Compliance and Ethics
GDPR Privacy Notice
Page Content
- The GDPR provides the aforementioned rights only to those individuals who have been in the EU and can verify that they have been in the European Union (EU) or the European Economic Area (EEA) at the time their personal data was processed by the data controller (i.e. USM). Click here to view a list of the countries included in the EU and the EEA.
- Any request to exercise rights under the GDPR will require that the individual provide
documentation:
verifying their identity, and - verifying they were in the EU or EEA at the time their personal data was processed.
NOTE: Request by domestic students cannot be honored as the law is only applicable to those individuals who can verify through time-stamped documentation that they were in the EU at the time their personal data was processed.
If you are able to meet the verification requirement, please be sure to read the entire Privacy Notice before moving forward with submitting a request to exercise rights under the GDPR. Information on how to submit a request to exercise rights under the section labeled Submit a GDPR Request near the bottom of this page.
The University of Southern Mississippi ("USM") is committed to protecting the privacy of personal data. In compliance with the General Data Protection Regulation (GDPR) effective as of May 2018, we are issuing this notice to outline how we collect, use and disclose personal and special category data provided by students, faculty, applicants, alumni, donors, research subjects and any and all other individuals disclosing personal and/or special category data, which is subject to the GDPR.
This notice addresses how USM processes your personal data if you are an individual with rights under the General Data Protection Regulation (GDPR).
- Data controller is the person, company or other body that determines the purposes and means of personal data processing. For purposes of this notice, USM is the data controller.
- Data Processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
- General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and harmonizes data privacy laws across Europe, to protect and empower all EU citizens with data privacy while also reshaping the way organizations across the region approach data privacy. For additional information about the GDPR see the EU Data Protection page.
- Personal data is defined as any information relating to a person who can be directly or indirectly identified in particular by reference to specific data collected or provided by you. Examples include name, email address, IP address, online identifier, and identification number. Additional examples relate to an individual's physical, physiological, genetic, mental, cultural, economic or social identity.
- Personal data breach is a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data.
- Sensitive personal data otherwise known as special category personal data includes race, genetic data, ethnic origin, religious or philosophical beliefs, trade union membership, health data, genetic data or biometric data, sexual orientation, and criminal convictions.
- For other pertinent definitions see Article 4 of the GDPR.
Data (both personal and sensitive in nature) is collected, processed, and may be shared/transferred both internally and externally (i.e. with third party vendors contracted to perform functions for USM who are subject to both confidentiality as well as safeguarding measures focused on preventing unauthorized disclosure) in order to satisfy contractual, statutory, or public interest purposes, including, but not limited to:
- Responding to initial requests for information about the University
- Recruiting, evaluating and managing those applying for or admitted to programs (in-person or online)
- Registering and advising individuals
- Designing and implementing education programs as well as services, activities or to provide reasonable accommodations
- Facilitating participation in study abroad programs
- Monitoring academic progress
- Assessing and improving educational offerings using both general demographics as well as statistical research
- Meeting state and federal reporting requirements and to comply with applicable laws
- Enforcing University policies
- Processing applications for employment
- Completing audits
- Maintaining accreditation
- Processing financial aid requests including reporting to appropriate federal and state government agencies
- Managing student accounts
- Assisting with the completion of visa sponsorship for study, work or research at USM, as appropriate to comply with applicable immigration laws
- Assigning or facilitating housing requests for those residing on campus while enrolled
- Exercising scientific and historical research
- Maintaining relationships with alumni or donors through notifications of services, donations, fundraising as well as other functions
- Archiving purposes in the public interest
- Having entities affiliated with the University contact you about goods, services or other information that may be of interest to you
Data that has been de-aggregated or de-identified can be shared without any limits being placed on such disclosure.
De-identified and Aggregate Information: Once data has been de-identified or anonymized (per Recital 26 of the GDPR, data is
anonymized when it can no longer be used to identify an individual/data subject (i.e.
removing personal information so that it becomes impossible to identify individuals
) or aggregated (set forth in a summarizing manner that does not allow identification),
we may disclose said data without limitation.
NOTE: Pseudonymized data or data in which information that personally identifies an individual has been replaced with random numbers or symbols is still considered to be information on an identifiable natural person subject to GDPR because re-identification is possible.
Under the GDPR, data can only be processed if it is being processed based on one of the basis listed below (i.e. legal basis) [see Information Commissioner's Office page on Lawful Basis for Processing]:
Consent- if an individual provides clear consent for processing their data for a specific purpose.
Those consenting for processing of their data must be 16 years old or older, as consent is only valid from those 16 or older) [see Article 8 of the GDPR].
- Consent is only valid if it is freely given and not a condition of receiving a product or service unless the information being provided is required for the delivery of the product or service; and a mechanism for withdrawing consent must be provided that includes an active and unamibiguous opt-in approach without use of any automatically checked boxes indicating consent. For valid consent, the purpose and use for which consent is being sought must be clear and prominently present.
- Contract-if data must be processed to execute the terms of a contract with the individual or if they have asked for certain steps to be undertaken before entering into a contract.
