Privacy Notice
Privacy and Protection of Personally Identifiable Information Policy
BOT Approved: April 16, 2019 (Note: The "Data Security" portion of this policy was approved by the Board on January 15, 2019 as a stand-alone policy. The "Privacy" portion is new and was added 03.13.19 and approved by FFSTC on 3.15.19 and CC on 4/5/19). Procedure update 2/18/2020.
Purpose
This Privacy and Protection of Personally Identifiable Information Policy describes our practices regarding the most common ways we collect and use personal information, and assigns accountability for the protection of Personally Identifiable Information ("PII").
Policy Statement
Garrett College ("Garrett") is committed to respecting the privacy of information and data that may be used to identify you (your "personal information"). Garrett has adopted this policy to govern the collection, use, and retention of PII.
Additionally, this policy offers guidance to employees on the protection of PII and the use of technology, as these are two of the College’s most important assets. It is everyone’s responsibility at Garrett to preserve and protect our data, especially PII; therefore, compliance with this policy is of utmost importance to the College and is mandatory.
This policy applies to all PII collected, maintained, transmitted, stored, or otherwise used by Garrett in the conduct of its operations, regardless of the medium in which the information is stored. The audience for this policy includes all employees, contractors, and volunteers, and any third parties who have access to non-public Garrett PII or other Garrett technology resources.
Additional college policies that cover the privacy and protection of PII include: Privacy of Student Records Policy, Employee Records Policy, and the Public Information Policy. Each of these policies is available on the Policies and Procedures page of the Garrett College website, at https://www.garrettcollege.edu/policy. If there is any conflict between this policy and any other Garrett policy, the policy that is more restrictive or privacy protective shall take precedence.
Definitions
"FERPA" – the Family Educational Rights and Privacy Act of 1974, a federal law (20 U.S.C. § 1232g; 34 CFR Part 99) that protects the privacy of student education records. The law applies to all schools receiving funds under any applicable program of the U.S. Department of Education. FERPA applies to all education records, credit and non-credit, of any student who is 18 years of age or older or who attends a post-secondary institution at any age.
"GDPR" – the General Data Protection Regulation, a European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA.
"PII" stands for Personally Identifiable Information and is any sensitive, non-public information that can be used to identify a specific individual, including but not limited to:
- An individual’s name (first name or first initial and last name), phone number, or address, in conjunction with any of the following data elements:
  - Social security number;
  - Driver’s license number or other state identification number or foreign country equivalent;
  - Passport number;
  - Credit and/or debit card information;
  - Financial account number;
  - Any number or code, or combination of numbers or codes, such as an account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account.
COLLECTION, USE, AND DISSEMINATION OF PERSONAL INFORMATION
Applicants and Prospective Students
Personal Information Collected
Garrett collects and uses personal information about applicants and other prospective students (referred to collectively as "applicants"). If you are or have been an applicant, we may collect and use the following types of personal information about you:
- Information and supporting documentation that you provide in your application;
- Related application materials;
- Information that you have permitted a third party, such as The College Board, to release;
- Contact information for prospective students that we receive from other institutions and from vendors who conduct advertising activities for us;
- Financial information, including financial information about your family members (i.e., information collected in connection with applications for financial aid, loans, and scholarships).
How Personal Information Is Used
Your personal information is used primarily to evaluate your application and related activities, such as evaluating requests for financial aid, communicating with you about your application, and other administrative functions related to the admissions and enrollment process. We may also use or disclose your personal information for the following purposes:
- To consider requests for accommodations pursuant to the Americans with Disabilities Act;
- For research and statistical purposes;
- To provide you with information about Garrett and events that you might be interested in attending;
- For compliance with legal obligations, to respond to subpoenas, court orders, or other legal process, and to enforce our agreements;
- To prevent or investigate fraud or other unlawful activity, and to protect the security of Garrett’s property, website, and other systems;
- To meet the obligations of organizations tasked with accreditation of Garrett;
- To protect the health, safety, or rights of you, other students, faculty, staff, and visitors.
How Your Information Is Shared
We may share your information with the following individuals and entities:
- Your financial institutions and funders (as necessary for obtaining loans, scholarships, or other funding);
- Other educational institutions (in order to send you information about jointly hosted informational events);
- Vendors who provide services to Garrett (as necessary for obtaining loans);
- Governmental bodies as necessary for compliance with law, with law enforcement authorities when necessary, and other third parties to enforce our legal rights.
