This Notice describes the practices of Hartwick College with respect to the collection, use, storage, and disclosure of personal information associated with activities related to employees, students, alumni, applicants, and other friends of Hartwick College. This includes personal information covered by the European Union’s General Data Protection Regulation (GDPR) for individuals who are located in the European Union, or the additional countries located in the European Economic Area (EEA). For the purposes of this Notice and the GDPR, the collection, use, storage and disclosure of information is called “processing”. This Notice applies to Hartwick College (referred to below as “College”, “we,” “us” or “our”) located at 1 Hartwick Drive, Oneonta, NY 13820, as well as, to its affiliated legal entities. All natural persons in the EU or EEA who are associated with Hartwick College (referred to below as “you” or “your”) should carefully read the provisions of this Privacy Notice.

Under the GDPR, “Personal Data” means any information relating to an identified or identifiable Data Subject; specifically including, but not limited to, name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. A Data Subject is an identifiable natural person, i.e., one who can be identified, directly or indirectly, in particular, by reference to Personal Data. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “processed” have a corresponding meaning.

The GDPR prohibits the processing of “special categories” of Personal Data unless certain exceptions apply, because this type of data could create more significant risks to a Data Subject’s fundamental rights and freedoms. For example, an unauthorized disclosure of “special categories” of Personal Data may put Data Subjects at risk of unlawful discrimination. For this purpose, processing of “special categories” of Personal Data includes processing of: (i) Personal Data that reveals; (A) racial or ethnic origin, (B) political opinions, (C) religious or philosophical beliefs, or (D) trade union membership; or (ii) (A) genetic data, (B) biometric data for the purpose of uniquely identifying a natural person, (C) data concerning health; or (D) data concerning a natural personal’s sex life or sexual orientation.

We process information we collect from you directly, including during our communications with you during your enrollment, employment, participation in student or alumni activities or programs, when you work as a vendor or contractor, as a result of your other association with Hartwick College, when you attend one of our events, when you make contributions, when you communicate with the College for any purpose, when you apply for employment, employment benefits, admission or financial aid, when you make use of Hartwick equipment, systems, facilities, programs, resources, and/or Hartwick services provided by third-party vendors, and when you request services from Hartwick. In some cases, we will require that certain information be provided in order for us to provide you with a service, benefit, or to take an action related to a request that you make. We will indicate when such information is required and failure to provide required or mandatory information may result in our being unable to provide you with a service, benefit, or take an action you request.

We also employ cookies and may collect background information about you when you use our website, including your IP address, date and time of connection, operating system, browser type, and the webpages you visit.

Hartwick maintains video surveillance and card swipe systems for the security of our premises. The College or our contracted service providers may process images and video of you, and information about your use of and access to our premises, in connection with the operation of these systems.

Alumni and Friends of Hartwick College

For purposes of this document, “Friends of Hartwick” includes former employees, family of students and employees, donors to Hartwick and their families, potential donors and their families, and others who have expressed an interest in supporting Hartwick or in participating or engaging in College-sponsored activities.

We may also collect the following kinds of information about you from third parties:

Information we collect from other personnel or students: We may collect information about you from other persons affiliated with Hartwick. For example, we collect contact information for our student’s parents and family members from our students.

Information we receive about you from journals, research publications, professional organizations, or other platforms through which you publish or present content.

Information from publicly available sources, like your public social media profiles (e.g., LinkedIn), and public directories that include your professional and contact information.

Demographic Information: We may review and process available demographic information about you.

Information about your prior or concurrent educational history, which we collect from other educational institutions (or retrieve from our own records).

Employees or Applicants for Employment at Hartwick College

The information we process may include information about your employment history with Hartwick, your job performance, compensation and benefits, and your dependents and emergency contacts. We use automated decision-making processes to process your data in certain contexts. For example, we may automatically evaluate information about your compensation and benefits to withhold taxes or determine your eligibility for employee benefits or other programs, or key terms in your application to determine if you meet the qualifications for a position to which you apply for employment.

We may also collect the following kinds of information about you from third parties:

Your contact and demographic information, including publicly available information, which we collect from third parties who provide us information about prospective employees who may be interested in working at Hartwick College.

Any criminal convictions or offenses, information about your credit, and other information about your previous employment and education, which we collect as part of a background check process (where permitted by applicable law) from government records, credit reporting companies, your previous employers, and other academic institutions.

We collect information about your employment history and education during the application process or when taking an employment action – such as considering you for a promotion or a new position.

We may confirm information you have provided concerning your previous employers and the education institutions you attended.

Information about your professional certifications: We may confirm information you have provided about any professional certifications you might have from third parties that provide or verify those certifications.

>Information about your health: Where permitted by applicable law, we may receive or communicate information to provide you with benefits to which you are entitled, such as workers’ compensation and disability claims.

Information we collect from other employees or students who may provide us with information about you, whether in the process of reporting an incident or complaint, alerting us to an emergency situation involving you, or as part of the employment process. This information can include your name, information about your behavior or activities, and other information about the situation being reported to us.

Immigration information: Governments and consulates may provide us with government identification, immigration information, or other information in order to confirm your eligibility to work in the United States or to facilitate travel related to your employment at Hartwick. The type of information provided may vary by country depending on applicable reporting requirements. For example, the Czech government may report information regarding criminal convictions and debts.

