Please note: This policy is currently under review.
Web Site, Web Application, and Web Services Privacy Notices
ISPP-24
This policy applies to all content owners and site managers of university web sites, web applications, and web services (collectively referred to as "sites") for sites hosted on university servers or external servers. This policy applies to user information collected actively or passively (as defined below).
This also includes (but is not limited to):
- Sites of professional associations and publications that are formally hosted, maintained, or operated by IU faculty or staff.
- Sites of University Student Organizations (USOs), even if access is limited to IU employees, students, or affiliates.
This does not include:
- Sites which are only accessible by IU employees, students or affiliates, if the sites are hosted and managed exclusively on IU servers by IU employees.
- Sites hosted or managed by third parties that are clearly identified and distinguishable from IU by branding and URL (e.g., Facebook, Twitter, LinkedIn).
- Other non-university sites that may be hosted on university servers (such as professional or academic home pages and student organizational web sites that are not official University Student Organizations). Indiana University is not responsible for the content of these sites or for their practices regarding the privacy of their visitors.
Indiana University respects the privacy of users who access, visit, and use its sites. Content owners and site managers must post a readily visible link to a privacy notice on the home page of each site and on any page that actively solicits user information. The privacy notice must reasonably notify users regarding how that information will be used, managed, and disclosed.
Reason for Policy
IU seeks to balance the privacy rights of individuals and IU’s “Principles of Ethical Conduct” with the needs of content owners and site managers to collect data in support of University business or to meet a legal requirement. Notifying users of privacy practices is a basic principle of good information management. Privacy notices support user education and institutional accountability, and the process of creating and maintaining a privacy notice requires content owners and site managers to understand their information-handling practices and address any gaps.
Content owners and site managers should:
- Identify what user information is being collected by their sites, how user information is used, and what practices should be followed for handling and protecting user information;
- Use the information collected only as outlined in the privacy notice, for the stated purpose(s), and retain the information only as long as necessary to fulfill the stated purpose(s);
- Develop a privacy notice that includes the content specified in the standards (ISPP-24-S) that support this policy;
- Post a readily visible link to the privacy notice on, at a minimum, the home page of the site and on any page that actively solicits user information (such as through a form); and
- Update the privacy notice(s) as needed. All previous versions of privacy notice(s) should be retained for three years, including information specifying the date range in which the version was in effect. (The previous versions need not be displayed or linked to from the current version.)
Content owners and site managers of university sites that support web-based research (defined by any applicable law, or university policy governing human subjects-based research) may be subject to additional requirements.
All sites covered by this policy must comply with all applicable laws and university policies regarding the privacy and security of user information. If site content owners and site managers have questions regarding the applicability of certain laws or policies to their operations, they should seek guidance from appropriate university officials.
International law may mandate additional privacy notice requirements. For example, content owners and site managers collecting data from the EU should be aware of the General Data Protection Regulation (GDPR).
Indiana University makes the following tools available for content owners and site managers so they can easily create a privacy notice for their site:
Regardless of what language you use, the privacy notice should accurately reflect your practices regarding the collection and use of information from users of your site.
Active Collection: For the purposes of the Website Privacy Notices Policy, active collection refers to the gathering of information that a visitor voluntarily provides, such as by completing a form, creating a profile, or choosing account settings.
Content Owner: For the purposes of the Web Site Privacy Notices Policy, the content owner of a university web site is the functional person or group that owns and directs the content of a web site. Typically, the content owner directs the site manager in the implementation of a web site. The content owner and site manager share responsibility for a web site and for adherence to this policy.
Passive Collection: For the purposes of the Web Site Privacy Notices Policy, passive collection refers to the automatic gathering of information from visitors as they migrate or navigate from page to page on a web site or series of sites, such as via server logs or cookies.
Site Manager: For the purposes of the Website Privacy Notices Policy, the site manager of a university web site is the person or group that technically implements the wishes and publishes the content of the content owner. Typically, the site manager follows the direction of the content owner. The site manager and content owner share responsibility for a web site and for adherence to this policy.
Sanctions
Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved, this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources, for more detail.
Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.
Data Classification / Storage / Disclosure
Licenses / Contracts
Data Security Assessments
- Approved: January, 2011
- Revision: October, 2010
- Revision: July, 2010
- Revision: April, 2010
- Revision: October, 2009
- Revision: May, 2017
- Posted as draft: October 31, 2008