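This document sets forth the Data Privacy Standards for the website of the University of Texas at Austin (“University”) and provides information about the collection, maintenance and use of personal information or data provided to or otherwise collected or processed by the University.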
The purpose of this policy is to establish a generally applicable University-wide data privacy standard and to provide interested persons with information about the University’s collection, maintenance and use of personal information or data regardless of the lawful bases under or legitimate purpose for which the information was obtained. Subject to state and federal law, the University intends for this policy to be compliant with the European Union’s (“EU”) General Data Protection Regulation (“GDPR”).
The Data Privacy Standard applies to all domains within the University Web and to any other University action or process concerning the collection, processing, analysis and other data processing of personal information regardless of the method by which such information came to be owned and/or controlled by the University.
The University, by and through its academic, research and administrative units and programs, owns, controls, operates and/or maintains websites under a number of domains (collectively, “University Web”). While this policy applies across campus, some University websites may have additional policies and practices regarding privacy that must also be followed. The University’s Data Protection Officer in consultation with the Chief Information Officer must approve any such “local” policies prior to the policy’s implementation.
University websites may contain links to external third-party websites over which the University has no control. The University disclaims any responsibility for the privacy practices or the content of external websites regardless of a link to such websites being displayed on the University Web.
For the purposes of the policy, “processing” means obtaining, recording or holding information or data, or carrying out any operation or set of operations on the information or data, including – organization, adaptation or alteration of the information or data, retrieval, consultation or use of the information or data, disclosure of the information or data by transmission, dissemination or otherwise making available, or alignment, combination, blocking, erasure or destruction of the information or data. A “data subject” is a phrase that refers to the person to whom personal data relates.
4. Required Link
5. What is ‘personal information’ or ‘personal data’?
‘Personal information’ or ‘personal data’ means any information that relates to a person or identifies a person as an individual.
The University obtains personal information when a person fills out and submits an application to attend or work at the University along with any additional information the person submits to the University before or after they submit an application. Persons may also provide the University personal information when they apply for an EID from the University or seek financial aid or visit certain parts of the University Web or make use of University Health Services or similar student or employee services.
Beyond the application process or University services that a person requests, the University may also acquire personal information when a person seeks to interact or do business with the University or to participate in research or other activities offered by the University. As discussed elsewhere in this policy, some pages on University websites (and those of third parties) use “cookies” to collect information about web users. University Web servers (“Web Server”) may also “collect” information about people by generating temporary logs that may contain the following information:
- Internet address (IP address) of computer being used
- Web pages requested
- Referring Web page
- Browser used
- Date and Time
The data collected on the University Web are used in aggregate by IT custodians to tune the University Web site for its efficiency and are not ordinarily associated with specific individuals. Raw data from the Web server logs are shared only with the administrators of each University website. Summary reports produced from the logs help University Web publishers determine what University Web browsers and pages are most popular. For example, if the aggregate reports show that a particular University Web page is very popular or is used more by freshmen than by seniors, the publisher may use this information to tailor the content of the page so that it is easier to find.
Individual data gathered through a specific process, such as the submission of an application for admission to the University, related submissions, and subsequent interaction with admissions staff, will only be used for its intended purpose, such as consideration of an applicant's admission or employment decision, or for certain archiving, research, or statistical purposes described below. Personal information may also come from third parties who are authorized to provide personal information to the University.
The University may use personal data it collects for a specific purpose and further process that personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (“research purposes”). Processing for research purposes will be subject to appropriate safeguards, including the use of data minimization and pseudonymization wherever possible. The University will anonymize the personal data it uses for research purposes whenever the University can fulfill the purpose without the need of identification of the personal data subject. The University is not required to provide notice to data subjects when it further processes personal data for research purposes.
Further processing of personal data for research purposes is only permitted when the purpose of the processing is to support the University. Further processing of personal data by researchers for their own research purposes is not permitted unless the researcher follows the University’s processes for human subject research, if applicable, and the researcher provides any required notice to data subjects.
Cookies are small pieces of data stored by the Web browser. Cookies are often used to remember a user's preferences and information about pages visited. For example, when a person visits some sites on the University Web, they may see a “Welcome back” message. The first time the person visited the site, a cookie was probably set on their computer; when they return, the cookie is read again. A person can configure their web browser to refuse to accept cookies, to disable cookies, and to remove cookies from their hard drive as needed.
University Web servers use cookies in the centralized authentication system known as UT EID. The University uses these cookies so that users will not have to repeatedly enter user names and passwords when they go to different parts of the University Web. Normally, a person is required to enter a UT EID when they request data about themselves or to ensure that they are a member of the University community. For example, students who want to check their admission status or staff members who complete time sheets must enter their UT EID so the system knows who is requesting the data. This login process uses Secure Sockets Layer (SSL) so the user name and password are encrypted between the Web browser and our Web server.
8. Third-party content on UT Websites
Some pages within the sustokes.net domain may contain content provided by external third parties. For example, a sustokes.net website may contain a graphic logo or a third-party script. Specifically, the following code within a sustokes.net page would represent an example of third-party content:
<img src="http://www.other-org.com/logo.gif" alt="Sample" />
The University does not transmit any information to these third parties as part of such a request. However, when a person visits sustokes.net pages that contain third party content, information, such as their IP address, date, browser, and requested page, is transmitted from their computer to that third party.
The University processes personal data for a number of reasons, including to meet its contractual obligations, the legitimate conduct of its business operations, and to comply with applicable law. Sometimes, consent is the basis for processing personal data. In these cases, the University will seek the data subject's consent to process their personal data and to share that data with third parties. Processing personal data provided to the University by the data subject or by an authorized third party, like their high school or a national testing service, enables the University to identify the data subject; engage in processing an application or other submission to the University; or verify information already provided to the University.
The University may also use or disclose personal data for the following statutory or public interest purposes: to prevent or detect fraud; to monitor equal opportunity; to better serve the needs of students with disabilities with reasonable accommodations; or for research and statistical purposes, the latter purpose relying only on aggregate data.
Furthermore, the University processes personal data either necessary for the University to take steps with a view to creating a contractual relationship with a person (e.g. to assess an offer of services to the University) or for the purposes of a legitimate interest of the University pursued by the University (e.g. equal opportunity monitoring). The University requires persons to provide the University with certain information during the application process in order to assess their application properly except where providing personal information is marked as optional. Neither admission nor employment decisions are automated.
10. Google Analytics
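Some University Web websites use Google Analytics, a web analytics service provided by Google, Inc. Google Analytics uses cookies to collect information such as URLs, Internet domain and host names, browser software, and the date and time that the user visits the site. This information is used to monitor the effectiveness of the website and to consider potential improvements to the website. This information is non-personal and is transmitted to and stored by Google on its servers. The University does not share any specific information about particular users.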
11. Security and Accuracy of Confidential Information
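The University makes every effort to ensure that the personal information provided is accurate. Users with a UT EID can view and update personal information, such as address and email address, at UT Direct.
Although no computer system is 100% secure, the University has deployed extensive security measures to protect against the loss, misuse, or alteration of the information under our control. These security measures and our systems are audited by certified independent security experts. See Information Resources Use and Security Policy http://security.sustokes.net/policies/irusp#standard12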
12. Plan to Respond to Data Breaches
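The University has policies and procedures in place in case of a data breach or some other incident that places information held by the University in jeopardy. Any individual who believes a data breach has occurred must immediately notify the Chief Information Security Officer, who will investigate the alleged breach and, if necessary, consult with the University's data breach response plan team and the affected department to remedy the breach, including providing any required notices.
See the following two policies for the University's complete data breach policy (UT EID Required).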
ISO Incident Management Procedures
Personally Identifiable Data Breach Notification Plan
In certain circumstances, the University may be required to provide notice to affected individuals or certain governing authorities if a data breach results in disclosure of personal data.
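Several sites within the University Web allow users to pay for products or services online with a credit card. Unless otherwise noted, these transactions are encrypted. It is University policy to only use confidential information that a user enters during a transaction for the purposes described in that transaction, unless the site specifically states other uses.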
14. Open Records Requests and Other Sharing of Information
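Except for educational records governed by the Family Educational Rights and Privacy Act (“FERPA”) or information made confidential by other law, all information provided to and collected by University websites, including the summary server log information, emails sent to the University Web, and information collected from University Web forms, together with any other form or type of document or other instrument containing personal data, may be subject to the Texas Public Information Act. Such information may also, in the legal context, be subject to disclosure requirements or other legal requirements that call for the release and disclosure of personal data or information. The same is true for any personal information obtained by the University through other means such as written submission or communications with previous schools or employers.
The University does, upon explicit request of users, share information with other parties and gather information from other private data providers. For example, the University receives test scores from testing agencies and sends transcripts to other schools. This is done only at the request of users.
As well as circulating application and related materials to the appropriate staff at the University and its various departments and colleges, the University will, where necessary, share personal data for the purposes described above with the following: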
- School/college or training organizations;
- Examination boards or testing services;
- Governmental bodies, including local authorities; the Teachers’ Retirement System; UT Workers Compensation; and other agencies or private actors, such as health care providers, where the circumstances require that certain personal information be kept confidential;
- Other Higher Education organizations, in order to assist with tracking and research into access to Higher Education; and
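- Companies or organizations providing specific services to, or on behalf of, the University and/or one or more of its constituent colleges, schools, departments or programs.
Unless specifically required under public information requests filed under the Texas Public Information Act or otherwise compelled by lawful means, or as a party to a legal action, it is against University policy to release confidential information gathered through University websites, such as pages visited, or personalized preferences. For example, the University's portal, UT Direct, enables users to customize what they see on their personal pages. This information is not shared with external third parties unless required by law.
Consistent with FERPA and other applicable privacy law, the University does not release students' personal information, other than public directory information, to other parties unless the University receives explicit written consent, is required to do so by law, or for other legitimate ends of the University. Students can learn more about directory information in the University's General Information Catalog. Examples of directory information include name, address, and date of birth. Enrolled students may restrict the release of their directory information by contacting the Registrar's office.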
15. Public Forums
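The University makes some public chat rooms, forums, message boards, and news groups available to its users. The University does not ordinarily log public chat sessions; however, any information a user discloses in these areas becomes public information, so users should exercise caution when deciding to disclose confidential information in these places.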
16. Online Surveys
The University is a research institution. At any given time, the University conducts a large number of online surveys on the University Web. It is University policy only to use personal information gathered in these online surveys for the research purposes indicated in the survey. Unless otherwise noted on the specified survey, answers are confidential and individual responses will not be shared with other parties unless required by the Texas Public Information Act or as otherwise compelled by law. Aggregate survey data may be shared with external third parties.
17. Who will process my personal information?
The University will internally share the personal information it receives from applications and other information submitted to the University in accordance with the University’s policy and practice. Various university staff and faculty may be involved in processing personal data for the purposes for which the University obtained the data. In some instances, third-party vendors engaged by the University to assist with data processing may process personal data. Data subjects have the right to be informed of such third parties' processing of their personal information.
18. What personal information will be processed?
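For students, the University will use the details they provide in their application, together with any supporting documents or other forms of information the applicant may provide when applying. For the purposes of this policy, an “application” includes the online application, application fee, an essay, three short answer prompts, your high school transcripts, any college transcripts, test scores, major-specific items, resume, letters of recommendation (not required) and, if applicable, permanent residence card, student information form, course work form and residency affidavit. Different application forms may apply depending on citizenship/residency status.
In addition to the application form, the University will use details from the transcripts of each senior college the applicant attended. Where an applicant seeks admission into graduate programs in accounting and nursing, the University will make use of information from the applicant’s transcripts from all junior and/or community colleges attended as well as past test scores. Individual graduate programs have additional requirements that may require the University to use additional materials. The same applies to any letters of recommendation received. The University may also rely on personal information arising from student conduct investigations or hearings.
For faculty and staff, the University will process personal information received in an application for employment or through an interview as well as other means, formal and informal, and maintain records of employees. For example, faculty may wish to participate in certain health care/insurance plans offered by third-party vendors who have contracted with the University to provide them. Participation in these programs may require the sharing of sensitive data with the relevant third party, such as an insurance carrier. The University will also use tests or evaluations to assess various aspects of faculty and staff performance. Such information may form part of grievance or disciplinary proceedings.
Data subjects have the right to access the personal data the University holds about them. Data subjects also have the right to ask the University to correct any inaccurate personal information the University holds about them. In some cases, data subjects may ask the University to erase personal data, to restrict the processing of their personal information, or to object to the University's processing of their personal information.
There are several laws, including FERPA and the Health Insurance Portability and Accountability Act (“HIPAA”), that give data subjects certain rights so far as it pertains to their personal information.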
Also, as a general rule but subject to certain exceptions, schools must have written permission from the parent or adult student in order to release any part of the student’s education records.
HIPAA provides certain personal data rights to patients who receive health care services at covered entities. The University is a hybrid entity, which means that certain departments at the University, including, but not limited to, University Health Services (“Health Services”) and the Dell Medical School, are subject to HIPAA. Each University department that is subject to HIPAA will provide a Notice of Privacy Practices to patients detailing their rights under HIPAA, including their personal data rights. For example, data subjects can view the Notice of Privacy Practices provided by Health Services at the following link: http://healthyhorns.sustokes.net/images/pdf/privacypractices.pdf.
Texas Public Information Act
The Texas Public Information Act, with a few exceptions, gives individuals the right to be informed about the information the University collects about them. It also gives individuals the right to request a copy of that information, and to ask the University to correct any information that is wrong. Requests to receive and review any of that information, or request corrections to it, may be made by contacting the University's director, Office of Financial Affairs, PO Box 8179, Austin, Texas, 78713 (email: email@example.com).
The GDPR is the European Union's General Data Protection Regulation, which took effect on May 25, 2018. The GDPR’s intent is to regulate the gathering, use and maintenance of personally identifiable information about a natural person and to provide certain rights to the data subject, such as the right of erasure and the right to object to the use of personal data. This law applies to any person, citizen or not, who is located in the EU at the time of data collection. It does not require an entity, like the University, to be located or acting within the EU for jurisdiction to attach; however, a non-EU entity like the University must process personal data related to the offering of goods or services in the EU or to the monitoring of a person’s behavior in the EU for jurisdiction to attach.
You have the right to request access to, a copy of, rectification, restriction in the use of, or erasure of your information in accordance with all applicable laws. The erasure of your information will be subject to the retention periods of applicable federal and state law and the University’s Record Retention Schedule. If you have consented to the use of your information, you have the right to withdraw consent without affecting the lawfulness of the University's use of the information prior to receipt of your request. Data subjects may exercise their rights by contacting the University's Data Protection Officer.
University employees who receive a request by a Data Subject to have their data forgotten or who have other questions regarding the rights of Data Subjects provided by the GDPR should contact the University’s Data Protection Officer.
20. How long is my information kept?
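The University is an agency that must follow a records retention schedule, which may be found at: http://financials.sustokes.net/hbp/part-20/2-1-records-management-services-documents. Generally, the University retains applicants' admission or employment records for the following periods: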
- Applicants for admission who do not matriculate into the University: one year after the semester during which an individual applies for admission to the University;
- Applicants for employment who are not hired: two years from the end of the fiscal year during which the individual applies for employment; and
Some departments may be subject to other laws that require the department to keep certain personal information for a prescribed period.
21. Who can I contact for assistance or to complain?
Students who have questions about how their personal information is used, or who wish to exercise any of their rights, may consult this policy and contact the academic affairs office, an ombudsperson http://ombuds.sustokes.net/, or the office in charge of their primary field of study (major). They may also contact the Registrar’s office. http://registrar.sustokes.net/
Faculty may seek assistance from their department chair, the Dean of their college or equivalent position, a representative of the Faculty Council or the Provost's office, or the ombudsperson http://ombuds.sustokes.net/.
An employee should contact their immediate supervisor first, and then if necessary proceed up the chain of command. Employees are also free to contact the Ombuds office http://ombuds.sustokes.net/.
22. Are changes made to this webpage?
This webpage was last updated in June 2018. It is reviewed when necessary and at least annually. The University will post changes here and may notify users through this webpage and/or by email.
23. Additional Information re: IT Use and Security
- Acceptable Use Policy for University Students (includes Privacy provision)
- Information Resources Use and Security Policy
- Network Monitoring Standards
- GDPR FAQs
|Date||Change description||Original text|
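Updated document structure to match IT policies; added change log, authoritative source, and scope. Added ARL to the list of approved departmental policies. Added the concept of IT custodians to the "Information We Collect" section. Updated "Purpose" section.
Updated links to the ISO glossary of technical and security terms and the General Information Catalog. Added a paragraph clarifying the requirement for links on UT websites. Added a paragraph to include a change log for the Web Privacy Policy itself.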
Each university Web site that contains official university information must contain a link for "Web Privacy" that links to this page.
Added section about use of Google Analytics.
Removed Applied Research Labs (ARL) exception.
Adjusted policy to align with GDPR.