Web Site Privacy Notices
University Information Policy Office, firstname.lastname@example.org
This policy applies to all content owners and site managers of university web sites and web applications that are:
This includes web sites of professional associations and publications that are formally hosted, maintained, or operated by faculty or staff of the university.
This policy applies to visitor information that is collected either actively or passively, as defined in the glossary.
Other web sites that may be hosted on university servers, such as personal home pages and student organizational web sites are encouraged to adhere to the terms of this policy as well. However, Indiana University is not responsible for the content of these sites or for their practices regarding the privacy of their visitors.
Content owners and site managers of university web sites that support web-based research (as "research" is defined in federal law and in university policy governing human subjects-based research) should be aware that this policy sets minimum requirements and that there may be additional research-specific requirements. Sites engaged in research must have prior review and approval by the campus Institutional Review Board (IRB) or Human Subjects Committee (HSC), and will follow procedures concerning the collection, use, and sharing of site visitor information established in accordance with that review and approval.
Indiana University respects the privacy of visitors to its web sites. Therefore, content owners and site managers of university web sites must:
A web site privacy notice (or privacy statement) is a public description of an organization's information management practices with respect to information collected by the organization's web site. Such notices have two purposes: visitor education and institutional accountability. Notification of privacy practices is a basic principle of good information management, and builds visitor confidence. Furthermore, the process of creating and maintaining a privacy notice requires web site content owners and site managers to understand their information-handling practices and may reveal potential issues to be addressed. This policy outlines Indiana University's philosophy concerning the use of web site privacy notices.
Privacy practices for web site content owners and site managers must include, and web site privacy notices must describe, procedures covering the following topics:
Thus, a web site that passively collects information must address the following issues in its privacy notice, as appropriate:
In addition, a web site that asks or requires visitors to actively provide information, must address the following additional issues in its privacy notice, as appropriate:
Once the university receives visitor information, the university will employ reasonable safeguards to maintain the security of that information on university systems. Units that maintain university web sites are expected to maintain those sites, and supporting systems and databases, at a security level consistent with institutional policies and prevailing industry standards, and commensurate with the sensitivity of the information being stored.
Due to the rapidly evolving nature of information technologies, no transmission of information over the Internet can be guaranteed to be completely secure. While Indiana University is committed to protecting the privacy of our visitors, the university cannot guarantee the security of any information visitors transmit to university sites, and visitors do so at their own risk. All web site privacy notices developed pursuant to this policy must include a statement to this effect.
Web sites covered by this policy must comply with all applicable laws regarding the privacy and security of visitor information. If web site content owners and site managers have questions regarding the applicability of certain laws to their operations, they must seek appropriate guidance from relevant university officials.
University web sites may provide links to other, non-university sites. Indiana University is not responsible for the availability, content, or privacy practices of those sites. Non-university web sites are not bound by this web site privacy notice policy and may or may not have their own privacy policies. All web site privacy notices developed pursuant to this policy must include a statement to this effect.