INFORMATION TECHNOLOGY

Web Privacy

UNIVERSITY OF TOLEDO (UT) WEB PRIVACY STATEMENT

 The University of Toledo, recognizes and values the privacy of the university community members and its guests. UT is committed to protecting your privacy and is taking a proactive approach to appropriately manage, secure, and keep private and confidential the personal data entrusted to us.

This UT Web Privacy Statement is meant to provide you a broad overview of our activities that require the processing of personal information and our approach to protecting privacy. Students, faculty, staff, and other users in our community are also directed to the Responsible Technology Use Policy.

The University of Toledo does not actively share personal information gathered from our Web servers.  However, because UT is a public institution, some information collected from the university website, including information from our server logs, e-mails delivered to the university, and information collected from Web-based forms, may be subject to the Ohio Public Records Act. This means that while we do not actively share information, in some cases we may be compelled by law to release information gathered from our Web servers.

The University of Toledo also complies with the Family Educational Rights and Privacy Act (FERPA), which prohibits the release of education records except in limited circumstances, (e.g., with the student's permission, to parents of dependent students, and in response to a valid court order). UT has a dedicated webpage detailing the ways in which UT complies with FERPA and Confidentiality. Although FERPA regulations apply only to students, University of Toledo is equally committed to protecting the privacy of all visitors to our website. UT also complies with the applicable provisions of the Health Insurance Portability and Accountability Act (HIPAA)

SHARING OF INFORMATION

Unless required by the Ohio Public Records Act, it is against university policy to release information gathered through the Web, such as pages visited or personalized preferences. The University of Toledo does not sell or rent your personal information.

UT will only share information about you to other parties when one or more of the following conditions apply:

• • We have your consent to share the information;
  • We need to share your information to provide the service or product you requested (e.g., the university receives test scores from testing agencies and will send transcripts to other schools at the student’s request).
  • We need to send your information to companies who work on behalf of UT to provide a service or product to you;
  • The information in question is considered directory information consistent with FERPA regulations. Directory information includes: student name: local address and local phone number; permanent zip code; college or major field of study; full-time or part-time enrollment status; class (e.g. freshman, sophomore, etc.); university e-mail address, dates of attendance; degrees, certificates and awards received, student activities; student photograph; and graduate medical education placement (MD students only); and, 
  • We have legal authorization to do so (e.g., respond to subpoenas, court orders, or any other legal process).

 IF YOU SEND US PERSONAL INFORMATION

Personal information is defined as any information that relates to an identified or identifiable individual. UT generally collects personal information in the following circumstances:

• • When you knowingly, voluntarily, and directly provide it to us by (e.g., sending emails, completing membership forms, registering for classes or other programs, responding to surveys, or ordering merchandise). If you provide us with personal information, we will normally respond to your inquiry, request, or order; we may also contact you to provide information about college activities, programs, membership and development opportunities, and special events that may interest you. It is university policy that confidential information you enter is used only for the purposes described in that transaction, unless an additional use is specifically stated on that site.
  • Through automated processes (e.g., through use of learning management tools, or interaction with our websites, including information you provide us through technology, such as through a cookie placed on your computer when you visit our websites); or
  • From other organizations for legitimate, specific purposes (e.g., transcripts for admissions purposes).

While it is difficult to provide a detailed picture of all the personal information we collect and use at the institutional level. In general, however, we collect and use the following categories of information at an institutional level:

• • About our prospective students: personal and family information related to the application and financial aid process (e.g., supporting documentation, identification, contact information, and data related to ethnic origin, if the prospective student wants to disclose such data);
  • About our students: information submitted as prospective students, information related to their academic record, their academic performance, and video images on campus;
  • About our faculty and staff: identification, contact information, biographic information, information related to remuneration, to benefits, to family members, information related to performance at work;
  • About visiting scholars and exchange students: identification, contact information, biographic information, possibly data related to health;
  • About subjects to our research projects: as needed, identification and contact information, together with all information that is produced and observed in relation to the subject as part of the research project;
  • About our alumni: identification and contact information, donor information;
  • About website visitors: the internet domain from which a visitor accesses the website, the IP address assigned to the visitor’s computer, the type of browser the visitor is using, the data and time of visit; and,
  • About patients treated through University of Toledo Medical Center or UTP: identification and contact information, data related to health and billing.

