals, mainly centered on their privacy and control over nonpublic personal financial information. Individuals have the right to receive privacy notices at the time the customer relationship is established and annually thereafter, the right to opt out of information sharing, and the right to protection from pretexting.
GLBA does not give individuals the right to access or correct their own financial records held by the institution, nor extensive control over all types of data sharing, and it does not provide a private right of action against an institution. GLBA is enforced mostly by regulatory agencies.
Does GLBA require a data protection assessment or risk impact assessment?
Under the Safeguards Rule, institutions must develop, implement, and maintain a comprehensive information security program focused on protecting customer information.
GLBA at Boston University
Boston University has a Safeguarding Information – Gramm-Leach-Bliley Act (GLBA) Policy (GLBA Policy), in place since 2003 to comply with the Gramm-Leach-Bliley Act. The Policy affirms that the University has an active Safeguarding Program to (1) insure the security and confidentiality of certain customer information, such as student loan-related information, (2) protect against any anticipated threats to the integrity of such information and (3) protect against unwarranted, unlawful and/or unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. Under the Safeguarding Program, all Boston University departments with access to student loan data or other customer information must adhere to the requirements and the elements of the Safeguarding Program that are outlined within the GLBA Policy. The Safeguarding Program must also be adhered to by outside service providers, such as loan servicing agents and collection agencies to which student loan data may be transferred or who may gather it on behalf of the University.
Pursuant to the GLBA Policy, each Department at the University that is required to adhere to the Safeguarding Program must have a designated Departmental Security Administrator (DSA). The DSA is responsible for coordinating the GLBA Policy compliance efforts of the department.
The GLBA Policy is available on the Policies website.