Web Site, Web Application, and Web Services Privacy Notices
University Information Policy Office, firstname.lastname@example.org
This policy applies to all content owners and site managers of university web sites and web applications that are:
• created or maintained either by or for academic, administrative, or auxiliary units of Indiana University,
• and are accessible by individuals who are not university employees, students, or affiliates,
• regardless of whether or not the sites are hosted on university servers or external servers. This includes web sites of professional associations and publications that are formally hosted, maintained, or operated by faculty or staff of the university.
This policy applies to visitor information that is collected either actively or passively, as defined in the glossary.
Other web sites that may be hosted on university servers, such as personal home pages and student organizational web sites are encouraged to adhere to the terms of this policy as well. However, Indiana University is not responsible for the content of these sites or for their practices regarding the privacy of their visitors.
Content owners and site managers of university web sites that support web-based research (as "research" is defined in federal law and in university policy governing human subjects-based research) should be aware that this policy sets minimum requirements and that there may be additional research-specific requirements. Sites engaged in research must have prior review and approval by the campus Institutional Review Board (IRB) or Human Subjects Committee (HSC), and will follow procedures concerning the collection, use, and sharing of site visitor information established in accordance with that review and approval.
Indiana University respects the privacy of visitors to its web sites. Therefore, content owners and site managers of university web sites must:
• evaluate what visitor information is being collected by their sites, how that information is used, and what practices are followed for handling and protecting that information;
• comply with all applicable laws and institutional policies regarding visitor privacy;
• develop a privacy notice that explains what information is collected and what practices are followed with respect to that information;
• post a readily visible link to the privacy notice on at least the home page of the site and on any page that actively solicits visitor information (such as through a form); and
• update the privacy notice as needed
A web site privacy notice (or privacy statement) is a public description of an organization's information management practices with respect to information collected by the organization's web site. Such notices have two purposes: visitor education and institutional accountability. Notification of privacy practices is a basic principle of good information management, and builds visitor confidence. Furthermore, the process of creating and maintaining a privacy notice requires web site content owners and site managers to understand their information-handling practices and may reveal potential issues to be addressed. This policy outlines Indiana University's philosophy concerning the use of web site privacy notices.
Privacy practices for web site content owners and site managers must include, and web site privacy notices must describe, procedures covering the following topics:
Describe what visitor information is collected, how it is used, how long it is retained, and under what circumstances, if any, it may be disclosed. Also, describe how visitors will be notified of changes to privacy practices.
Describe how a site visitor implicitly or explicitly indicates consent to the collection, use, and disclosure of his or her personal information, particularly if that information is to be used for a secondary purpose or disclosed to a third party.
Describe whether/how an individual may access his or her personal information to review or change that information.
University Policies ISPP-24 3 Describe procedures for monitoring compliance with stated practices and for resolving visitors' complaints and disputes regarding the site's use and disclosure of personal information.
Describe how personal information collected by or provided to the site is secured.
In addition, a web site that asks or requires visitors to actively provide information, must address the following additional issues in its privacy notice, as appropriate:
• state what types of visitor information may be requested, why visitor information is requested, and how it will be used. • make a copy of a visitor's information available to the visitor on his or her request.
• state that a visitor may contact the site's designee to obtain, modify, or delete information the visitor has provided, and provide contact information for doing so.
• state that providing the requested information is voluntary, and indicate how not providing the requested information (or subsequently asking that the information be removed) will affect the delivery of products or services for which the information is needed.
• provide these statements in such a way that visitors can easily view and read them before submitting any requested information.
Once the university receives visitor information, the university will employ reasonable safeguards to maintain the security of that information on university systems. Units that maintain university web sites are expected to maintain those sites, and supporting systems and databases, at a security level consistent with institutional policies and prevailing industry standards, and commensurate with the sensitivity of the information being stored.
Due to the rapidly evolving nature of information technologies, no transmission of information over the Internet can be guaranteed to be completely secure. While Indiana University is committed to protecting the privacy of our visitors, the university cannot guarantee the security of any information visitors transmit to university sites, and visitors do so at their own risk. All web site privacy notices developed pursuant to this policy must include a statement to this effect.
Web sites covered by this policy must comply with all applicable laws regarding the privacy and security of visitor information. If web site content owners and site managers have questions regarding the applicability of certain laws to their operations, they must seek appropriate guidance from relevant university officials.
Links to non-university web sites
University web sites may provide links to other, non-university sites. Indiana University is not responsible for the availability, content, or privacy practices of those sites. Non-university web sites are not bound by this web site privacy notice policy and may or may not have their own privacy policies. All web site privacy notices developed pursuant to this policy must include a statement to this effect.
• The Web Site Privacy Notice Generator
• Web Site Privacy Notices Policy FAQ
Please note: This policy is currently under review.