Compliance and Ethics

General Data Protection Regulation

GENERAL DATA PROTECTION REGULATION (GDPR) OVERVIEW

  • The General Data Protection Regulation (GDPR) is the European Union law that went into effect on May 25, 2018.
  • GDPR is a privacy law governing how personally identifiable information is used.  Under the GDPR, certain rights are granted to people whose personal data (including special category data) is being collected and processed.  Moreover, certain legal responsibilities are imposed upon those entities controlling or processing personal data.

 

Yes, Article 23 allows member states to make derogations in special circumstances based on specific criteria.   

  • Collect no more data than is necessary from an individual for the purpose for which it will be used; 
  • Obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose;
  • Retain the data for no longer than is necessary for that specified purpose;
  • Keep data safe and secure; 
  • Provide an individual with a copy of his or her personal data if they request it.

Please see below a video explaining more about GDPR which was created by the Wall Street Journal- WSJ.

Although the GDPR is not a law passed in the U.S., it may be applicable to various activities that The University of Southern Mississippi engages in relative to processing, storing or managing EU residents' personal data (i.e. those individuals residing in the EU at the time they access systems in which USM is processing/storing/managing their data).

Additionally, contracts that involve processing of data of individuals in the EU or EEA must contain certain protections.  If you are in the process of negotiating a contract that involves the collection, storage or transmission of data collected from individuals who are in the EU or EEA, please contact gdprrequestsFREEMississippi and provide a copy of the proposed contract along with your contact information as well as the timeline for finalizing the contract.  Do not enter into a contract until the contract has been reviewed for GDPR provisions, as a data processing agreement that contains certain provisions is needed between the data processor (a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller) and the data controller (a controller determines the purposes and means of processing personal data).

Individuals in the EEA (includes the EU plus 3 countries- Iceland, Liechtenstein and Norway):

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Latvia
  • Liechtenstein
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Norway
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom

GDPR rights only apply to those individuals located in the EU or EEA at the time their personal data is processed.

Any request to exercise rights under the GDPR will require that the individual provide documentation:

  • verifying their identity, and
  • verifying they were in the EU or EEA at the time their personal data was processed.   

If an individual is requesting rectification/correction of a record, information must be submitted as to where the error lies thereby justifying rectification. 

NOTE:   Requests by domestic students cannot be honored as the law is only applicable to those individuals who can verify through date-stamped documentation that they were in the EU at the time their personal data was processed.

Within the scope of the GDPR is storage or use of personal data for those actions or activities that:

  • occur in the EU;
  • involve reaching out to EU residents to initiate an offer for goods or services; or
  • record EU residents' activity online or relate to the control or processing of data relative to EU residents (i.e. individuals residing in the EU at the time that the University processes their personal data).

The GDPR takes a wide view of what constitutes "personal data", which includes each of the following:

Basic identity information such as:

  • name
  • address 
  • ID numbers

as well as web data such as:

  • location
  • IP address
  • cookie data and
  • RFID tags

The GDPR also defines what constitutes special category data, which requires that added protections be implemented to protect the data from disclosure: 

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life; or
  • sexual orientation.

If you are in the EEA at the time you access our systems, you may be able to assert certain rights relative to any of the personal data we are processing, but you will have to show proof of your identity as well as of your EU residency to assert any rights under the GDPR.

  • Right to be Informed
  • Right to Access
  • Right to Rectify
  • Right to Erase/to be Forgotten
  • Right to Restrict Processing
  • Right to Data Portability
  • Right to Object
  • Rights in relation to automated decision-making and profiling

Right of Access
A data subject can obtain the following information:

  • confirmation that their personal information is being processed;
  • a copy of the information;
  • supplementary information regarding processing that details each of the following:
    • purpose of processing;
    • categories of personal data concerned;
    • recipients or categories of recipients that have obtained the data subject's personal data or to whom said data will be disclosed;
    • if possible, the length of time that data will be stored (i.e. data retention period), or the criteria used to determine the data retention period;
    • a list of any sources who provided personal data directly regarding the data subject.

