European Economic Area Privacy Notice and General Data Privacy Regulation (GDPR)
Houston Christian University (HCU) recognizes the need to protect the personal information of individuals and strives to protect the privacy of individuals who come in contact with the university. This European Economic Area (“EEA”) Privacy Notice outlines the collection, use, and disclosure of personal information provided to the University by individuals who are located in the EEA. When information is submitted to HCU, or someone uses the University’s websites and other services, they consent to the collection, use, and disclosure of that information as described in this EEA Privacy Notice.
For purposes of this EEA Privacy Notice, “information” refers to information concerning a natural person that is created by or provided to HCU from or concerning individuals who are located in the EEA. “Sensitive information” refers to information concerning such a natural person’s race, ethnic origin, religious or philosophical beliefs, health data, sexual orientation and criminal convictions.
This EEA Privacy Notice is a supplement to the HCU Privacy Notice, which also contains important information relevant to individuals in the EEA and GDPR. Please visit HC.edu/PrivacyPolicy for more information.
Throughout this document “HCU” or “we” or “our” refers to Houston Baptist University, a not-for-profit institution of higher education located at 7502 Fondren Road, Houston, Texas, 77074 USA, incorporated as a 501(c)3 in the State of Texas.
I. Who is HCU’s Data Protection Officer?
HCU has designated the Staff Counsel, Financial Operations as the Data Protection Officer for the purposes of GDPR. He can be contacted with questions or concerns at GDPR@hbu.edu.
II. How does HCU collect and use personal information?
There are many ways that individuals may interact with HCU, and that will affect the data collected and how it is used. For the sake of clarity, most individuals will fall into one of these categories (each of which will be discussed below):
- Prospective Students, Applicants, Admitted and Enrolled Students, and other Learners
- Faculty and Staff
- Individuals involved in research
- Alumni, donors, and other community members
- Visitors at HCU for specific purposes
A. Information for Potential Students, Admitted Students, and other Learners
HCU may collect your personal data in a numbers of ways, including prospective students providing it to us through an application for admission or financial aid, email, phone call or in-person meeting. We may receive information about prospective students from third parties acting on their behalf (such as high school guidance counselors, community organizations with which they are affiliated, or their parents). We may also receive information about prospective students from third parties at our request (such as application or testing services).
The types of data we collect are mainly driven by the extent to which prospective students either provide information to HCU, or to the extent they use HCU programs or services. As students attend HCU, in person or online, we may collect information about their participation and performance, including information such as the courses they take, their grade or performance in a course, and information about their attendance or participation.
If students use an online learning platform, information about their online activities will be associated with their log in, which may include what pages they visit, how long they were there, forum postings, and any correspondence with the instructor or other students.
If prospective students use other HCU services or programs, we may collect personal information from them that is relevant to providing that service or program. Examples of these services and programs include academic advising, career services, financial aid, work study, health center or counseling, athletics, disability services, library, information technology, housing, dining, parking, wellness center, clubs and student activities, student judicial programs, equal opportunity or Title IX coordinators, police or emergency medical services.
Importantly, there are laws that affect how a person’s data may be used or shared by HCU, and may provide them with additional rights. The primary law affecting student information is the Family Education Rights and Privacy Act (FERPA), which is a federal law designed to protect the privacy of and limit access to student educational records (as defined in that law). In some cases, FERPA allows certain information to be shared without a student’s permission. More information about FERPA is available at HC.edu/FERPA.
B. Information for Faculty and Staff
HCU may collect personal data in a number of ways, including applicants providing it to HCU as part of an employment application or during the hiring process. HCU will also collect any information necessary to comply with the law and relevant regulations (e.g. Immigration Form I-9), or as required by our accreditors (e.g. degree or transcript information).
HCU uses a third party vendor to conduct background checks on designated prospective employees that may include things such as criminal history.
If a person uses other HCU services or programs, we may collect personal information that they provide and that is relevant to providing that service or program (for example, if a person obtains a parking pass, HCU will keep your license plate number; or if someone purchases athletics season tickets, HCU will keep information about the transaction). Other examples of these services or programs include payroll, library, human resources, disability services, information technology, dining, parking, recreation center, equal opportunity or Title IX, police or emergency medical services.
Importantly, laws that affect how HCU may use or share personal data may provide faculty and staff with additional rights.
C. Information for individuals involved in research
HCU may collect someone’s personal data in a numbers of ways, including the person providing it to us as part of an agreement to participate in research. Third parties may also provide someone’s information to HCU through agreements that allow information to be shared.
These agreements are often contained in an “Informed Consent” document that participants sign with HCU or with a third party. This Informed Consent document will contain additional important information about how personal data may be used.
For any research that involves human subjects, HCU follows the principles outlined in the Belmont Report, the U.S. “Common Rule,” and other applicable law.
HCU may also receive information as part of a research collaboration with federal, state, or local governmental authorities.
Importantly, laws that affect how HCU may use or share personal data may provide individuals involved in research with additional rights.