 WHY WE PROCESS YOUR PERSONAL INFORMATION

We only process your personal information for legitimate and specific purposes and to facilitate the various operations of the University.

While it is difficult to provide a detailed picture of all the personal information we process at the institutional level. In general, however, we process the following categories of information at an institutional level:

• • Personal information of our undergraduate and graduate students and prospective students to facilitate admission and to provide higher education services;
  • Personal information of our permanent or temporary faculty members and staff to manage their employment;
  • Personal information of visiting scholars and of exchange students to facilitate their visit to our campus. Personal information of subscribers to our online courses to provide them those courses and track their attendance and involvement in the course;
  • Personal information of persons who register to participate to conferences, symposia and other events we organize;
  • Personal information of our alumni to keep them engaged in our community;
  • Personal information of patients for the purposes of delivering healthcare;
  • Personal information of individuals who agree to participate to our research projects;
  • Personal information of visitors to our general website or to our other affiliated websites; and,
  • Video images recorded by our video security system for the purposes of ensuring physical security and to protect our property.

We may occasionally process other personal information for various legitimate and specific purposes. When these situations occur, we will endeavor to inform you of such occasional processing activities.

WHO HAS ACCESS TO YOUR INFORMATION

UT does not sell your information to third parties, and does not share it with third parties for purposes other than supporting the legitimate interests and operations of the University.

We use a variety of third-party services to help fulfill the University’s business. We strive to be diligent with confidentiality, privacy and security standards that we require from all our service providers, and we strive to require that they only use your personal information for the purposes of providing those services.

Linking

Within our website there are links to non-UT websites. When you link to third-party websites, you leave UT's website and no longer will be subject to our privacy policy. The University of Toledo is not responsible for the privacy practices or the content of non-UT websites, and such links are not intended to be an endorsement of those sites nor their content.

HOW WE SECURE YOUR INFORMATION

UT recognizes the importance of maintaining the security of the information it collects and maintains, and we endeavor to protect information from unauthorized access and damage. UT strives to ensure reasonable security measures are in place, including physical, administrative, and technical safeguards to protect your personal information.  UT follows the guidelines prescribed in the university’s Information Security Framework policy.

Encryption

UT uses encryption to prevent third parties from accessing sensitive data, such as passwords, e-commerce information, etc. You are normally required to enter a UT User ID and password when you request data about yourself or to ensure that you are a member of the university community. For example, students who want to check their grades or staff members who complete time sheets must enter their UT User ID and password so the system knows who is requesting the data. This login process uses Secure Sockets Layer (SSL) so the user name and password are encrypted between the Web browser and our Web server.

Several sites within University of Toledo enable you to pay for products or services online with a credit card. These transactions are encrypted. Questions about security concerns involving credit card transactions may be directed to ITSecurityOffice@utoledo.edu

INFORMATION COLLECTED AND STORED AUTOMATICALLY

Information Collected

If you visit our website, we automatically gather and store the following information about your visit so that we can track the use of our website to make improvements. This automatically collected information is stored and used in the aggregate only, and is not under normal circumstances used to contact you personally. Information may include:

• • The IP address from which you access our website;
  • The name of the domain from which you access the Internet (e.g., aol.com, if you are connecting from an America Online account);
  • The type of browser and operating system used to access our website;
  • The date and time you access our site;
  • The pages, files, documents, and links that you visit; and,
  • The Internet address of the website from which you linked to this website.

 In addition, the University of Toledo collects information from users that visit utoledo.edu or through University of Toledo contracted-for third-party advertising and marketing providers (e.g., Google Analytics, and Google Adworks). Information collected may include:

• • Content viewed during the visit
  • Date and time of visit
  • Amount of time spent on the website
  • Visitor location based on IP address
  • Demographic information

The University of Toledo website also may provide opportunities for site visitors to voluntarily provide personally identifiable information, such as their email address, name, telephone number or street address.

WHAT CHOICES YOU CAN MAKE ABOUT YOUR INFORMATION

To enhance your experience, we may place “cookies” on your computer or device. Cookies are small pieces of data stored by the Web browser, often used to remember information about preferences and pages you have visited. By setting preferences in your browser, you can refuse to accept cookies, disable cookies, and remove cookies from your hard drive.  Some University of Toledo Web servers use cookies so you will not have to repeatedly enter user names and passwords when you go to different parts of the website.