Students and Applicants for Enrollment at Hartwick College

In addition to submitting an application directly to us, you may submit an application through the Common Application or via other third party sites through which Hartwick collects prospective student information or financial aid related data. We may use automated decision making processes to screen applicants for both admission and financial aid according to predetermined criteria. For example, the information in your financial aid application may be used to generate a profile of your financial circumstances that is used to make decisions about your eligibility for scholarships, loans, and other financial assistance.

In addition, we collect the following kinds of information about you from third parties:

Your contact and demographic information, including publicly available information, which we collect from third parties who provide us information about prospective students who may be interested in attending Hartwick. We may also collect this contact information from students about their parents and family members.

Specific personal background and health details, which we may collect from third parties.

Information about your prior educational history, which we collect from other educational institutions (or from our own records in the event of a re-enrollment or enrollment for a different degree).

Alumni and Friends of Hartwick College

We process your personal information in order to support and operate Hartwick College and its programs, to provide you with alumni support and related services (such as job placement, email, reunion planning, transcripts, and library services), to assure continuity in our communications with you, and to contact you to offer you services and request financial support for Hartwick College.

We also use this data to: file required reports with applicable governmental authorities, administer our programs and provide appropriately tailored services, monitor trends within our fundraising activities, verify your identity, ensure that the college is prepared for emergencies, enforce college policies and applicable laws, manage university gift receipting, acknowledgement, billing, collecting, refunding and cashiering functions, facilitate internal research, coordinate events such as meetings, gatherings, conferences, and professional development, and facilitate alumni directories and other promotional activities. We combine the data that we collect in order to provide these functions.

We have the following legal basis for processing the information you provide us or that we collect about you.

We have a legitimate interest in raising funds to support Hartwick College’s mission and programs; supporting our alumni and other friends of Hartwick; complying with laws and regulations; and administering programs in an efficient, ethical, and appropriate manner. We process all the information we collect from or about you to meet these purposes.

We may also be required to process your personal information to complete a contract or agreement that you have entered into with us, including when you wish to receive a service or when the College responds to your pledge or intention to make a contribution.

We may also be required to process your personal information to comply with laws applicable in the European Union or its member states.

The lawful and legitimate purposes for which we may use other Personal Data (including “special categories” of Personal Data) we collect while you visit our website (e.g., the background information such as IP address, date and time, and the webpages you visit) is that it is in our legitimate interests to provide and monitor the usefulness of our website and to ensure it is kept secure.

Employees or Applicants for Employment at Hartwick College

We process your Personal Information to administer and manage Hartwick College programs and services, evaluate your eligibility for employment, communicate with you about your application, to onboard you as a new employee, administer, manage, and evaluate your employment with Hartwick, communicate with you regarding your employment, and provide you with access to Hartwick programs, benefits, services, and facilities.

We also use data to: make strategic decisions about Hartwick programs or course offerings, and administer those programs, file required reports with applicable governmental authorities, engage in financial planning, to comply with application retention requirements, and for the enforcement of Hartwick College policies and applicable laws. We combine the data that we collect in order to provide these functions.

We have the following legal basis for processing the information you provide and that we collect about you during your employment.

We have a legitimate interest in hiring and retaining qualified employees, complying with laws and regulations that govern our conduct in the countries where we operate, and administering Hartwick College and its programs in an efficient, ethical, and appropriate manner.

We may be required to process your Personal Information to fulfill our obligations pursuant to an offer of employment or an agreement to receive certain other benefits.

We may also be required to process your Personal Information to comply with laws applicable in the United States or in the European Union or its member states. For example, we may process your passport information in order to comply with our obligations under applicable employment laws.

Students and Applicants for Enrollment at Hartwick College

We process your Personal Information to recruit prospective students, evaluate applications for admission, evaluate your eligibility for financial aid, communicate with you about Hartwick and your application, and, if you are admitted, to award you financial aid and to enroll you in programs if you choose to attend.

We also use this data to: administer programs and make decisions about course offerings, file required reports with applicable governmental authorities, administer our programs and provide appropriately tailored services, including student health services, financial aid, and research and reporting activities, monitor trends within incoming classes, report application and admission statistics to appropriate publications, plan course offerings, verify identity, ensure that the College is prepared for emergencies, and enforce Hartwick policies and applicable laws. We combine the data that we collect in order to provide these functions.

We have the following legal basis for processing the information you provide us in your application or that we collect about you during the application process.

We have a legitimate interest in recruiting and admitting qualified applicants, complying with laws and regulations that govern our conduct in the countries where we operate, and administering Hartwick and its programs in an efficient, ethical, and appropriate manner.

Once you have accepted an offer of admission from us, we may also be required to process your Personal Information to complete a contract that you have entered into with us, including to be admitted to a program, or receive financial aid, housing, or another service from us.

In the case of Sensitive Personal Information (which includes (i) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) genetic and biometric data, and (iii) data concerning health, sex life, or sexual orientation), we process information because it is necessary for our legitimate business interests and have concluded that our interests do not inappropriately impact your fundamental rights and freedoms. We may also be required to process certain information to comply with applicable laws. You can obtain more information about these laws by contacting the DPO.