Right to Rectification
 
A data subject can request that any inaccurate or incomplete personal data be corrected or that a supplemental statement is added.

  • The University may determine that rectification is not warranted and will provide the data subject with an explanation as well as informing the data subject that they can complain to the Information Commissioner's Office to request a judicial remedy.
  • If the University determines that rectification is warranted, we will contact each recipient who has obtained the data from us and advise them of the need for correction unless doing so results in disproportionate effort.  

Right to Erasure-Individual Rights
Individuals can exercise their right to be forgotten/erasure in the following situations: 

  • if personal data held is no longer necessary relative to the purposes for which it was collected or processed;
  • if consent is withdrawn and consent is the only basis for processing;
  • if the individual objects to the processing of their data and no overriding legitimate ground for continued processing exists;
  • where data has been processed unlawfully;
  • if personal data must be erased to meet a legal obligation.

Right to Restrict Processing 

In the following situations, an individual can request to block or suppress the processing of their data:

  • if an individual contests the accuracy of the personal data, processing will be restricted until the accuracy of said data has been verified;
  • if an individual objects to the processing of their personal data (where processing was necessary to perform a public task or based on a legitimate interest), processing of data will stop for the duration of the investigation aimed at determining if the legitimate grounds override the individual's objection;
  • if processing is unlawful, and the data subject requests restriction rather than erasure;
  • if the University no longer requires the data but the data subject requires it to establish, exercise or defend a legal claim.


Right to Data Portability 
An individual has the right to receive a copy of any personal data provided by him/her to the University in a structured, commonly used and machine-readable format (e.g. CSV).

Categories

The following categories of data are subject to the right to portability:

  • data processed on the basis of consent (Article 6 (1) (a)) or explicit consent (Article 9 (2));
  • data processed on a contract (Article 6 (1) (b)); and
  • data processed by automated means.

Other Information

  • If feasible from a technical standpoint, data will be transferred directly to another controller based on the data subject's request.
  • If the University cannot transfer the data to another controller directly, the data subject will need to arrange his/her own transfer.
  • Information will be provided free of charge in response to an initial request. 

Right to Object

  • Individuals have the right to object to:
    • processing based on legitimate interests or performance of a task in the public interest/exercise of official authority; and
    • processing for purposes of scientific/historical research and statistics.
  • Upon receipt of a right to object request, processing must stop unless:
    • the University can demonstrate that there are compelling legitimate grounds for processing, which override the interests, rights, and freedoms of the individual; or
    • the processing is for the establishment, exercise or defense of a legal claim.
  • If the right to object relates to the processing of data being processed for research purposes, the individual must have grounds specific to their particular situation.
  • Research being conducted for the public interest is not subject to having an individual exercise their right to object and those conducting research of that nature are not required to comply with the request.

Right in Relation to Automated Decision Making and Profiling

  • Individuals have the right not to be subject to decision making based solely on automated processing, including profiling (i.e. use of personal data to make predictions about you).  Decision-making conducted solely through automated means does not involve humans and instead is conducted using technological means using your personal data to base said decisions (e.g. use of an algorithm).  
  • However, automated decision-making is allowed if there is no other way to achieve the same goal to enter or perform a contract or you have given consent to said decision-making.   
  • A reasonable fee may be charged for repetitive requests, manifestly unfounded requests, excessive requests or further copies (Rec. 59; Art.12(5), 15(3), (4)).
  • Payment may be required if multiple requests for the same data are submitted.
  • All rights listed below are available to individuals who can assert them under the GDPR based on being or having been a resident in an EU country who have had their data processed by USM while they were a resident of the EU. 
  • To process your request, we will need verification that you were an EU resident and of your identity.
  • The erasure of your information shall be subject to the retention periods of applicable federal law and the Record Retention Schedule applicable to University records- for additional information click the button below:

INFORMATION ON RECORDS RETENTION PAGE

  • Destruction of records shall be conducted in a manner appropriate to preserve the confidentiality of information relative to the level of sensitivity, value and importance of said data to The University.

