This document sets forth minimum privacy standards for the collection, processing, transfer, deletion, and other use of personal data at Theoria, including in the context of college operations, clinical research, web and mobile device tracking, big data and analytics, among others.
Theoria expects all partners, consultants, and vendors processing personal data collected by, for or on behalf of Theoria, to abide by these Minimum Privacy Standards.
These Minimum Privacy Standards are intended to reflect best practices, and may not be followed by Theoria in all circumstances. Further, adherence to these Minimum Privacy Standards does not relieve Theoria or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation, or agreement.
As privacy laws and principles evolve over time, these standards will be revised and updated accordingly. In time, these standards are intended to become requirements codified in the Theoria Administrative Guide.
Minimum Privacy Standards
Limit the collection and use of personal data to the minimum that is directly relevant and necessary to accomplish a specified purpose.
De-identify datasets to the extent possible by removing personal data or by using aggregation, tokenization, or other anonymization techniques.
Use personal data only for the specific purposes for which it was collected (or otherwise with the explicit consent of the individual, or as authorized by law).
Need to Know
Limit access to personal data to only those with a legitimate need to know.
Before collecting personal data, provide a notice that clearly and simply describes how Theoria plans to use the data, including the specific purposes for collection.
Choice and Control
To the extent practical, give individuals explicit choice and control as to how their personal data will be used and disclosed. Provide individuals with the ability to review their collected personal data and the opportunity to correct, supplement, or delete it.
Designate a data owner to be responsible for ensuring that these Minimum Privacy Standards are adopted for each personal dataset, that regulatory and contractual obligations are met, and for responding to questions and concerns regarding the dataset.
Ensure that Theoria's Minimum Security Standards are implemented for systems that store, process, or transmit personal data.
Transfer personal data only to or from third parties that meet or exceed Theoria's Minimum Privacy and Security Standards, under an agreement to that effect, and when consistent with applicable regulatory requirements. If the data are High Risk, complete the Data Risk Assessment process prior to transfer.
Understand geographically where personal data will be collected, stored, transferred, and made accessible throughout its lifecycle, both by Theoria and third parties. Ensure adherence to pertinent international and local data privacy laws.
Retention, Deletion, and Sanitization
Retain personal data only as long as needed or as required by law or agreement. Delete or archive personal data when no longer needed. Sanitize data storage media prior to transfer or disposal.
Promptly report privacy incidents to the college dean’s office.