- Legal obligation-if processing data is required to comply with the law (unrelated to any contractual obligations). This includes laws issued by any municipality, state, the federal government, any nation or an international entity.
- Vital interests- if the personal data must be processed to protect the life of an individual who is legally/physically unable to consent.
- Public Task-if data must be processed to execute a task for the benefit of the public (i.e. (to facilitate performing such tasks as teaching and research)or as part of an officials job duties, or the task or function is clearly allowed by law.
- Legitimate interest- if the data controller or processor has legitimate interests in having data processed that are not overridden by the interest in protecting an individual's personal data.
If you (the Data Subject) have previously provided the University with consent relative to processing your Personal Information, you can withdraw your consent at any time. However, the University can lawfully collect, use, and share your Personal Information until you notify us that you have withdrawn your consent. The University reserves the right to use information that has been anonymized given that it does not personally identify the Data Subject.
| Purpose | Legal Basis |
|---|---|
| To help the University learn more about you and your interests | Legitimate interests of the University - legitimate interest in learning the educational needs of potential students and program participants |
| To help you learn more about and/or apply for the University and its programs by giving you access to or sending you relevant information about university programs and events | Legitimate interests of the University - legitimate interest in making potential students and program participants aware of the University's offerings |
| To respond to requests for information about admission to the University or about participating in online courses or other programs at the University | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To recruit, evaluate, and manage persons who apply to the University for admission, take courses at the University, participate in programs offered by the University, or attend the University, either in person or online, and to perform related activities needed to foster and maintain these relationships | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To operate and facilitate registration and participation in online and in-person education programs, including those relating to professional licensing requirements | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To evaluate applications for and administer financial aid, including reporting to relevant federal and state government agencies | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To facilitate application for and sponsoring of visas to study, work and/or research at the University, including all functions necessary to comply with applicable immigration laws | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To assign housing and facilitate housing requests for individuals studying or participating in programs at or through the University | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To conduct study abroad programs offered by or coordinated through the University | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To provide on-campus and distance learning information technology and other services to students, including network, authentication and help desk services | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To respond to an individual’s request for records relating to an individual’s time at the University, such as transcripts, tax documents, employment documents, etc. | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To respond to an individual’s request for records relating to an individual’s time at the University, such as transcripts, tax documents, employment documents, etc. | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To engage the services of an independent contractor and all uses the incident to that engagement | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To employ persons to work for the University and all uses incidental to that engagement including but not limited to evaluation and management of employees and administration of employee benefits | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To conduct transactions and business with individuals, such as processing payments made by credit card to the University and payments made by the University to you | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To host and allow individuals to attend and participate in University events, including educational, artistic, and sports camps and sporting events | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To facilitate review and evaluation of University programs, including academic, sports, and other programs, by accrediting organizations, government entities, third-party ranking organizations, and other appropriate bodies | Legitimate interests of the University - legitimate interest in providing and maintaining a world-class higher education experience at the University |
| To promote safety, integrity, and security of the University’s information technology systems | Legitimate interests of the University – legitimate interest in maintaining IT and network security |
| To protect the University community, including you, and to keep its members safe wherever they are located | Legitimate interests of the University – legitimate interest in physical security |
| To report salary data to social security or tax authorities and otherwise comply with applicable EU or Member State laws | Necessary for compliance with a legal obligation |
| To allow individuals to visit University facilities | Legitimate interests of the University - legitimate interest in physical security |
| To facilitate and administer the reservation and use by individuals of University facilities | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To facilitate the use of volunteers and to evaluate and manage individuals who volunteer to assist the University in any capacity, and to perform related activities required to foster and maintain these relationships | Legitimate interests of the University—legitimate interest in physical security |
| To respond to subpoenas, court orders, agency requests, and other legal requests for records relating to an individual’s time at the University, such as transcripts, tax documents, employment documents, etc. | Legitimate interest of the University – legitimate interest in complying with U.S. and state laws and not being held in contempt of court or having penalties imposed |
| To engage third parties to collect sums owing to the University or to otherwise take action to collect outstanding debt from an individual | Legitimate interests of the University—legitimate interest in recovering sums owed to it and enforcing its legal claims whether in or out of court |
| To respond to proper requests for information as required by the Illinois Freedom of Information Act and the U.S. federal Freedom of Information Act | Legitimate interests of third parties—legitimate interest in the publication of data for purposes of transparency and accountability |
| To stay connected with University alumni | Legitimate interests of the University—legitimate interest in communicating unsolicited non-commercial messages |
| To allow and facilitate individuals to perform research at or with the University | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To utilize individuals as subjects of research performed at or through the University, and to perform related activities required to foster and maintain this relationship | Consent |
| To facilitate the provision of medical treatment and the filing of claims for payment from insurance companies and/or government agencies | Consent |
| To raise funds to support the University and its programs | Consent |
We will not utilize your personal information to carry out any wholly automated decision-making that affects you.
Appropriate technical and organizational security measures are in place aim to protect data when transmitted and once stored in systems which we directly control and systems which we control through a third-party vendor.