If Hartwick requested, and you provided your explicit consent for the processing of your Personal Data (or where a parent or legal guardian provided consent on your behalf because you were under the age of 16 at the time consent was required), you (or your parent or legal guardian, as applicable) have the right (in certain circumstances) to withdraw that consent at any time. However, withdrawal of consent will not affect the lawfulness of the processing before your consent was withdrawn.

Finally, we process your Personal Information for additional purposes that are compatible with those already described, including for the purposes of conducting scientific, statistical, or historical research or for the purpose of creating archives in the public interest. Where possible, we do not use identifiable information for these purposes, or we take steps, including making use of pseudonymous data, to limit the amount of Personal Information we use in our research or archives.

You can obtain additional information about the legitimate interests, contracts or agreements, or processing we do to comply with applicable laws by contacting the DPO.

Hartwick College is concerned with ensuring adequate protection of all Personal Information. In this regard, Hartwick endeavors to restrict Personal Information to only those needing access to carry out their duties. Your personal information will be received and processed by Hartwick employees and personnel, students, as well as third parties who provide services to Hartwick in connection with the purposes of the processing described above. We share your Personal Information with our service providers only when they have agreed to process your Personal Information only to provide services to us and have agreed to protect your Personal Information from unauthorized use, access, or disclosure. We also disclose your information to government authorities as required by laws that regulate immigration, tax, national security, and criminal activity.

We may provide your information to other colleges, universities, or entities for purposes such as, but not limited to: facilitate joint activities, including travel, collaborative events for professional affiliations or research partners documenting or transferring academic credit, printers and mailing houses, The College Board, ACT, and the National Student Clearinghouse for reporting and enrollment verification, verifying employment by providing only your title and dates of employment unless you provide a signed authorization to provide additional information.

We may also disclose your Hartwick contact information in employee and student directories available to Hartwick students, employees, and the general public. You may request that your information be removed from this directory. We will not share your personal information with any company or organization outside the College except as stated within this document.

Non-personalized identifiable website visitor information (i.e. information that has been “pseudonymised” as described in the GDPR) may be provided to other parties for marketing, advertising, or other uses without restriction.

Hartwick College is located and operates primarily in the United States. We transfer your data within the United States and to the countries where we operate Global Exchange and Study Abroad programs. Hartwick offers study abroad programs in countries around the world inside and outside the EU.

You can find more information about how long we retain personal data by consulting our Records Management, Retention, and Disposal Policy. If you have any questions, you may contact the DPO

You have the right to the following information regarding our processing of your Personal Information: the purposes of the processing, the categories of Personal Information concerned, the recipients or categories of recipients to whom the Personal Information has been or will be disclosed, where possible, the envisaged period for which the Personal Information will be stored, or, if not possible, the criteria used to determine that period.

This Privacy Notice is intended to provide this information. Any questions about these details may be directed to the DPO.

You also have the following additional rights with respect to your Personal Information:

The right to request access to the Personal Information that we have about you as allowed by law and/or policy; as well as, the right to request rectification of any data that is inaccurate or incomplete.

The right to request a copy of your Personal Information as permitted by College Policy or law in electronic format so that you can transmit the data to third parties, or to request that we directly transfer your Personal Information to one or more third parties.

The right to object to the processing of your Personal Information for the College’s communications regarding your student, employee or alumni status, College publications relating to academic, employment and fundraising functions and other purposes where permitted by law.

Under certain circumstances, you may also have the right to erasure of your Personal Information when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Information to certain limited purposes where erasure is not possible.

Individuals in the EU (including students, alumni, and employees) who wish to exercise their rights under GDPR, please download and complete the Hartwick GDPR Data Request Form (PDF), with signature and notarization, and send it to GDPR Data Request at compliance@hartwick.edu.

If you have questions, concerns, or complaints about how we are using your Personal Data, we may be able to resolve your complaints, and we request that you contact the Data Protection Officer (DPO) using the contact information contained in this Notice. You also have the right to file a complaint with the data protection authority in any Member State where you habitually work, live, or believe an infringement of EU data protection law occurred if you believe that we have not complied with the requirements of the GDPR with regard to your Personal Data, or if you are not happy with the response you receive from us regarding your complaint. You may consult the list of data protection authorities provided by the European Commission.

Effective: August 15, 2018
Revised: August 31, 2020

The purpose of this policy is to provide uniform guidelines for the management, retention and disposal of records received, created, generated, or maintained by Hartwick College (College) in connection with the conduct of College business.

This policy seeks: to establish record management guidelines and a system of accountability to help ensure that the College can meet the legal requirements pertaining to records management; to ensure the authenticity and reliability of official records of the College; to protect the confidentiality of records and the privacy of constituents; to prevent the misuse, misplacement, damage, untimely destruction, or theft of records; to ensure that records which have enduring historical value are retained; and to ensure that the College and the College’s employees are working toward compliance with the European Union General Data Protection Regulation (the “GDPR”).

The GDPR applies to the Processing of a Data Subject’s Personal Data (as such terms are defined below). Under the GDPR, the College may be considered a Controller (as defined below) of Personal Data, and, as such, likely is subject to numerous requirements under the GDPR.

This policy addresses the management, retention and disposal of all records received, created, generated, or maintained by the College and applies to all departments of the College. This policy covers all types of records, regardless of physical characteristics, that are created, generated, received; recorded as evidence of the organization, its functions, policies, decisions, procedures, operations, or activities; or documents legally filed in the course of business or legal obligations.