Students
NOTE: With regard to students, PII shall have the broader definition set forth in the Family Educational Rights and Privacy Act of 1974 ("FERPA") and include student records and any other information that could be used to identify a student. For more information on FERPA, please see the Privacy of Student Records – Family Educational Rights & Privacy Act (FERPA) Policy (available to review at https://www.garrettcollege.edu/policy).
Personal Information Collected
When you are a student at Garrett, we maintain records containing your personal information. We may collect and use the following types of personal information about you, as applicable:
- Your contact information;
- Application materials and supporting documents;
- Copies of identification documents and other official documents;
- Educational records;
- Academic work product and related information;
- Records about your other on-campus activities (extracurriculars, athletics);
- Financial information;
- Health information needed to accommodate special needs or as required for student activities.
How Personal Information Is Used
We use this information for the following purposes as applicable:
- To provide educational or related services;
- To administer the financial aspects of the relationship;
- To enable your participation at events and in other opportunities;
- To protect the educational integrity of the college;
- To accommodate special needs;
- For research and statistical purposes related to our educational and/or other services;
- To provide basic contact information in student directories;
- For the general operations of Garrett and related administrative functions;
- For compliance with legal obligations, to respond to subpoenas, court orders, or other legal process, and to enforce our agreements;
- To prevent or investigate fraud or other unlawful activity, and to protect the security of Garrett’s property, website, and other systems;
- To meet the obligations of organizations tasked with accreditation of Garrett;
- To protect the health, safety, or rights of you, other students, faculty, staff, and visitors.
How Your Personal Information Is Shared
We may share your personal information with the following (additional FERPA guidelines may apply):
- College officials or those with a legitimate educational interest;
- Your lenders, funders, and/or other sponsors;
- Providers of any external program;
- Student clubs and related organizations;
- Individuals or entities inquiring about your enrollment history;
- Vendors who provide services to Garrett;
- Governmental bodies as necessary for compliance with law, with law enforcement authorities when necessary, and other third parties to enforce our legal rights.
Faculty and Staff
NOTE: The Employee Records Policy defines the information to be contained in an employee’s personnel file and monitors who may have access to this information. For more information on this policy, please visit https://www.garrettcollege.edu/policy.php.
Personal Information We Collect
When you are a member or prospective member of the faculty and staff at Garrett, we maintain records containing your personal information. We may collect and use the following types of personal information about you, as applicable:
- Your contact and biographical information;
- Employment application materials and supporting documents;
- Copies of identification documents and other official documents;
- Employment and/or educational records;
- Academic work product and related information;
- Financial information necessary to facilitate payroll, retirement, and/or other benefits;
- Health information necessary to accommodate special needs and/or benefit plans.
How We Use Your Personal Information
We use this information for the following purposes as applicable:
- To provide employment and/or related services;
- To administer the financial aspects of the relationship;
- To administer employee benefit plans;
- To enable your participation at events and in other opportunities;
- To protect the educational integrity of the college;
- To accommodate special needs;
- For research and statistical purposes related to our educational and/or other services;
- To provide basic contact information in faculty and/or staff directories;
- For the general operations of Garrett and related administrative functions;
- To share with the Garrett College Foundation for events and solicitation. This covers both current and former employees who may request to be removed by contacting the Payroll Office;
- For compliance with legal obligations, to respond to subpoenas, court orders, or other legal process, and to enforce our agreements;
- To prevent or investigate fraud or other unlawful activity, and to protect the security of Garrett’s property, website, and other systems;
- To meet the obligations of organizations tasked with accreditation of Garrett;
- To protect the health, safety, or rights of you, other students, faculty, staff, and visitors.
How We Share Your Personal Information
We may share your personal information with the following:
- Individuals or entities inquiring about your employment history at Garrett;
- Vendors who provide services to Garrett (such as payroll, benefits, or other services);
- Governmental bodies as necessary for compliance with law, with law enforcement authorities when necessary, and other third parties to enforce our legal rights.
Alumni and Other Supporters
Personal Information Collected
Garrett holds personal information related to its alumni and other supporters (such as donors, prospective donors, volunteers, and family members of students). If you are an alum or other supporter, we may collect and use the following types of personal information about you:
- Academic information;
- Biographical information;
- Contact information;
- Your activities at Garrett, such as extracurriculars or athletics;
- Your involvement with Garrett and other interests;
- Family information, as relevant;
- Financial information, as necessary to process donations;
- Employment information of alumni.
We collect data about alumni and other supporters from various sources, including directly from the individual. We also retain information from your student records if you studied here. We also collect information from publicly available sources, such as social media, and from third parties.