D. Information for Alumni, Donors, and other Community Members
HCU may collect personal data in a numbers of ways, including through alumni outreach efforts, contributions to HCU, participation in HCU- sponsored events, or by personal knowledge or recommendation of other alumni, students, faculty, or staff. HCU may also receive personal information from third parties that we have contracted with to provide information about alumni or potential donors.
HCU uses this data to provide contacts with information about our programs, opportunities for collaborations and engagement, and to foster involvement between current HCU students, alumni, and the community.
Importantly, laws that affect how HCU may use or share personal data may provide alumni, donors and other community members with additional rights.
E. Information for Visitors at HCU
HCU may collect personal data in a numbers of ways, including information given to HCU as part of participating in a campus function or event, purchasing tickets, making donations, or using HCU services.
HCU may collect relevant information from those who use HCU services, such as the recreation center, library, parking, disability services, testing center, and others. This information may also be used to contact people regarding other HCU activities or outreach efforts.
If someone is involved in an activity that involves interactions with minors, HCU may conduct a background check on them to include your criminal history. HCU ordinarily uses a third party vendor to conduct such background checks.
Importantly, laws that affect how HCU may use or share personal data may provide visitors with additional rights.
III. Other Potential Third Party Uses of Sensitive Information
We may disclose Sensitive Information and other Information as follows:
- Consent: We may disclose Sensitive Information and other Information if we have a person’s consent to do so.
- Emergency Circumstances: We may share Information, or Sensitive Information, when necessary to protect a person’s interests and when someone is physically or legally incapable of providing consent.
- Employment Necessity: We may share Sensitive Information when necessary for administering benefits in accordance with applicable law and subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- Charitable Organizations: We may share Information with other not-for-profit organizations in connection with charitable giving subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- Public Information: We may share Information and Sensitive Information if a person has manifestly made it public.
- Archiving: We may share Information and Sensitive Information for archiving purposes in the public interest, and for historical research, and statistical purposes.
- Performance of a Contract: We may share Information when necessary to administer a contract you have with the University.
- Legal Obligation: We may share Information when the disclosure is required or permitted by international, federal, or state laws and regulations.
- Service Providers: We use third parties who have entered into a contract with the University to support the administration of University operations and policies. In such cases, we share Information with such third parties subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- University Affiliated Programs: We may share Information with parties that are affiliated with the University for the purpose of contacting you about goods, services, charitable giving or experiences that may be of personal interest.
- De-Identified and Aggregate Information: We may use and disclose Information in de-identified or aggregate form without limitation.
IV. Legal Basis under GDPR
HCU will only process personal information for lawful purposes under the GDPR. In most cases, the lawful basis to collect and process personal information is due to the necessity of performance of a personal contract (e.g. to provide educational services).
In many cases, the lawful basis will be the legitimate interests of HCU. In cases where “legitimate interest” is the legal basis, HCU will apply a balancing test to determine if our interest outweighs a person’s fundamental rights in protecting such data.
Where neither of these two bases are appropriate, or if we are collecting sensitive information (what the GDPR refers to as “special categories of personal data”) then HCU will obtain your prior consent.
We implement appropriate technical and organizational security measures to protect personal information when transmitted to us and when we store it on our information technology systems.
VI. Retention and Destruction of Your Information
Personal information will be retained by the University in accordance with applicable international, state, or federal laws. Personal information will generally be destroyed upon request unless applicable law requires destruction after the expiration of an applicable retention period, or unless there is a legitimate reason to retain the information and that reason is recognized by the GDPR. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of personal information given the level of sensitivity, value and criticality to HCU.
Students should be aware that some data is considered part of a student’s “Permanent Record,” and as such it will be securely maintained in perpetuity.
Consent for Data leaving the European Union and Processing in the United States
Most of the personal information and sensitive information we process about someone will be transferred to, and stored at, a destination outside of the EEA, particularly the United States. Transferring this data is essential to providing students and others the services they are requesting, and HCU cannot provide these services without transferring this data. By using HCU websites, online platforms, applying to HCU, attending HCU, or requesting services from HCU, you are consenting to having your data processed in the United States.
Individuals in the EEA have the right to request access to, a copy of, rectification of, restriction in the use of, or erasure of personal information in accordance with all applicable laws, and subject to the limitations outlined in the GDPR. For individuals outside the EEA and data that was not collected within the EEA, the erasure of personal information shall be subject to the retention periods of applicable state and federal law. If a person has provided consent to the use of their information, they have the right to withdraw consent without affecting the lawfulness of the University’s use of the information prior to receipt of their request.
These rights may be exercised by emailing GDPR@HBU.edu. We will ask for information verifying your identity, and we will respond to your request within a reasonable timeframe.
If you feel the University has not complied with the applicable provisions of the GDPR regulating your information, you have the right to file a complaint with the appropriate supervisory authority in the EEA.
IX. Updates to this Notice
We may update or change this policy at any time. Your continued use of the University’s website and third-party applications after any such change indicates your acceptance of these changes.
This was Notice was issued on October 1, 2018, and last updated on October 1, 2018.