When you access utoledo.edu, the following cookies may be placed on your device, depending on your web browser settings. Our website uses the following types of cookies:

DoubleClick Cookies
Purpose: DoubleClick, which is run by Google, uses cookies to improve advertising. The cookies collect information specific to your browsing activity and keep it linked to your unique cookie ID. See DoubleClick’s cookie policy . 
Opt-out: You can opt out of Google’s add personalization from Google Ads Settings .

Google Analytics Cookies
Purpose: Google Analytics cookies count visits and traffic sources in order to measure and improve the performance of our website. See details about Google Analytics’ usage of cookies on websites and privacy policy . 
Opt-out: Find out more about managing cookies through your browser .

CrazyEgg Cookies
Purpose: CrazyEgg Cookies provide information on how visitors use our website. See here the Privacy Policy and the Cookie Policy of CrazyEgg. 
Opt-out: Find out here on how to opt out .

Responsible Internet advertisers also have tools to opt-out or control advertisements and tracking: 

• • http://www.networkadvertising.org/choices/
  • https://choice.microsoft.com/
  • https://support.google.com/ads/answer/2662922?hl=en
  • https://www.facebook.com/help/769828729705201/

Social Media Plugins

Some of the pages on our website have embedded social media sharing buttons. Social media platforms use cookies or other tracking technologies when a button is embedded on our website. We do not have access to, or control of, any information collected through these buttons. The social media platforms are responsible for how they use your information. For specific privacy controls on how these buttons track how users access our website, see the cookies policies of Twitter , Facebook , Pinterest , LinkedIn , Instagram and YouTube .

Directory Information

Students may also restrict the release of their Directory Information[1] by selecting the Update Directory Information/Release Status option in the Student tab on the myUT portal or by contacting the Office of the Registrar.

HOW THIS INFORMATION IS USED

The University of Toledo collects and uses information about user visits to allow the university to monitor website performance, make improvements to site navigation and content, and better market to prospective students and other audiences.

The university may also collect and use personal information provided by site visitors for educational programs (e.g., related to admission), administrative purposes (e.g., related to employment), or university engagement (e.g., attending a university sponsored event).

We may occasionally process other personal information for other legitimate and specific purposes. When these situations occur, we will endeavor to inform you of such occasional processing activities, since transparency is one of our core principles for using personal information for the purposes for which it was collected.

NOTICE SPECIFIC TO PERSONS WITHIN THE EUROPEAN UNION: European Union General Data Protection Regulation (GDPR) Privacy Notice

If you are located in the EU, then our processing of your personal information may fall under Regulation 2016/679 (the General Data Protection Regulation, or the “GDPR”).  The GDPR webpage contains additional information and resources.

GENERALLY

GDPR provides broad privacy protections to individuals physically located in the European Union European Economic Area (data subject(s)).  Under certain circumstances, GDPR may apply to University of Toledo’s activities in the European Union (EU) and the European Economic Area (EEA)[2] (e.g., when a student attends a study abroad program or when a faculty member is temporarily working in the EU/EEA).

GDPR explicitly confers numerous rights upon data subjects located in the EU, and requires covered organizations to put significant safeguards in place regarding the use and processing of personal data of EU subjects.  Personal data is defined very broadly under GDPR, and consists of any information relating to an identified or identifiable person and includes a person’s name, identification number, location data, online identifier, or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person.

The University of Toledo must comply with the regulation and ensure that personal data is: 

• • Processed lawfully, fairly and in a transparent manner;
  • Collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Limited to what is necessary in relation to the purposes for which they are processed;
  • Accurate and kept up to date;
  • Retained only as long as necessary; and
  • Secure.