Since no one individual or department can be directly responsible for all campus records and files, users throughout the College share a collective responsibility to manage records appropriately and adhere to the retention and disposal guidelines outlined in this policy. Access, maintenance, retention, and disposal procedures for college records must be followed by all employees.

This Policy applies to, and will be provided to, all employees and staff of the College, except when they are acting in a private or external capacity unrelated to the College. For clarity, the term “employees and staff,” for this purpose means anyone working in any context for the College at any level or grade (whether permanent, full-time, part-time, adjunct or temporary), and including employees, retired but active former employees, faculty members, staff, visiting fellows, workers, trainees, interns, seconded staff, agency staff, agents, volunteers, external members of committees, and Trustees.

This policy addresses international, federal, and state laws and regulations, and College policies such as, but not limited to, Family Education Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPPA), General Data Privacy Regulation (GDPR), Fair Credit Reporting Act (FCRA), Federal Trade Commission (FTC), Department of Labor, Payment Card Industry Security Standards (PCI-DSS), and New York State General Business Law Section 399-h.

Any questions regarding the implementation of this policy, including its applicability to any document, should be addressed to Hartwick College Compliance Coordinator.

Archivist: Responsible for assessing the long-term value of a record and making the determination on whether or not a record will be considered an Archival Record. The Archivist will be responsible for collecting, organizing, preserving, maintaining control over, and providing access to records in the Hartwick College Archives and The Record Storage Center.

Compliance Coordinator: Responsible for the coordination of the record management, retention, and disposal program.

Department Record Coordinator: Responsible for the proper management and disposal of records for a designated department and shall be the primary contact for records management, retention and disposal for their designated department.

Information Technology: Responsible for the day-to-day maintenance of the network and electronic systems owned or managed by the College that store data and records, to ensure that electronic records remain accessible and recoverable. IT Services is available to assist College offices and departments with the IT aspects of records management, retention and the secure digital disposal of records.

Data Protection Officer: Responsible for: (a) monitoring and auditing the College’s compliance with its obligations under the GDPR; advising the College on all aspects of its compliance with the GDPR; acting as the College’s point of contact with the applicable Supervisory Authority(ies) with regard to the GDPR, including in the case of Personal Data Breaches; and acting as an available point of contact for complaints from Data Subjects.

Accountability Obligations: the obligation(s) under Article 5 and Recital 29 of the GDPR to: (A) comply with the GDPR and retain records demonstrating compliance; (B) implement policies, procedures, processes, and training to promote data protection “by design and by default”; (C) have appropriate contracts in place when outsourcing functions that involve the Processing of Personal Data; (D) maintain records of the data Processing that is carried out; (E) record and report Personal Data Breaches; (F) carry out, where relevant, a Data Protection Impact Assessment on high risk Processing activities; (G) cooperate with the applicable regulator(s) of the GDPR; and (H) respond to regulatory/court action, including, in certain instances, the payment of administrative fines levied by the applicable regulator(s) of the GDPR.

Administrative Safeguards: administrative actions, and policies and procedures, intended/used to manage the selection, development, implementation, and maintenance of Security Measures to protect Personal Data and to manage the conduct of a Controller’s workforce in relation to the protection of Personal Data.

Archival Record: A record whose long term value justifies its permanent retention either to meet the fiscal, legal or administrative needs of the College, or because it contains historically significant information.

College Record: Any form of recorded information, regardless of physical characteristics, that are created, generated, received, and/or recorded as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities, or documents legally filed in the course of college business or in the College’s legal obligations. All Records, regardless of physical characteristics, received, created, generated, or maintained by the College or its employees in connection with the conduct of College business are the sole property of the College.

Confidential Information: Information that must be protected from unauthorized access or public release based on state or federal law. Examples of confidential information include but are not limited to personal information, personal identification numbers, personal identifying information, financial account numbers, medical records, passwords, and student education records.

Confidential Record: A record that contains one or more pieces of personal information or contains information protected from disclosure by law or College policy, including but not limited to, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability Accountability Act (HIPAA), the New York State General Business Law §399-h, and the New York State Disposal of Personal Records Law.

Controller: the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.1.
_________________________________

1. Unfortunately, the Commission did not update the definitions of Controller and Processor to reflect current Processing practices and new technological developments. When Processing was limited to basic situations (e.g., the College asks company X to send an email to alumni on its behalf), the concepts were useful because the roles were more clear (in the example, the College is the Controller and X is the Processor). However, in complex situations involving new technologies such as the blockchain, the Internet of Things (IoT), big data, etc., commentators have suggested Processing be considered subject to joint control.
__________________________________

Data Protection Principle(s): the principles set forth in Article 5 of the GDPR that state that Personal Data shall be: (A) Processed fairly, lawfully, and transparently; (B) Processed only for specified, explicit, and legitimate purposes; (C) adequate, relevant, and limited; (D) accurate (and rectified if incomplete or inaccurate); (E) not kept for longer than necessary; and (F) Processed securely.

Data Subject: an identifiable natural person, i.e., one who can be identified, directly or indirectly, by reference to Personal Data.

