Web Site, Web Application, and Web Services Privacy Notices
University Information Policy Office, firstname.lastname@example.org
This policy applies to all content owners and site managers of university web sites, web applications, and web services (collectively referred to as "sites") for sites hosted on university servers or external servers. This policy applies to user information collected actively or passively (as defined below).
This also includes (but is not limited to):
This does not include:
Indiana University respects the privacy of users who access, visit, and use its sites. Content owners and site managers must post a readily visible link to a privacy notice on the home page of each site and on any page that actively solicits user information that reasonably notifies users regarding how that information will be used, managed, and disclosed.
IU seeks to balance the privacy rights of individuals and IU’s “Principles of Ethical Conduct” with the needs of content owners and site managers to collect data in support of University business or to meet a legal requirement. Notifying users of privacy practices is a basic principle of good information management. Privacy notices support user education and institutional accountability, and the process of creating and maintaining a privacy notice requires content owners and site managers to understand their information-handling practices and address any gaps.
Content owners and site managers should:
Content owners and site managers of university sites that support web-based research (defined by any applicable law, or university policy governing human subjects-based research) may be subject to additional requirements.
All sites covered by this policy must comply with all applicable laws and university policies regarding the privacy and security of user information. If site content owners and site managers have questions regarding the applicability of certain laws or policies to their operations, they should seek guidance from appropriate university officials.
International law may mandate additional privacy notice requirements. For example, content owners and site managers collecting data from the EU should be aware of the General Data Protection Regulation (GDPR).
Indiana University makes the following tools available for content owners and site managers so they can easily create a privacy notice for their site:
Regardless what language you use, the privacy notice should accurately reflect your practices regarding the collection and use of information from users to your site.
Active Collection: For the purposes of the Website Privacy Notices Policy, active collection refers to the gathering of information where a visitor voluntarily provides information such as through a form, or creating a profile, or choosing account settings.
Content Owner: For the purposes of the Web Site Privacy Notices Policy, the content owner of a university web site is the functional person or group that owns and directs the content of a web site. Typically, the content owner directs the site manager in the implementation of a web site. The content owner and site manager share responsibility for a web site and for adherence to this policy.
Passive Collection: For the purposes of the Web Site Privacy Notices Policy, passive collection refers to the automatic gathering of information from visitors as they migrate or navigate from page to page on a web site or series of sites, such as via server logs or cookies.
Site Manager: For the purposes of the Website Privacy Notices Policy, the site manager of a university web site is the person or group that technically implements the wishes and publishes the content of the content owner. Typically, the site manager follows the direction of the content owner. The site manager and content owner share responsibility for a web site and for adherence to this policy.
Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources for more detail.
Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.
Please note: This policy is currently under review.