  • If you have questions about records retention, please contact Lorraine A. Stuart, Head of Special Collections at Lorraine.StuartFREEMississippi (601.266.4117) or Records Management Specialist Jessica Clark at J.M.ClarkFREEMississippi (601.266.5776).

If the University made personal data public and is obligated to erase the data, The University may refuse the individual's exercise of their right of erasure:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation or the performance of a public interest task or exercise of official authority;
  • for reasons of public health based on a public interest;
  • for archiving purposes in the public interest, scientific research, historical research or for statistical purposes; or
  • to establish, exercise or defend a legal claim.  
  • Requests will be processed within thirty days of submission unless said requests are complex thereby warranting an additional two months for completion. 
  • If a request is determined to be complex thereby requiring an additional two months for completion, the data subject will be notified.
  • We will answer your request (in terms of providing the information requested or explaining why we cannot do so) or request additional information from you within 30 days. 
  • We may extend this process for up to two months, in which case we will notify you of the extension within a month.
  • The processing of this request is free of charge, but we reserve the right as allowed under GDPR Article 12(5), to charge an administrative fee under certain circumstances. 
  • We may refuse to act, as allowed under GDPR Article 12(2) and 12(5) on requests if they are insufficiently substantiated, unfounded or excessive.

The information you provide (including verification of your identity and residency in the EU) will be processed solely for the purpose of verifying your identity and residency and identifying the information you are requesting.

  • If you can satisfy the verification requirements listed above, please review the GDPR Privacy Notice below which includes information on how to submit a request to exercise rights under the GDPR.
  • For more information on the rights listed above, see the Information Commissioner's Office website.

RESEARCH AND THE GDPR

Research is affected if it involves processing of personal data about individuals who are located in the EEA (regardless of whether they are citizens of the EEA) and it:

  • is conducted along with an organization established in the EEA;
  • involves personal information about individuals (collected, stored, shared, analyzed or archived) while they were/are in the EEA (examples include active recruitment of subjects);
  • monitors the behaviors of individuals while they are in the EEA;
  • involves transferring personal data out of the EEA; or
  • involves using personal information protected under GDPR when said information was originally collected.

Processing is defined in GDPR Article 4(2) as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".

As defined by Article 4 of the GDPR, both the data controller and the processor are responsible for protection of personal data. 

The data controller is responsible for ensuring that the data is handled in compliance with GDPR.  According to Article 4, the data controller is  "the natural or legal person, public authority, agency, or other body, which alone or jointly with others, determines the purpose and means of the processing of personal data"; and 

The data processor makes sure that the data is processed in adherence with the conditions set forth in the Data Processing Agreement.  By definition, the data processor is "a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the [data] controller".  

Personal data (i.e. information that allows for the identification of an individual) and sensitive data (i.e. special set of data to be treated with additional security) are both covered by GDPR including, but not limited to the following examples:

Personal Data

  • Name
  • Email address
  • Phone number
  • Social Security Number and other identifying numbers such as military ID, driver's license, state identification card, etc.
  • Location data
  • User names
  • Online identifiers
  • IP addresses
  • Online cookie data
  • Voice

Sensitive Personal Data

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Physical or mental health information
  • Sex life and sexual orientation
  • Genetic and biometric data
  • Research involving human subjects that contains personal data.
  • Research involving animals that collects personal information about the owners of animals.  

Note: The protections provided by GDPR expand beyond the immediate subjects to include third parties. 

Typically, personal data is protected even if it was previously disclosed publicly because GDPR involves both privacy as well as how such data is used.

If data is anonymized, then GDPR does not apply to the personal data. However, to be considered anonymous, a key cannot exist that will make it possible to identify individuals. Hence, HIPAA de-identified information is only considered pseudonymized because a key to the data exists that allows the data to be re-identified.