Data Subject Rights: the rights set forth in Articles 15-22 of the GDPR, all of which are qualified in different ways, including the Data Subject’s right: (A) to be informed of how his/her Personal Data is being used; 2. (B) of access to his/her Personal Data; (C) to have his/her inaccurate Personal Data rectified; (D) to have his/her Personal Data erased (right to be forgotten); (E) to restrict the Processing of his/her Personal Data pending its verification or correction; (F) to receive copies of his/her Personal Data in a machine-readable and commonly-used format (right of data portability); (G) to object to: (i) Processing (including Profiling) of his/her Personal Data under particular Legal Bases, (ii) direct marketing, and (iii) Processing of Personal Data for research purposes where that research is not in the public interest; and (H) not to be subject to a decision based solely on automated decision-making using Personal Data.
_______________________________

2. This right is usually fulfilled by the provision of “privacy notices” (also referred to as “data protection statements” or, especially in the context of websites, “privacy policies”) which set out how an organization plans to use Personal Data, who it will be shared with, the Legal Bases for Processing, ways to complain, and who to contact in order to exercise Data Subject Rights.
________________________________

Digital Record: A record created, generated, converted, sent, communicated, received, or stored by electronic means. Digital record formats include, but are not limited to, word processing documents, spreadsheets, e-mails, instant messages, text messages, web sites, databases, and scanned images, as well as multimedia files such as audio, graphics, and video. These records, although electronic in format, are treated the same as records in other formats and are subject to the same retention and disposition schedules as similar paper records.

Duplicate Records: A duplicate is an exact replica of the Official Record.

Encryption: A method of hiding electronic information by encoding it into a format that renders it unreadable without access to the encryption key. Encryption is most often used to transmit records or data that contain personal information, personal identification numbers or personally identifying information.

Encryption Key: A password that is required to encrypt and decrypt information, essentially locking and unlocking the data.

General Administrative Records: Records created and maintained by departments as part of routine operations. General Administrative Records are of short-term interest and are not required to be retained. Examples include but are not limited to: daily activity schedules, calendars, appointment books, tickler files, extra copies of correspondence, temporary drafts or personal notes that were not circulated, reviewed, or used to make decisions or complete transactions; temporary files used solely to change the arrangement or format of electronic records; copies of files or extracts of databases created solely to transfer data between systems.

General Data Protection Regulation (GDPR): Regulation adopted by the European Union (EU) in April 2016, with an effective date of May 25, 2018, that protects the personal privacy of residents of the EU and European Economic Area.

Hartwick College Archives: The Archives provide a permanent repository for official records of the College, as well as historical artifacts and records. The Archives are overseen and managed by the college Archivist.

Health Information: Any information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Inactive Records: Records which no longer required in the day to day operations of an organization, but which must be kept to meet fiscal, legal, or administrative needs of the College.

Information System: an interconnected set of information resources under the same direct management control that shares common functionality. An information system normally includes hardware, software, information, data, applications, communications, and people.

International Organization: an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
International Recipient: any Recipient of Personal Data in any country outside of the EEA, other than an International Organization.

Legal Bases or Legal Basis: there is a lawful basis for Processing Personal Data where: (A) there is clear Consent for a specific purpose; (B) the Processing is necessary to comply with the terms of a contract; (C) the Processing is necessary to comply with a Legal Obligation; (D) the Processing is necessary to protect vital interests (e.g., to protect a Data Subject’s life or safety); (E) the Processing is done in the performance of a public task (which has a clear basis in EU law); and/or (F) the Controller’s legitimate interests require the Processing of Personal Data, and this legitimate interest outweighs the Data Subjects’ interests in the privacy of their Personal Data.3.
______________________________
3. This Legal Basis appears broad; however, it generally is meant to be read narrowly, and to serve as a balancing test in which the College’s interests are balanced against a Data Subject’s interest in protecting his/her Personal Data.
______________________________

Legal Hold: Suspends the normal disposition of records due to a pending or anticipated audit, litigation, claim, agency charge, investigation, enforcement action, or an administrative review.

Member State(s): Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.

Official Record: An original record that must be kept for a specific period of time to meet fiscal, legal, or administrative needs of the College. Official records must be stored in hard copy.

Originating Department/Office: The department/office in which an original document or Official Record was created, generated or received.

Personal Data: any information relating to an identified or identifiable Data Subject; specifically including, but not limited to, name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that Data Subject. For clarity, the term Personal Data refers to data that is in either paper or electronic form.

Personal Data Breach: a breach of Security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or Access to, Personal Data.4.
_________________________________
4. The WP29 has identified three categories of Personal Data Breaches: (1) a Confidentiality breach where there is an unauthorized or accidental disclosure of, or Access to, Personal Data; (2) an Availability breach where there is an accidental or unauthorized Loss of Access to, or Destruction of, Personal Data; and (3) an Integrity breach where there is an unauthorized or accidental alteration of Personal Data.
_________________________________

Personal Information: Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify the person.

Personal Identification Number: Any number or code which may be used alone or in conjunction with any other information to assume the identity of another person or access to financial resources or credit of another person.

Personal Identifying Information: Personal identifying information consisting of any information in combination with any one or more data elements of personal information that can be used to determine the identity of an individual. Data elements include but may not be limited to: name, birth date, social security number, driver’s license number, non-driver identification number, account numbers, or mother’s maiden name.
Physical Safeguards: physical measures, policies, and procedures intended/used to protect a Controller’s electronic information systems and related buildings and equipment from natural and environmental hazards, and from unauthorized intrusion.