SPECIFICALLY

CONSENT

The conditions for consent have been strengthened under GDPR, as companies are no longer able to utilize long illegible terms and conditions full of legalese. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​  Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

 LEGAL BASIS FOR PROCESSING

When subject to GDPR, the University of Toledo must have a lawful basis to process a data subject’s personal data.  Although there will be some instances where the processing of personal data will be pursuant to other lawful bases (e.g. processing necessary to protect the vital interests or safety of a data subject, processing related to legal action involving the university, etc.), generally speaking, University of Toledo will likely process personal data relying on one or more of the following lawful bases: 

• • For the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (e.g., online applications you submit; the information provided when enrolling; the payment information we process for tuition; employment agreements, etc.);
  • For the purposes of the legitimate interests pursued by UT or by a third party (e.g., our legitimate interest to maintain a community for alumni);
  • For compliance with any other legal obligation to which UT is subject; and;
  • Pursuant to the consent of a data subject for special categories of personal data and/or one or more specific purposes.

 TYPES OF PERSONAL DATA PROCESSED

 In order for the university to achieve its core mission, it is essential and necessary for the University of Toledo to process personal data of its students, employees, applicants, research subjects, alumni, and others involved in the university’s educational, research, and community programs.  UT processes personal information for various lawful reasons, including, without limitation, academic admissions and enrollment; student registration; residence life; delivery of classroom, on-line, and study abroad education programs; administration and oversight of recreation programs, student organizations, and other various student affairs activities; distribution of grades, materials, and other communications by and among students, faculty, and staff; employment; applied research; program development and analysis; job hiring and employment; provision of medical services or health insurance; engagement with the community at-large; compliance with its internal policies, procedures, and guidelines, as well as all applicable federal, state, and local laws; and records retention. 

 Personal data processed by the university typically includes name, address, email, phone number, transcripts, work history, financial information, information for payroll, research subject information, medical and health information (for admissions, student health services, travel, etc.), and donations. If you have specific questions regarding the collection and use of your personal data, please email us at GDPRinfo@utoledo.edu

 If a data subject refuses to provide personal data that is required by the University of Toledo in connection with one of UT’s lawful bases to collect such personal data, such refusal may make it impossible for UT to provide education, employment, research, or other requested services.

 WHERE THE UNIVERSITY OF TOLEDO GETS PERSONAL DATA

 UT receives personal data from multiple sources, most often directly from the data subject or under the direction of the data subject who has provided it to a third party (e.g., application for admission to UT through use of the Common App, UT App, profession specific apps, etc.).

INDIVIDUAL RIGHTS OF THE DATA SUBJECT UNDER GDPR

The University of Toledo is committed to facilitating the exercise of the rights granted to you by GDPR in a timely manner. Subject to all other applicable laws and regulations, including all laws of the United States of America and the State of Ohio (USA), data subjects have following rights under GDPR: 

• • To access personal data;
  • To be provided with information about whether and how we process your personal data;
  • To correct or modify your personal data;
  • To have a copy of your personal data that allows for further use, including by other data controllers;
  • To object and/or restrict how we process your personal data;
  • To have your personal data deleted (erased); and,
  • To withdraw consent at any time, for all the processing operations that are based on your consent.

To exercise the above rights, data subjects should email us at GDPRinfo@utoledo.edu. Please note that when you make requests based on these rights, if we are not certain of your identity, we may need to ask you for further personal information to be used only for the purposes of replying to your request. UT will consider and process a data subject’s request within a reasonable period of time.  Please be aware that under certain circumstances, GDPR or other applicable law may limit a data subject’s exercise of the above rights.

 SECURITY OF PERSONAL DATA SUBJECT TO GDPR

 University of Toledo will comply with all of its published data protection polices in the processing of a data subject’s personal data. UT follows the guidelines prescribed in the university’s Information Security Framework policy.

 DATA RETENTION

We strive to keep personal data in our records only as long as necessary for the purposes they were collected and processed. Retention periods are specified in the Records Retention Manual and the Medical Records Retention Policy.   

CONCERNS

If you have any concerns or questions about how your personal data is used, please email us at GDPRinfo@utoledo.edu.  We will promptly respond to your request and do our best to address your concern. However, if you believe we have not been able to deal with your concern appropriately, in accordance with Article 77 of the GDPR, you have a right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement of the GDPR.

PRIVACY NOTICE CHANGES

This privacy notice is updated, as necessary, to reflect current collection methods and usage of website visitor information. 

CONTACT

If you have any questions about this Privacy Statement, or if you find UT Web pages that do not adhere to this statement, please email us at ComplianceOffice@utoledo.edu.