Privacy laws play a crucial role in how higher education institutions collect, store, use, and share student and employee information. Several key laws that apply in the United States, and some that apply abroad, are designed to protect the privacy rights of individuals in academic settings. Here are a few of the major privacy laws that Boston University is subject to:<\/p>\n
<\/p>\n
Overview<\/strong><\/p>\n The General Data Protection Regulation (GDPR) is a set of rules that establishes broad protections for the personal data of citizens and residents of the European Union (EU) and the European Economic Area (EEA).[1]<\/span><\/a> The GDPR applies to organizations, including non-profit corporations, that process the personal data of individuals in the EU, or process personal data in connection with offering goods or services to individuals in the EU.<\/p>\n Key Definitions<\/strong><\/p>\n As defined by GDPR:<\/p>\n Processing of Personal Data<\/strong><\/p>\n Under the GDPR, only processing of personal data is lawful only if at least one of the following applies:<\/p>\n Does academic research fall under the GDPR?<\/strong><\/p>\n Research that includes the collection of personal data from participants in the EU may fall under the GDPR as there is no general exemption for research. However, organizations that implement appropriate safeguards, such as data minimization, may be exempt from certain requirements such as GDPR\u2019s \u201cright to be forgotten\u201d (i.e., request that an organization delete your personal data).<\/p>\n [1]<\/span><\/a> The European Union includes the following countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. The European Economic Area includes the following countries: Iceland, Liechtenstein, and Norway. For convenience, we will refer to all the countries above as the \u201cEU.\u201d In November 2021, the People\u2019s Republic of China (PRC) enacted a new, comprehensive data privacy law \u2013 the Personal Information Protection Law (PIPL). The PIPL is intended to protect the personal data of citizens of the PRC and address the PRC\u2019s concerns around exporting personal data outside of the PRC.<\/p>\n As defined by the PIPL:<\/p>\n Under the PIPL, consent must be obtained from the data subjects to handle their personal data in the following manner:<\/p>\n In addition, to handle \u201csensitive personal information,\u201d the following conditions must be met:<\/p>\n Yes, under the PIPL, data subjects must be provided with notice about the processing of personal information and able to:<\/p>\n The PIPL does not have a general exemption for research. However, if the research data is de-identified, it is not governed by the PIPL.<\/p>\n Yes, the PIPL requires handlers to conduct a data protection impact assessment if the handler:<\/p>\n <\/p>\n <\/div>\n<\/div>\n\n The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of a student\u2019s education records. In compliance with FERPA, Boston University does not disclose personally identifiable information contained in student education records, except as authorized by law. The Office of the University Registrar maintains a FERPA Policy<\/a>.<\/p>\n <\/div>\n<\/div>\n\n The Gramm-Leach-Bliley Act (GLBA) requires that financial institutions be transparent about how they collect and share personal financial data, give consumers control over information sharing, and implement strong protections to maintain the confidentiality and security of the personal financial information they retain.<\/p>\n GLBA applies to universities that operate a financial institution or provide financial services, handle financial information (i.e. student financial aid) or share financial information with financial institutions or other entities covered by GLBA.<\/p>\n GLBA\u2019s requirements are additional to those of the\u00a0<\/a>, the federal law governing educational and student records.<\/p>\n Financial Institution:<\/strong> Any institution engaged in financial activities as defined by the Act, including banks, securities firms, insurance companies, and other companies significantly engaged in financial activities, such as lending, investing, or brokering financial products.<\/p>\n Nonpublic Personal Information:<\/strong> Any personally identifiable financial information provided by a consumer to a financial institution, resulting from a transaction or service, or otherwise obtained by the financial institution. This excludes information that is publicly available.<\/p>\n Consumer:<\/strong> An individual who obtains or has obtained a financial product or service from a financial institution primarily for personal, family, or household purposes.<\/p>\n Affiliate:\u00a0<\/strong> Any company that controls, is controlled by, or is under common control with another company. For example, subsidiaries or parent companies related to a financial institution.<\/p>\n Nonaffiliated Third Party:<\/strong> A party that is not an affiliate of the financial institution and is unrelated to the institution’s operations or corporate structure.<\/p>\n Opt-Out Notice:\u00a0<\/strong> A notice given to consumers explaining their right to direct the financial institution not to disclose their nonpublic personal information to nonaffiliated third parties.