Policy Suspension: This Policy may be suspended for any record due to a Legal Hold.

Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Process” and “Processed” have a corresponding meaning.

Processor: a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.

Protected Health Information: Any information that is a subset of Health Information and includes Personal Identifying Information collected from an individual.

Recipient: a natural or legal person, public authority, agency, or another body, to which Personal Data is disclosed, whether a Third Party or within an entity, corporation, or affiliated group. Public authorities receiving Personal Data in the context of a particular inquiry in accordance with EU or Member State law are not regarded as Recipients. For this purpose, “public authorities” generally means tax and customs authorities and financial market authorities, receiving Personal Data necessary to carry out a particular inquiry in the general interest, in accordance with EU or Member State law.

Record Retention and Disposition Schedule: A schedule that identifies various records, the medium in which they exist, where the records are stored, and a minimum length of time that a record must be retained.

Record Series: A group of related records that result from the same activity and are kept together as a unit and can be evaluated together for disposition and/or other management purposes.

Representative: a natural or legal person established in the EU who is designated by the Controller or Processor in writing pursuant to Article 27 of the GDPR, and who represents the Controller or Processor with regard to their respective obligations under the GDPR.

Security or Security Measures: all of the Administrative Safeguards, Physical Safeguards, and Technical Safeguards in an Information System.

Secure Digital Destruction: The disposal method for sensitive, confidential, personal information, personal identification numbers or personally identifying information or data from a computer or other electronic storage media.

Supervisory Authority(ies): an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.

The Records Center: A storage area for inactive records which need to be retained for a certain period of time for legal and administrative purposes. In collaboration with the archivist, the department record coordinator and the compliance coordinator will determine what records are stored in the Center.

Some records may be needed for administrative review, audits or as evidence in legal actions. In the event of a pending or anticipated audit, litigation, claim, agency charge, investigation, enforcement action, or an administrative review, a Legal Hold will be placed on all pertinent records regardless of physical format, including e-mails. These records must be preserved, safeguarded and retained for the entire period of the action or proceeding and the time for all appeals has expired even if the record’s retention period has expired.

If the retention period has expired by the time the legal action ends, the records must be retained for at least one additional year after the end of the legal action to resolve any need for the records in an appeal. If the retention period has not expired, the records must be retained for the remainder of the retention period, but not less than one year after the legal action ends.

Premature destruction or disposal of any records with a Legal Hold is expressly prohibited, and if intentional, may result in disciplinary action, up to an including termination of employment and possible civil or criminal penalty.

All employees are responsible for applying administrative, technical, and physical safeguards to appropriately secure all records, paper or digital, from unauthorized access and disclosure, and also to protect the authenticity, accuracy and completeness of information, to prevent information from being destroyed, to protect the privacy and confidentiality of individuals, and to ensure that records are available when needed.

Hartwick College’s User Responsibilities and Appropriate Use Policy outlines the steps employees must take to maintain the integrity of College information.

Some of these responsibilities pertain to the security and access to records and include:

Complying with College, local, state, federal, and/or international laws or regulations regarding access to and use of information.

Taking appropriate action to backup computer systems.

Exercising due diligence in protecting any computers that connect to the Hartwick network from viruses, worms and security vulnerabilities by regularly using anti-virus software.

Keeping technology accounts secure by not sharing privileges (passwords) with others.

In addition to complying with the College’s User Responsibilities and Appropriate Use Policy, all employees must also comply with the Family Educational Rights and Privacy Act (FERPA), The Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Section 203-d of the New York Labor Law to ensure that records and/or access to records containing personal information, personal identification numbers, or a combination thereof are protected from unauthorized access and disclosure.

The level of security and access to a record will vary depending on the content of the record.
To secure and control access to records, employees should:

Control who has access to the record.

Store records, both paper and digital copies, in a secure manner.

Take measures to prevent accidental or malicious destruction.

Create a backup or secondary copy of all digital records, including email messages that meet the criteria of an Official Record.

Protect the transmission of records information by encryption.

In order to assure compliance with FERPA, HIPAA, or any other state, federal, and/or international laws or regulations, the following minimum procedures must be followed for all student, employee, and constituent records:

Any records, data, or files containing health information, protected health information, personal information, personal identification numbers, or personally identifying information or data must be kept in locked file cabinets except when an employee is working on the file. Digital files of the same nature should only be accessible to appropriate personnel.

Any records, data, or files containing health information, protected health information, personal information, personal identification numbers, or personal identifying information transmitted electronically to other appropriate recipients must be protected by encryption.

Any records, data, or files containing health information, protected health information, personal information, personal identification numbers, or personal identifying information transferred by mail or other courier to other appropriate recipients must be sent by traceable means (tracking number). A detailed record of the information transferred must also be maintained.

The College will, to the extent applicable and administratively practicable, comply with the GDPR as part of everyday working practices, by: ensuring Personal Data is managed appropriately through this Policy; understanding, and applying as necessary, the Data Protection Principles when Processing Personal Data; understanding, and fulfilling as necessary, the Data Subject Rights; understanding, and implementing as necessary, the College’s Accountability Obligations; and the publication of data privacy notices outlining the details of how the College will collect and Process Personal Data in a clear and transparent manner.

