C07.0 Privacy Policy
- RIT/
- University Policies/
- Policies/
- Governance Policy Library/
- Section C: General University Policies/
- C07.0 Privacy Policy
I. Purpose
The purpose of Rochester Institute of Technology's Privacy Policy is to clarify the legitimate expectations of privacy by those individuals who live in RIT Housing, are present at RIT Facilities or at RIT events, who use RIT Information Systems, and whose Personal Information is used by RIT.
II. Scope
This Policy and its Procedures applies to all RIT Community Members and RIT Guests and is considered part of the conditions of housing, employment and participation in university sponsored events or programs. This Policy applies at all times, while on the university campus, at university sponsored events, during employment related activities, or during non-working time such as lunch, breaks, and before or after work periods. Nothing in this Policy replaces existing university policies that may be related to the receipt, storage, and use of Personal Property or Personal Information. The principles and standards set forth in this policy do not replace the requirements of applicable local, state, federal, or international law. All RIT Community Members are expected to comply with applicable laws pertaining to their conduct, including but not limited to, data privacy laws.
III. Policy Statement
Individual privacy and security are highly valued by our society but it has limitations at a private educational and research institution such as RIT. The right to individual privacy must be balanced by the other community values and needs consistent with the university's educational mission, its obligation to protect and maintain its property, information systems and resources, preserve the health and safety of RIT Community Members and RIT Guests, and to comply with applicable laws and regulations. The university is committed to protecting the privacy of:
-
RIT Property, RIT Facilities, RIT Housing, and RIT Information Systems;
-
Personal Property of RIT Community Members and RIT Guests; and
-
Personal Information
IV. Definitions
-
“Employee(s)” means all individuals employed by the university, including but not limited to, all regular faculty and staff, adjuncts and student employees, and those persons who are under contract or assignment by the university. RIT’s Employee Work Classification Policy (E01.0) further defines employee classifications.
-
“Legitimate University Reason” means a purpose consistent with RIT’s educational and research mission, its obligation to protect and maintain its property, information systems and resources, preserve the general health and safety of RIT Community Members and RIT Guests, and to comply with applicable laws and regulations.
-
“Personal Information” means any information concerning a person which, because of its nature, can be used to reasonably identify such person. Personal Information may be received, stored, and used in electronic form, on paper, or through any other medium.
-
“Personal Property” means any physical item owned by an RIT Community Member or RIT Guest, including but not limited to clothing, handbags, wallets, backpacks, briefcases.
-
“Personal Electronic Devices” means Personal Property which are mobile devices, laptops and similar electronic items not provided or paid for by RIT.
-
“RIT Community Member” means Employees, Students and student organizations, alumni, volunteers and trustees.
-
“RIT Facilities” means any physical location owned or leased by the university, its subsidiaries or affiliates, wherever located.
-
“RIT Guest” means any non-RIT Community member within or utilizing RIT Facilities, RIT Property, or RIT Guest Information Systems.
-
“RIT Guest Information Systems” means those portions of the RIT Information Systems designated for RIT Guest use.
-
“RIT Information Systems” means all information technology devices and services (e.g., email, computers, telephones, printers, servers, networking devices, etc.) involved in the processing, storage, accessing, and transmission of information, which is provided, owned, or maintained by RIT. Except where specifically noted, all references to RIT Information Systems in this policy includes RIT Guest Information Systems.
-
“RIT Housing” means the various housing options provided by RIT, including but not limited to, the residence halls, bedroom suites, apartments, Greek housing and the student section of the RIT Inn and Conference Center.
-
“RIT Property” means any physical item owned, controlled, or leased by the university including but not limited to computers, laptops, mobile devices, desks, filing cabinets, offices and similar items. RIT Property does not include Personal Electronic Devices.
-
“RIT Record” means the original or copy of any document, communication, or similar item generated or received by the university or on its behalf, which must be held for official business or regulatory purposes. RIT Records do not include records that are not created in the official course of business, serve no legitimate or necessary business purpose, or are created for personal purposes only.
-
“Student” means Undergraduate Students, Graduate Students, non-matriculated Students and Students in not-for-credit programs.
V. General Provisions
-
Privacy Principles and Standards. The following privacy principles and standards shall guide the university with respect to the privacy of Personal Information, the inspection of Personal Property, and the use of RIT Facilities, RIT Property, and RIT Information Systems.