How Your Personal Information is Used
Your personal information is used for the following purposes:
- Sending you informational materials;
- Providing services;
- Sending you information about fundraising campaigns, events, and volunteer opportunities that may be of interest to you;
- For administrative, research and statistical purposes;
- To publicly acknowledge gifts;
- For compliance with legal obligations, to respond to subpoenas, court orders, or other legal process, and to enforce our agreements;
- To prevent or investigate fraud or other unlawful activity, and to protect the security of Garrett’s property, website, and other systems;
- To protect the health, safety, or rights of you, other students, faculty, staff, and visitors.
How Your Personal Information is Shared
We may share your information with the following:
- Garrett departments, clubs, and interest groups;
- Other Garrett alumni;
- Vendors who provide services to Garrett, such as the entities that process donations and coordinate communications;
- Governmental bodies as necessary for compliance with law, with law enforcement authorities when necessary, and other third parties to enforce our legal rights.
Web Site Visitors
Personal Information Collected
The Garrett Web site is an information system intended to provide information about the college to prospective students, alumni, members of the Garrett community, and others with an interest in Garrett. If you visit this site to view or download information, or submit information to us, we or our third-party vendors may automatically collect the following types of personal information:
- The name of the domain from which you access the Internet;
- The date and time of your visit;
- The page(s) you visit;
- Your computing platform.
Some of this information may be collected through the use of cookies, which are text files that are placed on your hard disk by a web server, or similar technologies, such as web beacons. Some of these cookies are managed by third parties that we do not control, such as Google Analytics. You have the ability to accept or decline cookies by changing your browser settings. If you choose to decline cookies, some features on this Web site may not work properly.
If you use our Web site to complete forms, use our applications, or submit information to us, we will collect the information that you provide to us, as well as related information such as your login ID.
How Your Personal Information is Used
The data collected with cookies and similar technologies are used in the aggregate for purposes of analyzing site traffic, managing the site, and providing accountability regarding the usefulness of our work. If you provide us with information, we will use that information for the purposes described on the form or registration pages.
We may also use your personal information for the following purposes:
- For compliance with legal obligations, to respond to subpoenas, court orders, or other legal process, and to enforce our agreements;
- To prevent or investigate fraud or other unlawful activity, and to protect the security of Garrett’s property, Web site, and other systems;
- To meet the obligations of organizations tasked with accreditation of Garrett;
- To protect the health, safety, or rights of you, other students, faculty, staff, and visitors.
How Your Personal Information is Shared
Personal information collected automatically on this Web site is not disclosed to third parties unless the third party is an institutionally authorized provider of services to Garrett. Information collected through Web site forms is used as specified on the form or as otherwise described in this policy.
This Web site may contain links to many sites that are beyond our control. Garrett is not responsible for the privacy practices or content of these other sites. Users of these services are subject to the privacy policies established by the third-party provider.
GENERAL DATA PROTECTION REGULATION (GDPR)
With respect to personal information subject to the GDPR, the college relies on the following lawful bases for processing:
- Our legitimate interests, such as conducting admissions activities, fulfilling our educational mission, maintaining alumnae relations, and conducting fundraising activities;
- To provide you with services or perform contractual obligations, such as processing admissions applications, providing educational services, managing your employment relationship, and providing certain alumnae services;
- For compliance with our legal obligations;
- With your consent, when applicable.
INDIVIDUAL RIGHTS UNDER THE EUROPEAN UNION
If you are located in the European Union ("EU"), you may have the following legal rights under applicable law with respect to the personal information processed by Garrett:
- To withdraw consent at any time, if we are processing your personal information on the basis of consent;
- To access the information that Garrett has about you;
- To request that Garrett rectify or erase your information;
- To request that Garrett restrict the way it uses your information;
- To object to the way Garrett uses your information;
- To ask Garrett to transfer your information to someone else;
- To lodge a complaint with a data protection authority in the EU.
Garrett’s ability or obligation to comply with your requests may be limited by applicable law. To request to exercise one of these rights, please contact us at the Office of Business and Finance/CFO, Garrett College.
COMMUNICATIONS FROM GARRETT
Garrett periodically sends marketing communications to members of the Garrett community, such as newsletters, event invitations, and fundraising information. If you would like to request that Garrett limit or stop these marketing communications with you, please contact us at 301-387-3091.
If you request to be removed from our mailing lists, we will retain your contact information to ensure that we do not continue to contact you for these purposes. If applicable, we will also continue to process your personal information for other purposes consistent with this policy.