USM websites use cookies, which are small data files that are placed on your computer when you visit a site to identify you and personalize your visit for maximum enjoyment. The cookie file contains information such as a user ID to track pages visited. Any personal information contained in a cookie is only the information supplied directly by you.
Review the Information Privacy Statement for additional information.
- USM retains your data pursuant to applicable state and federal law, and in adherence
to the specific retention periods that apply to such data.
If a request is entered for data destruction, it will only be processed if doing so does not contradict state or federal law, including but not limited to, data retention rules. - If subject to the previous paragraph, it is determined that data destruction (exercising right to be forgotten) is not barred by federal, state (including data retention rules), any destruction of data shall be conducted in the manner that best preserves and ensures the confidentiality of the information based on the sensitivity, value and how critical the data is to the University.
- Rights Available Under GDPR
- Right to request access
Right of data portability
Right to restrict processing
Right to erase
Right to rectify
Right to object
Click here for additional information from the Information Commissioner's Office (ICO) regarding exercising the rights listed above.- Please note that the University is subject to federal and state laws, including but not limited to the Family Educational Rights and Privacy Act, that may require that we request, process and retain and report on certain types of data. These legal obligations may also affect actions we would be permitted to take in response to a request to exercise your GDPR data rights, especially the right to have your data erased.
- For general information on these rights, please see the Information Commissioner's website.
Erasure of data shall be subject to the retention periods of applicable state and federal law. USM adheres to specific records retention schedules.
See the Information on Records Retention Schedules page for additional information.
If you have provided consent to the use of your data and USM is not processing your
data under any other legal basis, you have the right to withdraw consent, and USM
will no longer be able to process your data (i.e. effective as of the data the request
is received).
Withdrawal of consent does not affect the lawfulness of the University's use of the
data prior to receipt of your request to withdraw consent.
Data created in the European Union may be transferred out of the European Union to the University. If such a transfer occurs, the University will adhere to the requirements of the General Data Protection Regulation to ensure that adequate technical and organizational controls are in place. If the transfer involves USM’s third-party vendors, USM will monitor the transfer to ensure that adequate technical and organizational controls are implemented.
- Personal data may be shared if it has been made public by the individual. Your personal information may be shared with relevant staff as needed based on one of the legal grounds for processing personal data.
- For purposes of enrollment, providing services, contractual compliance, or in compliance with legal requirements, your data may be shared with external organizations, including, but not limited to:
- Agencies of the State of Mississippi
- Agencies of the United States Government
- Employment process: To administer employment or social security benefits in compliance with the applicable laws governing such disclosure with appropriate safeguards in place to prevent unauthorized disclosure.
- Non-governmental partners
- Those funding/lending your monies for enrollment
- Providers of any external/collaborative learning and training placements or fieldwork opportunities
- Auditors, examiners, and assessors external to the institution
- Relevant professional or statutory regulatory bodies
- University student organizations, clubs, and societies relative to your membership in such organizations
- International, federal, state and local authorities and as needed, police and other law enforcement
- Legal Obligation: To full legal requirements based on international, federal and state laws and regulations.
- As needed, entities affiliated with The University (e.g. The USM Foundation)
- University-Affiliated Programs/Entities: To affiliated programs or entities so that they may contact you about goods, services, charitable giving or about services/events that may be of interest to you.
- Companies or entities providing services to or on behalf of The University
- Third Party Providers: To third parties who perform functions for the University based on a contract that requires them to maintain the confidentiality of data and safeguard data from unauthorized disclosure.
- Those conducting research for public benefit:
- Archiving: To further historical research and for statistical analysis being conducted in the public interest.
- After you graduate a core record of your studies is retained indefinitely so that the details of your academic achievements can be confirmed and for statistical or historical research.
- Your contact and core personal details are passed to the Alumni office while you are still a student so that you can be added to the alumni database.
To create a work request, navigate to the Help Desk window by clicking the iTech link below:
Link to iTech website
Then click on the Need Help button to access the work request system.
You will need to submit verification of your identity and verification that were in the EEA. Upload that documentation along with your request and indicate which right you are asserting.
Not all requests will be processes.
Requests may be denied based on any of the following:
- to abide by applicable laws, regulations or other laws
- to comply with a University legal obligation;
- in the pursuit of a legal action;
- to detect and monitor fraud; or,
- for the performance of a task in the public interest.
If you feel the University has not complied with applicable foreign laws regulating such data, you can contact us at the email address listed above. Alternatively, you can file a complaint with the appropriate supervisory authority in the European Union. To find the appropriate authority, view the Data Protection Authority list.
Send an email to:
GDPRrequestsFREEMississippi%C2%A0
NOTE: Identity verification and verification of presence within the European Union (EU) or European Economic Area (EEA) during the time when personal data was processed must be submitted. Additionally, you will need to specify that data with which you are concerned and specific which right you are asking to exercise.
This notice may be updated or changed at any time. Continued use of the USM website after any updates to the notice affirms your acceptance of any changes to the notice. This page was last updated on April 13, 2023.