Individual employees and staff are responsible for: completing relevant GDPR compliance training as advised by the College; following relevant the College policies and procedures including, but not limited to, this Policy; only accessing and using the minimum amount of Personal Data necessary for their contractual duties and/or other the College roles; ensuring Personal Data they have access to is not disclosed unnecessarily or inappropriately; where identified, reporting any Personal Data Breaches, and cooperating with the College to address them; and only deleting, copying, or removing Personal Data when leaving the employ of the College, as agreed with the College, and as appropriate.

The obligations set forth above in this Policy do not waive any personal liability for individual criminal offenses 5. for the willful misuse of Personal Data under applicable data privacy and security laws, including, but not limited to, the GDPR.
_______________________________

5. The College should note that Germany imposes criminal penalties under the FDPA for certain violations, including a “custodial sentence” of up to three years. Our understanding (as of the Compliance Date) is that criminal penalties under the FDPA generally apply to unauthorized transfers of Personal Data that are “commercial” in nature (e.g., where individuals are profiting from illegally selling Personal Data), and are not intended to encompass inadvertent data breaches.
________________________________

The College and its employees must take security precautions to protect any and all records containing personal information, personal identification numbers or personally identifying information or data that needs to be sent to a third party or other location, either within or outside the College.

Any record that contains personal information, personal identification numbers or personally identifying information that needs to be sent to a third party or other location outside of the College, must be transmitted via encrypted communication or stored on devise that is encrypted during transfer.

The encryption key for accessing the information must be transmitted in a separate communication or provided separately, apart from the encrypted device.

An encryption matrix outlining what types of information should be subject to different levels of encryption will be provided by the Office of the Compliance Coordinator.

Official Records should be retained and managed by the department that has primary responsibility for the record and only for the time period established in the Record Retention Schedule.

Records, data and information that are the property of Hartwick College and that which contains any personal information, personal identification numbers, or personally identifying information shall not be stored on personally-owned portable computing devices.

Physical Storage: When storing records in boxes or filing cabinets, consideration must be given for adequate space and accessibility, security, and damage prevention. Record storage boxes and file drawers should be clearly marked with a description that is sufficiently effective to retrieve the information later. Paper records that contain sensitive or confidential information, personal information, personal identification numbers or personally identifying information must be kept in lockable cabinets or drawers when not in use.

The Record Center: Secure storage with restricted access for paper records is available on campus in the Record Center. The Record Center serves as a temporary storage area for non-permanent records, generally with retention periods of five, seven or ten years from date of creation. Each year, the College Archivist, who functions as the records manager, receives written permission from department record coordinators to dispose of records scheduled for destruction. If department record coordinators choose to store files in the Record Center, they should contact the Archivist and follow established guidelines for delivery, retrieval and eventual disposition. The amount of storage capacity in the Records Center is limited and the archivist, department record coordinator and the compliance coordinator will collaborate to determine which records will be stored there. Access to the Record Center is restricted to the archivist, and in his/her absence, to the Library Director’s Office staff. The archivist will retrieve records from the Record Center for department record coordinators or their representatives on request. Permission from a department record coordinator is required for any person from a department other than that in which the records originated to access records stored in the center.

Digital Storage: When storing records in a digital format, consideration must be given for accessibility, security, and loss prevention. A digital backup or paper copy of an Official Record must be maintained throughout the retention period, such that hardware, software, human error or other failure will not abridge the required or suggested retention period of the record. If the only official copy of a record is an electronic copy, a duplicate copy of the record must be stored in an alternative location or medium.

Digital records, although electronic in format, are subject to the same rules and retention periods as those which govern the management of paper records. Backup procedures are necessary to protect and ensure that digital records remain secure and accessible for as long as they are required. Therefore, any Digital Record that is necessary to meet fiscal, legal, or administrative needs of the College, or that contains historically significant information must be secured in one or more of the following ways to protect against information loss or corruption: a paper copy of the Digital Record must be printed; a copy of the Digital Record must be stored on the College’s secure shared network.

Email: Email messages, sent and received, from a @hartwick.edu email address are evidence of the College’s business transactions and activities, are the sole property of the College and are considered College’s Records which are subject to the same rules and regulations as those which govern the management of paper and/or digital records. The content of the email message will determine whether or not it is an Official Record or a General Administrative Record.

Email messages should be treated as an Official Record if the email message meets one or more of the following criteria:

Proves a business-related event or activity did or did not occur.

Demonstrates a transaction.

Supports facts the College claims to be true.

Has legal or compliance value.

Meets a legal or compliance responsibility covered by law or regulation.

Policy, program, and/or procedural directives issued by members of the senior administration team or by directors or supervisors if the email is the only mean of communicating this information.

Records created within email systems, which meet the legal or regulatory requirements of the College, are subject to the same retention periods as the paper or hard-copy versions and must be secured in one or more of the following ways to protect against information loss or corruption: a paper copy of the email must be printed, which includes all the header information (To; From; Date; Subject Line, etc.); a copy of the email and any attachments must be stored on the College’s secure shared network.