<\/p>\n GLBA includes specific rules about handling personal financial data, primarily designed to protect consumers’ nonpublic personal information. These rules are generally enforced through two main provisions: the **Privacy Rule** and the **Safeguards Rule**.<\/p>\n The Privacy Rule<\/strong> requires financial institutions to respect the privacy of customers’ nonpublic personal information and protect it accordingly.\u00a0 Financial institutions must provide clear, conspicuous privacy notices to their customers that explain:<\/p>\n The Safeguards Rule<\/strong> requires financial institutions to create, implement, and maintain a comprehensive written information security program to protect customer information.\u00a0 Institutions are required to perform risk assessments, to take protective measures, to designate employees responsible for oversight of a security program, and to monitor, test and periodically adjust the security program as needed.<\/p>\n The GLBA prohibits the practice of **pretexting** (obtaining information under false pretenses). Institutions must have measures to detect and prevent attempts to gain access to customer information through deception.<\/p>\n GLBA applies to financial institutions and their handling of consumer financial information.\u00a0 Pure academic research is normally not covered by GLBA, unless the researcher is handling nonpublic financial information originating from a financial institution under GLBA\u2019s scope.\u00a0 Other privacy and ethical rules typically govern academic research involving personal data.<\/p>\n If an academic researcher is handling financial information obtained from a financial institution or working directly with a financial institution\u2014and that information includes nonpublic personal financial data covered by GLBA\u2014then the financial institution remains responsible for GLBA compliance.<\/p>\n If the researcher is directly affiliated with or acting on behalf of a financial institution (e.g., through a research partnership, receiving data under a data-sharing agreement), GLBA obligations may apply to that financial institution\u2019s data handling and sharing practices.<\/p>\n However, academic researchers themselves are not typically regulated by GLBA, especially if the data involved does not come from or relate to a financial institution\u2019s consumer information.<\/p>\n GLBA provides certain rights to individuals, mainly centered on their privacy and control over nonpublic personal financial information.\u00a0 Individuals have the right to receive privacy notices at the time the customer relationship is established, and annually thereafter, as well as the right to opt-out of information sharing, and the right to protection from pretexting.<\/p>\n GLBA does not give an individual the right to access or correct their own financial records held by the institution, the right to extensive control over all types of data sharing, and it does not provide a private right of action against an institution.\u00a0 GLBA is enforced mostly by regulatory agencies.<\/p>\n Under the Safeguards Rule, institutions must develop, implement, and maintain a comprehensive information security program focused on protecting customer information.<\/p>\n Boston University has a Safeguarding Information \u2013 Gramm-Leach-Bliley Act (GLBA) Policy<\/a> (GLBA Policy), in place since 2003 to comply with the Gramm-Leach-Bliley Act. The Policy affirms that the University has an active Safeguarding Program to (1) insure the security and confidentiality of certain customer information, such as student loan-related information, (2) protect against any anticipated threats to the integrity of such information and (3) protect against unwarranted, unlawful and\/or unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. Under the Safeguarding Program, all Boston University departments with access to student loan data or other customer information must adhere to the requirements and the elements of the Safeguarding Program\u00a0 that are outlined within the GLBA Policy. The Safeguarding Program must also be adhered to by outside service providers, such as loan servicing agents and collection agencies to which student loan data may be transferred or who may gather it on behalf of the University.<\/p>\n Pursuant to the GLBA Policy, each Department at the University who is required to adhere to a Safeguarding Program must have a designated Departmental Security Administrators (DSA). The DSA is responsible for coordinating the GLBA Policy compliance efforts of the department.<\/p>\n\n
\n
\n
\n<\/div>\n<\/div>\n\nChinese Personal Information Protection Law (PIPL)<\/strong><\/h2>
Overview<\/strong><\/h3>\n
Key Definitions<\/strong><\/h3>\n
\n
\n
Handling Personal Data<\/strong><\/h3>\n
\n
\n
Does the PIPL provide any rights to individuals?<\/strong><\/h3>\n
\n
Does academic research fall under the PIPL?<\/strong><\/h3>\n
Does the PIPL require a data protection impact assessment or other risk assessment?<\/strong><\/h3>\n
\n
Family Educational Rights and Privacy Act (FERPA)<\/strong><\/h2>
Gramm-Leach-Bliley Act (GLBA)<\/h2>
Overview<\/strong><\/h3>\n
Key Definitions<\/strong><\/h3>\n
Handling Personal Data<\/strong><\/h3>\n
\n
Does academic research fall under GLBA?<\/strong><\/h3>\n
Does GLBA provide any rights to individuals?<\/strong><\/h3>\n
Does GLBA require a data protection assessment or risk impact assessment?<\/strong><\/h3>\n
GLBA at Boston University<\/strong><\/h3>\n