1. Who is responsible for developing, posting, and maintaining the privacy notice?
ANSWER: Content owners and site managers have a shared responsibility for the privacy notice. This means that functional people or groups who own and/or direct the content for a site should work with the person or group that technically implements the site.
2. To what web sites does the policy apply? Does my web site need a privacy notice?
ANSWER: The policy applies to university web sites, web applications, and web services (collectively referred to as "sites"), whether they are hosted on university servers or external servers.
Asking whether your site “needs” a privacy notice is the wrong question. All sites should have privacy notices; however, a small list of permissive exceptions is included in the scope of the policy. See “This does not include.”
3. Where do I put the notice on my site?
ANSWER: The policy requires that the privacy notice be accessible from at least the home page of the site, and on any page that actively solicits/collects user information, such as a page with a form on it. Some sites simply have a link to the notice in the footer of all pages.
4. What's the difference between passively and actively collected user information?
ANSWER: Passively collected user information refers to information that is collected automatically when people visit the site. Web server log information is an example of passively collected information.
Actively collected user information refers to information that site users voluntarily provide, such as by completing a form, creating a profile, or choosing account settings.
As a content owner, even if you don't actively collect user information, you should talk with your technical person (i.e., the site manager) to see what information, if any, is collected automatically by the web server.
5. What should be in my privacy notice?
ANSWER: With respect to collected user information, the general principle is that you should say what you do and do what you say. Regardless of the actual language you use, the privacy notice should accurately reflect your practices regarding the collection and use of information from or about users of your site. We have developed a privacy notice generator tool to assist you in this process.
For specific standards on what content is required, examine ISPP-24-S. It details: notice, choice, access, redress, security, privacy expectations, links to non-university sites, and a declaration of third party data management responsibility.
6. I have a web site that collects educational information about students that I don't want them changing later, and yet the policy talks about a user being able to, "modify, or delete" information they've provided. Is this a problem?
ANSWER: Often sites like this require users to log in, so that someone who isn't a university employee, student, or affiliate cannot access the site. In cases like this, the site does not fall within the scope of the policy.
For sites that do fall within the scope of the policy, note that the policy uses the language, "as appropriate," before the last two bulleted lists in the procedures section. These are lists of items you should address/consider, "as appropriate," within the context of the information involved and how your site is used. If, due to the circumstances, it's inappropriate for a user to change certain information, it's not required.
Let's say a student logs in to a web site/application to take a test. If the authentication mechanism prevents people from accessing the site who aren't part of the university community, then the site falls outside the scope of the policy.
Additionally, since it wouldn't be "appropriate" to allow a student to change test answers, it's not required to allow such changes.
7. I heard that by including social media icons / links / feeds on my site, user data may be collected from my site by the social media company or third party applications to which the social media company provides access. Is this true?
ANSWER: Yes. Often this is the unintended consequence of embedding code from social media sites. If your site includes embedded code from a social media site, it is important to provide notice to users.
Example of language you might include:
- User data may be collected by the social media company / third parties;
- IU is not responsible for the data collected by the social media company / third parties; and
- Users should review the social media company / third party’s privacy notice.