  • Individuals located in the EEA.  It does not matter if the individual is an EEA citizen or EEA resident.
  • If a citizen of the EEA is located outside of the EEA while participating in a research study, GDPR will not apply as long as none of the organizations involved in the study are in the EEA and the data is not transferred into the EEA. 

Generally, children under the age of 16 cannot consent to have their data processed (including having their responses to research processed) unless such processing is authorized by an individual who is parentally responsible for the child.

NOTE: Member states can consider a child to be less than 16 but no younger than 13 years of age. (See Article 8 of the GDPR)

 

Although Recital 27 of the General Data Protection Regulation indicates that GDPR does not apply to the personal data of deceased individuals, each EEA member state can issue rules relative to the processing of the personal data of deceased individuals.  Some EEA member states have passed such regulations.

If the data is fully anonymized before receipt and your team does not receive a key to reidentify, then GDPR does not apply.  

However, if you receive pseudonymized or personal data that has not been anonymized, then GDPR will apply if any of the following are true:

  • the data was collected by an organization located in the EEA;
  • collected from individuals while they were located in the EEA; or
  • transferred out of the EEA.

Yes, GDPR applies if the personal data is currently being processed, even if it was collected before the effective date, if the data was:

  • collected by an organization located in the EEA;
  • collected from individuals located in the EEA; or
  • transferred out of the EEA.

It does not matter when the data was originally collected, just that it falls under one of the three criteria for being subject to GDPR.

If you can exclude the collection, storage, etc. of personal data from the EEA without adversely affecting your study, then you can apply methods aimed at excluding the collection of such data such as:

  • Using a question to identify if the individual responding to your survey study is in the EEA.  Then, if the individual self-identifies as being in the EEA, discontinue the survey based on that criterion.
  • If you are conducting telephone surveys, always ask those whom you call if they are in the EEA if you are calling them based on a phone number that is not a landline tied to a specific location.
  • If you are mailing surveys, do not mail out surveys to individuals in the EEA.

1) Collect and process only the minimal amount of personal data. Collecting minimal amounts of personal data limits risks to privacy and lessens the risk of noncompliance. 

2) To the degree possible, avoid collecting sensitive information or special/sensitive personal data such as: 

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • physical/mental information
  • sexual orientation and sex life
  • Genetic and biometric data

3) Avoid collecting information about criminal offenses or convictions, as those can only be collected and processed if the research is being conducted under the control of an official authority of an EEA country or if the processing is authorized by EEA or the laws of a member state.

4) If you cannot anonymize the data, pseudonymize it.  Pseudonymization means that you can identify who provided the data using a key that is kept separate from the data set and is protected by both technical and administrative measures.  Keep in mind that reversing pseudonymization without an authorization represents a personal data breach if it places the data subject at risk.

 

What are the University's breach notification obligations?


In the event that there is a data breach involving covered personal data of students, employees, alumni, or vendors, the University will notify the appropriate supervisory authorities within 72 hours, where feasible, after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.

If the breach is likely to result in a high risk to their rights and freedoms, The University will also notify individual data subjects of a data breach regarding their personal data. The notification to data subjects will include the nature of the breach and recommended steps the data subject should take in order to mitigate potential adverse effects. Initial notification may be general in nature and as additional information is known a supplemental notice will be issued.

How does the University handle data transfers?

As needed, The University may transfer personal data outside of the EU and may also share personal data with third party organizations both within and outside of the EU. Where personal data is shared, The University will require that appropriate safeguards be implemented to protect the personal data. Safeguards include but are not limited to: requiring third parties to sign data security contracts (i.e. Data Protection Agreements (DPAs)) and anonymizing data.


 

SUBMIT A GDPR REQUEST

HOW TO SUBMIT A REQUEST

Click on the button below to submit a GDPR request.  Click to login using SOAR user name and password; and then click on service request.

CLICK TO SUBMIT A GDPR REQUEST

 


OTHER GDPR RESOURCES

Access the full text of the GDPR-
Review the exact text of the regulation by clicking the button below

READ THE GDPR


GDPR PRIVACY NOTICE

 READ OUR GDPR Privacy Notice