Frequently Asked Questions About ISPP-24
ANSWER: Content owners and site managers have a shared responsibility for the privacy notice. This means that functional people or groups who own and/or direct the content for a site should work with the person or group that technically implements the site.
ANSWER: The scope of the policy applies to university web sites, web applications, and web services (collectively referred to as "sites") hosted on university servers or external servers.
According to policy, all sites should have privacy notices. There is a small list of permissive exceptions included in the scope of the policy; see the section beginning "This does not include".
ANSWER: The policy requires that the privacy notice be accessible from at least the home page of the site, and on any page that actively solicits/collects user information, such as a page with a form on it. Some sites simply have a link to the notice in the footer of all pages.
ANSWER: Passively collected user information refers to information that is collected automatically when people visit the site. Web server log information is an example of passively collected information.
Actively collected user information refers to information that site users voluntarily provide, such as through a form, or creating a profile, or choosing account settings.
As a content owner, even if you don't actively collect user information, you should talk with your technical person (i.e. site manager) to see what information, if any, is collected automatically by the web server.
ANSWER: With respect to collected user information, the general principle is that you should say what you do and do what you say. Regardless of the actual language you use, the privacy notice should accurately reflect your practices regarding the collection and use of information from and about the users of your site. We have developed a privacy notice generator tool to assist you in this process.
For specific standards on what content is required, examine ISPP-24-S. It details: notice, choice, access, redress, security, privacy expectations, links to non-university sites, and a declaration of third party data management responsibility.
ANSWER: Often sites like this require users to log in, so that someone who isn't a university employee, student, or affiliate cannot access the site. In cases like this, the site does not fall within the scope of the policy.
For sites that do fall within the scope of the policy, note that the policy uses the language, "as appropriate," before the last two bulleted lists in the procedures section. These are lists of items you should address/consider, "as appropriate," within the context of the information involved and how your site is used. If, due to the circumstances, it's inappropriate for a user to change certain information, it's not required.
Example:
Let's say a student logs in to a web site/application to take a test. If the authentication mechanism prevents people from accessing the site who aren't part of the university community, then the site falls outside the scope of the policy.
Additionally, since it wouldn't be “appropriate” to allow a student to change test answers, it's not required to allow such changes.
ANSWER: Yes. Often this is the unintended consequence of embedding code from social media sites. If your site includes embedded code from a social media site, it is important to provide notice to users.
Example of language you might include:
- User data may be collected by the social media company / third parties;
- IU is not responsible for the data collected by the social media company / third parties; and
- Users should review the social media company's / third party's privacy notice.