NOTE: A revised version of this policy is currently under review.
Web Site Privacy Notices
ISPP-24
This policy applies to all content owners and site managers of university web sites and web applications that are:
- created or maintained either by or for academic, administrative, or auxiliary units of Indiana University,
- and are accessible by individuals who are not university employees, students, or affiliates,
- regardless of whether or not the sites are hosted on university servers or external servers.
This includes web sites of professional associations and publications that are formally hosted, maintained, or operated by faculty or staff of the university.
This policy applies to visitor information that is collected either actively or passively, as defined in the glossary.
Other web sites that may be hosted on university servers, such as personal home pages and student organizational web sites, are encouraged to adhere to the terms of this policy as well. However, Indiana University is not responsible for the content of these sites or for their practices regarding the privacy of their visitors.
Content owners and site managers of university web sites that support web-based research (as "research" is defined in federal law and in university policy governing human subjects-based research) should be aware that this policy sets minimum requirements and that there may be additional research-specific requirements. Sites engaged in research must have prior review and approval by the campus Institutional Review Board (IRB) or Human Subjects Committee (HSC), and will follow procedures concerning the collection, use, and sharing of site visitor information established in accordance with that review and approval.
Indiana University respects the privacy of visitors to its web sites. Therefore, content owners and site managers of university web sites must:
- evaluate what visitor information is being collected by their sites, how that information is used, and what practices are followed for handling and protecting that information;
- comply with all applicable laws and institutional policies regarding visitor privacy;
- develop a privacy notice that explains what information is collected and what practices are followed with respect to that information;
- post a readily visible link to the privacy notice on at least the home page of the site and on any page that actively solicits visitor information (such as through a form); and
- update the privacy notice as needed.
Reason for Policy
A web site privacy notice (or privacy statement) is a public description of an organization's information management practices with respect to information collected by the organization's web site. Such notices have two purposes: visitor education and institutional accountability. Notification of privacy practices is a basic principle of good information management, and builds visitor confidence. Furthermore, the process of creating and maintaining a privacy notice requires web site content owners and site managers to understand their information-handling practices and may reveal potential issues to be addressed. This policy outlines Indiana University's philosophy concerning the use of web site privacy notices.
Privacy practices for web site content owners and site managers must include, and web site privacy notices must describe, procedures covering the following topics:
Describe what visitor information is collected, how it is used, how long it is retained, and under what circumstances, if any, it may be disclosed. Also, describe how visitors will be notified of changes to privacy practices.
Describe how a site visitor implicitly or explicitly indicates consent to the collection, use, and disclosure of his or her personal information, particularly if that information is to be used for a secondary purpose or disclosed to a third party.
Describe whether/how an individual may access his or her personal information to review or change that information.
Describe procedures for monitoring compliance with stated practices and for resolving visitors' complaints and disputes regarding the site's use and disclosure of personal information.
Describe how personal information collected by or provided to the site is secured.
Thus, a web site that passively collects information must address the following issues in its privacy notice, as appropriate:
- detail the scope of applicability for the site privacy notice by indicating the web site(s) to which it applies.
- state that different units at the university may collect and use visitor information in different ways and that visitors should review the privacy notices for the particular sites they visit.
- use the information only as outlined in the privacy notice, for the stated purpose(s), and retain the information only as long as necessary to fulfill the stated purpose(s).
- state whether the information will be shared with any external party(ies) and under what circumstances.
- state that the university is not responsible for the content of web sites or for the privacy practices of web sites outside the scope of this policy.
In addition, a web site that asks or requires visitors to actively provide information must address the following additional issues in its privacy notice, as appropriate:
- state what types of visitor information may be requested, why visitor information is requested, and how it will be used.
- make a copy of a visitor's information available to the visitor on his or her request.
- state that a visitor may contact the site's designee to obtain, modify, or delete information the visitor has provided, and provide contact information for doing so.
- state that providing the requested information is voluntary, and indicate how not providing the requested information (or subsequently asking that the information be removed) will affect the delivery of products or services for which the information is needed.
- provide these statements in such a way that visitors can easily view and read them before submitting any requested information.
Once the university receives visitor information, the university will employ reasonable safeguards to maintain the security of that information on university systems. Units that maintain university web sites are expected to maintain those sites, and supporting systems and databases, at a security level consistent with institutional policies and prevailing industry standards, and commensurate with the sensitivity of the information being stored.
Due to the rapidly evolving nature of information technologies, no transmission of information over the Internet can be guaranteed to be completely secure. While Indiana University is committed to protecting the privacy of our visitors, the university cannot guarantee the security of any information visitors transmit to university sites, and visitors do so at their own risk. All web site privacy notices developed pursuant to this policy must include a statement to this effect.
Web sites covered by this policy must comply with all applicable laws regarding the privacy and security of visitor information. If web site content owners and site managers have questions regarding the applicability of certain laws to their operations, they must seek appropriate guidance from relevant university officials.
Links to non-university web sites
University web sites may provide links to other, non-university sites. Indiana University is not responsible for the availability, content, or privacy practices of those sites. Non-university web sites are not bound by this web site privacy notice policy and may or may not have their own privacy policies. All web site privacy notices developed pursuant to this policy must include a statement to this effect.
Sanctions
Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved, this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources, for more detail.
Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.
- Approved: January, 2011
- Revision: October, 2010
- Revision: July, 2010
- Revision: April, 2010
- Revision: October, 2009
- Posted as draft: October 31, 2008