-
The university shall collect, store, use or disclose Personal Information in a manner that ensures appropriate security of the Personal Information.
-
The university shall limit the collection, storage, use or disclosure of Personal Information to what is reasonably necessary for its academic, research and administrative functions.
-
RIT Community Members and RIT Guests who have access to Personal Information through employment at or affiliation with the university shall use the Personal Information solely for the purpose for which access was granted.
-
When necessary and as required by the university in its sole discretion, the university shall implement mechanisms to ensure Personal Information is used and protected in accordance with this policy including, but not limited to, requiring nondisclosure and/or data protection agreements as a condition of access to Personal Information.
-
Use of Personal Information for purposes other than that for which access was granted is prohibited and shall result in disciplinary action up to and including termination, or the commencement of student conduct proceedings.
-
-
The university shall retain Personal Information only as long as necessary for the purpose for which it was collected, in accordance with the RIT Records Management Policy (C22.0), or as required by applicable law and regulation.
-
When required by applicable law, the university shall obtain the prior written consent of individuals before collecting, storing, using or disclosing Personal Information.
-
All RIT Facilities, RIT Property, and RIT Information Systems are subject to access and inspection by the university in accordance with the principles and standards set forth in this Policy and other existing policies and procedures. Such access and inspection shall occur when there is a Legitimate University Reason to do so, or as otherwise provided for in this Policy.
-
Inspection or retention of Personal Property shall only occur under the following conditions:
-
RIT vice presidents (or their designees) may authorize the inspection or retention of Personal Property through the issuance of a written or verbal authorization to that effect, stating that they have reason to believe that a law or an university policy has been or is about to be violated, and that the inspection or retention may either yield the information or item necessary to prove the existence of such violation or prevent danger or harm to individual(s) or property. For inspection or retention of Personal Property owned by RIT students, except in the limited circumstances described in this section, IV.A.7, authorization shall be issued by the vice president for Student Affairs (or their designee).
-
In the case of an immediate threat of harm to RIT Community Members, RIT Guests, RIT Facilities, RIT Property, or RIT Information Systems, inspection or retention of Personal Property may be approved by RIT Public Safety without authorization from an RIT vice president (or their designee).
-
University personnel who conduct inspections or retentions of Personal Property will, except where prohibited by law:
-
Provide reasonable notice of an inspection except in the event of an immediate threat of harm to RIT Community Members, RIT Guests, RIT Property, or RIT Information Systems;
-
Allow the individual whose Personal Property is the subject of the inspection or retention to be present while the inspection or retention is conducted. If that individual cannot be located, or refuses to be present, the inspection or retention can go forward without that person’s presence; and
-
Create a record of the Personal Property retained, and provide a copy to the individual.
-
-
RIT reserves the right to inspect or retain Personal Property of anyone on or entering RIT Facilities when such inspections are related to the attendance at an event (e.g., concerts, sporting events, community events, etc.).
-
Law enforcement officials may also search and/or seize Personal Property but are generally required to have a court order, subpoena or a search or arrest warrant. If RIT is served with a court order or subpoena for Personal Property of an RIT Community Member or RIT Guest, which is being transported or stored in RIT Facilities or RIT property, RIT will attempt in good faith to notify the individual affected before complying with the subpoena, if permitted.
-
Failure to allow inspection or retention of Personal Property in RIT Facilities, RIT Housing or RIT Property, when such inspection or retention is permitted by this Policy, shall result in disciplinary action up to and including removal from RIT Facilities, RIT Property, or RIT Housing, termination for staff, the commencement of dismissal for cause for faculty, or student conduct proceedings.
-
-
The university may remove from or limit access to RIT Facilities, RIT Property, or RIT Information Systems with or without notice to RIT Community Members or RIT Guests, upon the sole discretion of the university, when such removal or limitation is in furtherance of a Legitimate University Reason.
-
Incidental and occasional personal use of RIT Information Systems by RIT Community Members is permissible. Such incidental and occasional use shall not subject Personal Electronic Devices utilizing RIT Information Systems to access or inspection, except as follows:
-
Access and inspection of Personal Electronic Devices utilizing RIT Information Systems shall occur when required by applicable laws, regulations, or in response to a validly issued subpoena or law enforcement request.
-
Whenever possible, and if allowed by applicable laws, regulations, validly issued subpoena or judicial request, access and inspection of Personal Electronic Devices will occur with notice.