The College and, where applicable, its Representative, is required to maintain a record of its Processing activities containing all of the following information: the name and contact details of the Controller, and, where applicable, the (i) joint Controller, (ii) Controller’s Representative, and (iii) Data Protection Officer; the purposes for Processing; a description of the categories of Data Subjects and of the categories of Personal Data; the categories of Recipients to whom the Personal Data has been or will be disclosed, including International Recipients or International Organizations; where applicable, transfers of Personal Data to an International Recipient or International Organization, including the identification of that International Recipient or International Organization and, the methodology permitting International Transfer under Article 49(1) of the GDPR, the documentation of suitable safeguards; where possible, the retention schedule of the different categories of Personal Data; and where possible, a general description of the technical and organizational Security Measures utilized, such as those referred to in Article 32(1) of the GDPR.

All policies, procedures, and other documents relating to the privacy and security of Personal Data will be maintained for at least six years following the effective date of the document. When a policy, procedure, or other document is updated or revised, the previous version of the document should be archived for at least six years following the date the policy, procedure, or other document ceased to be effective.

Any communication that is required to be made in writing under the GDPR should be maintained for at least six years following the date the communication was made or was in effect, whichever is later.

If an action, activity, or designation is required to be documented under the College’s “GDPR Privacy Notice,” then the documentation should be maintained for at least six years following the date it was created or was in effect, whichever is later.

Documentation may be maintained in written or electronic format.

The College will keep records that are sufficient in detail to provide required information by which the document may be checked.

For electronic recordkeeping, the College may apply any reasonable document retention requirements, including, but not limited to, the rules for electronic document retention otherwise contained in this Policy.

Disposing of records is an important element of the records management lifecycle. Keeping records past their retention period may cause confusion and expose the College to unnecessary risk. Records kept beyond their expected disposal date can be requested or subpoenaed and cannot be disposed of once requested, which may increase the College’s exposure during litigation. Therefore, records that have outlived their purpose, have no historical value, or for which there is no legally specified period for retention nor the subject of a Legal Hold, should be disposed of in accordance to this policy and the Record Retention and Disposition Schedules.

When the required retention period for a record has passed, a determination of whether to preserve the record as an Archival Record or to dispose of the record must be made. The department record coordinator should consult with the archivist to make a determination as to whether or not a record will be placed into archives as a permanent, historical record of the College.

If a record is to become part of the archives, the archivist will assume responsibility for preserving and maintaining control over the record.

If the record is not of archival value, the department record coordinator will authorize the disposal of the record according to one of the approved methods for disposal outlined below.

The following are approved methods for the disposal of records:

Recycling/Trash: the standard disposal method for records that do not contain sensitive or confidential information.

Shredding: the disposal method for records that contain sensitive, confidential, health information, protected health information, personal information, personal identification numbers or personally identifying information.

Erasing/Deleting: the disposal method for destroying electronic records that do not contain sensitive or confidential information.

Secure Digital Destruction: the disposal method for sensitive, confidential, health information, protected health information, personal information, personal identification numbers or personally identifying information or data from a computer or other electronic storage media before the devices are recycled, reused, disposed of, or discarded. This method should be carried out in collaboration with the Information Technology department.

Imaging: converting paper records to digital images, microfilm, or other media and then disposing of the paper record by recycling or shredding according to the sensitivity and confidential nature of the paper record.

No records shall be destroyed prior to the expiration of the retention period specified in the applicable Record Retention and Disposition Schedules.

Draft records or documents should be disposed of as soon as they have been superseded by the official version of the record or document.

Duplicate records or documents should be disposed of when they are no longer useful and should never be kept longer that the official copy of the record.

Records that contain Sensitive, Confidential, Health Information, Protected Health Information, Personal Information, Personal Identification Numbers or Personally Identifying Information

In accordance with New York State General Business Law Section 399-h, records that contain sensitive, confidential, health information, protected health information, personal information, personal identification numbers or personally identifying information, must be disposed of by someone who has approved access to the records.

In accordance with the U.S. Department of Health and Human Services HIPAA Privacy and Security Rules, if the College hires an outside entity to dispose of records that contain health information and/or protected health information, the College must enter into a contract or other agreement with the business entity that requires the business entity to agree to appropriately safeguard the records and information contained in the records through disposal.

Concerning individuals protected by the European Union’s GDPR, whether related to the processing, management, correction, and/or disposal of individual information, refer to the Hartwick College Privacy Notice.

The College will retain records in accordance with approved Record Retention and Disposition Schedules available from the Office of the Compliance Coordinator. These schedules describe the official retention period for each type of record, which may change from time to time for various reasons. Department record coordinators in collaboration with the compliance coordinator must do their best to stay abreast of changing requirements so that Record Retention Schedules can be updated accordingly.

Under Article 30 of the GDPR, the College must maintain policies, procedures, and other documentation related to the privacy and Security of Personal Data. Although no specific retention period is stated in the GDPR, the College should maintain documentation for six years following the date the document was created or the date the document was in effect, whichever is later. No particular form of record retention is mandated for paper or electronic records.

Records not listed in the schedule that are substantially similar to those listed should be retained for the length of time required for the substantially similar record.

The Record Retention and Disposal Schedules articulate the definition of various records, the medium in which they exist, where the records are stored, and a timetable for the disposition of records. The purpose of a Record Retention and Disposition Schedule is: to ensure that records are maintained securely, readily available, and retained for administrative, legal and fiscal purposes for the appropriate amount of time; to ensure that legal requirements for record retention are met; to ensure that records with enduring historical and other research value are identified and retained permanently; and to encourage and facilitate the systematic disposal of unneeded records.