PROTECTION OF PII
All PII must be protected with the safeguards appropriate to its sensitivity. The following rules apply to everyone working for or on behalf of Garrett:
Collect PII Only as Authorized
- Provide clear and conspicuous notice at or before the time of collection, and obtain appropriate consent for any intended uses.
- Describe the choices available and explain the consequences of denying or withdrawing consent.
- Ensure the notice explains the purpose, uses, retention, and disclosure of the information and identifies the entities and activities covered by the notice.
- Comply with all other Garrett policies that pertain to the collection of PII.
Limit Use of PII
- Access PII only when you need to know the information as part of your job duties.
- Do not access PII for any non–job-related reason.
- Use must be compatible with the notice given at the time of collection.
- If PII is to be used for new purposes not previously identified, new notice and consent must generally be obtained.
- Confirm with your supervisor if you are unsure whether a specific use or disclosure is appropriate.
Share PII Only as Authorized
- You may share PII with another Garrett employee or contractor only if the recipient’s need for the information relates to their job duties.
- You may disclose PII to third parties only for the purposes identified in the notice at the time of collection and with appropriate consent.
- Disclosure may also occur as needed for routine business operations where consent is reasonably inferred.
Minimize Collection of PII
- Limit the collection of PII to what is needed to fulfill the purposes described in the notice.
Maintain Quality
- Collect, maintain, and use PII that is accurate, complete, and relevant.
- Departments must establish procedures for authenticating identity, assessing accuracy over time, and allowing individuals to submit updates and corrections.
Provide Access and Opportunity for Correction
- Provide individuals with access to their PII in an understandable form for review, correction, and update, within a reasonable timeframe and cost.
Follow Records Retention and Disposal Policies
- Garrett retains personal information about students and alumni indefinitely for alumnae relationships, academic record-keeping, and archiving.
- Other personal information is retained only as long as necessary to complete Garrett’s legitimate purpose.
Secure PII
- Treat PII in accordance with applicable records retention protocols.
- Retain extracted information only as long as needed.
- Protect against unauthorized disclosure, including shoulder surfing, eavesdropping, or overhearing.
- Store PII on shared drives only if access is restricted to those with a need to know.
- If someone sends you PII in an unprotected manner, you must still secure it once received.
Security Standards for PII
- PII must not be stored on devices or electronic folders that are not password‑protected.
- Storage of PII on external hard drives, thumb drives, or unsecured network drives is not appropriate.
ROLES & RESPONSIBILITIES
- The Chief Information Officer, or his/her designee, shall coordinate with the Information Technology department to establish, maintain, update, and enforce a comprehensive information security program to protect PII against loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
- Contracts and other agreements involving the collection, use, and retention of PII must be reviewed for consistency with Garrett’s privacy policies and procedures.
- Management shall reasonably confirm that third parties from whom PII is collected are reliable sources that collect information fairly and lawfully, and shall take remedial action in response to misuse of PII by a third party to whom Garrett has transferred such information.
- Management shall annually review the assignment of personnel, budgets, and allocation of other resources to its privacy program.
- Garrett shall ensure that employees responsible for protecting the privacy and security of PII are qualified and trained for such responsibility through pre-hire background and reference checks. The Garrett Human Resource Manual agreed to by all employees shall address the need for confidentiality of PII.
- All employees shall receive periodic training on privacy protection and Garrett’s privacy policies and procedures.
MONITORING & ENFORCEMENT
- Garrett shall monitor and enforce compliance with privacy laws, internal policies and procedures, and its contractual commitments.
- Garrett shall maintain mechanisms to address internal and external privacy‑related inquiries, complaints, and disputes.
- Garrett shall have processes to document compliance, submit assessment reports to senior management, and develop remediation plans where appropriate.
- Staff and any vendors with whom Garrett shares PII will be informed that compliance with privacy and security controls will be enforced.
- Failure to comply with Garrett’s privacy policy is subject to discipline, up to and including termination.
TRAINING
- All employees shall be educated on the terms of this Privacy and Protection of PII Policy at the time of their initial orientation and training.
- Each employee shall sign an acknowledgment regarding his or her knowledge of these policies (located on the Information Technology Internal/Intranet Departmental page; for questions, call the IT Help Desk at Ext. 3027).
- In the event of changes to the policy, all employees shall be notified.
CONTACT INFORMATION
Questions, concerns, requests, or complaints regarding this policy and the processing of personal information by Garrett should be directed to:
The Office of Business and Finance/CFO
Garrett College
687 Mosser Rd
McHenry, MD 21541