-
When required, access and inspection of Personal Electronic Devices shall only include information maintained by RIT and shall not include any personal data maintained solely on the Personal Electronic Device.
-
-
RIT Guests that wish to use RIT Information Systems must use RIT Guest Information Systems. Such use shall be subject to access and inspection, with or without notice, at the sole discretion of the university. RIT Community Members utilizing the RIT Guest Information Systems in the same manner as an RIT Guest shall subject their Personal Electronic Devices to access and inspection in accordance with the provisions of this policy.
-
The university shall not retain any records or logs relating to Personal Electronic Devices used to access RIT Information Systems by an RIT Community Member (except to the extent required to provide such access), unless required by applicable laws, regulations, or in response to a validly issued subpoena or law enforcement request. Whenever possible, and if allowed by applicable laws, regulations, validly issued subpoena or judicial request, the RIT Community Member shall be informed of this requirement to retain records or logs.
-
The university may maintain records or logs relating to Personal Electronic Devices used to access RIT Guest Information Systems. Such records or logs shall be maintained in accordance with the provisions of the RIT Records Management Policy (C22.0).
-
The university shall use video surveillance systems and audio recordings responsibly and in accordance with applicable law.
-
Responsible use of video surveillance and audio recording systems shall be limited to where there is a Legitimate University Reason.
-
Whenever the university uses or proposes to use video surveillance or audio recording systems, the Privacy Officer and Department of Public Safety shall review the system to ensure compliance with this Policy and may require specific video/audio surveillance system requirements.
-
Whenever the university uses video surveillance systems and/or audio recordings it shall provide conspicuous notice of such systems, unless prohibited by applicable laws, regulations, validly issued subpoenas, or law enforcement requests.
-
Video and audio recordings shall be maintained in accordance with the provisions of the RIT Records Management Policy (C22.0).
-
-
The university shall comply with written requests from law enforcement officials and governmental entities for access to or inspection of RIT Information Systems, RIT Facilities, or RIT Property. Such access or inspection may occur with or without notice, but when allowed by applicable laws and regulations and when consistent with the principals and standards of this Policy, the university will attempt in good faith to notify RIT Community Members whose Personal Information will be impacted by the access or inspection before complying with the request.
-
-
Existing RIT Policies and Procedures. The university has established privacy policies that cover particular types of Personal Information, consistent with applicable laws and regulations. RIT expects adherence to the requirements of these policies at all times. The mere absence of a specific policy does not relieve any individual in the RIT Community of the responsibility to collect, store, use, disclose, and protect the Personal Information of others in accordance with the provisions of this Policy. Other policies and procedures include, but are not limited to:
-
Personal Information. Privacy Statement;
-
Student Records. Educational Records Policy (D15.0);
-
Alumni Information. Alumni Information Confidentiality Policy;
-
Health Care Information. Medical Records Confidentiality Statement;
-
Human Subjects Research Information. Protection of Human Subjects in Research Policy (C5.0);
-
RIT Information Systems. Information Security Policy (C8.1); and
-
RIT Records. Records Management Policy (C22.0).
-
-
Privacy Advisory Committee
There shall be a standing Privacy Advisory Committee that shall offer guidance and information to the Privacy Officer regarding this Policy and its implementation, and may bring forth any questions or concerns raised by a member’s respective governance body, division, or by other RIT Community Members.-
Faculty Senate, Staff Council, and Student Government shall each appoint two members to the committee. The vice presidents and provost shall each appoint one committee member to represent their division.
-
Each committee member shall serve at the pleasure of the governing body, vice president or provost who appointed the committee member.
-
The committee shall meet at least once during each fall and spring semesters.
-
-
Privacy Officer
The university shall have a Privacy Officer to further its commitment to privacy and compliance with the provisions of this Policy. The RIT Privacy Officer shall be appointed by the Office of Legal Affairs and work with departments and divisions to ensure compliance with the principals and standards of this Policy. The primary obligations of the Privacy Officer are to:-
Oversee and update RIT privacy policies and statements, as needed;
-
Chair the Privacy Advisory Committee;
-
Oversee risk assessments related to the management of Personal Information;
-
Develop training materials and oversee training and education about RIT policies and legal requirements to protect and manage Personal Information;
-
Respond to privacy incidents and complaints.
-
Responsible Party: Office of Legal Affairs
Effective Date: Approved December 11, 1996
Policy History:
Revised April 26, 2006
Edited August, 2010
Revised May 2020