General Data Protection Regulation (GDPR)
Data protection legislation sets out rules and standards for the use and handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’) by organizations (‘data controllers’).
The law applies to organizations in all sectors, both public and private. It applies to all electronic records as well as many paper records. It doesn’t apply to anonymous information or to information about the deceased.
Regent University’s data protection policies and procedures are governed by the Family Educational Rights and Privacy Act with the Unites States and the General Data Protection Regulation (GDPR) (EU). The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The General Data Protection Regulation (GDPR) (EU) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Data controllers processing personal data must follow – and be able to demonstrate that they are following – the data protection principles.
Under the GDPR, there are six principles. Personal data must be processed following these principles so that the data are:
- Processed fairly, lawfully and transparently – and only if there is a valid ‘legal basis’ for doing so
- Processed only for specified, explicit and legitimate purposes
- Adequate, relevant and limited
- Accurate (and rectified if inaccurate)
- Not kept for longer than necessary
- Processed securely – to preserve the confidentiality, integrity and availability of the personal data
Depending on the context, there are full or partial exemptions from the principles when processing personal data for specific purposes, including academic research.
An important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used. The supply of this information – through documents variously known as ‘privacy notices’, ‘data protection statements’, ‘data collection notices’, ‘privacy policies’ and numerous other interchangeable terms – takes places in numerous targeted ways depending on the context of the interaction with the individual.
Under the GDPR, data subjects are given various rights:
- The right to be informed of how their personal data are being used – this right is usually fulfilled by the provision of ‘privacy notices’ as described above
- The right of access to their personal data – accessing personal data in this way is usually known as making a ‘subject access request’
- The right to have their inaccurate personal data rectified
- The right to have their personal data erased where appropriate – known as the right to be forgotten
- The right to restrict the processing of their personal data pending its verification or correction
- The right to receive copies of their personal data in a machine-readable and commonly-used format – known as the right to data portability
- The right to object: to processing (including profiling) of their personal data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest
- The right not to be subject to a decision based solely on automated decision-making using their personal data
A response to a rights request needs to be sent within one month. However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions (for example, nearly all the rights do not apply if the personal data are being processed solely in an academic research context).
Data protection legislation imposes certain accountability obligations on all data controllers. Under the GDPR, the main obligations for large data controllers include:
- Implementing policies, procedures, processes and training to promote ‘data protection by design and by default’
- Where necessary, carrying out systematic Data Protection Impact Assessments (DPIAs) on ‘high risk’ processing activities
- Having appropriate contracts in place when sharing personal data – especially when outsourcing functions that involve the processing of personal data and/or transferring the personal data
- Maintaining records of the data processing that is carried out across the organization
- Documenting and reporting personal data breaches both to the ICO and the affected data subjects
- Where necessary, appointing an independent Data Protection Officer to advise on and monitor compliance
One of the most important accountability obligations concerns personal data breaches – that is, personal data held by the University is lost, stolen, inadvertently disclosed to an external party, or accidentally published. If a personal data breach occurs, this should be reported immediately to appropriate staff within your University Institution (e.g. senior administrative or IT staff), who should then inform:
- The Information Compliance Office/Registrar’s Office and/or
- If the breach is IT-related in any way, Information Technology Department
Remedial work can then be done so that the breach can be contained. On occasion, we need to report breaches to relevant external authorities, including the ICO, within a short timeframe.
This section provides information about the use of personal information provided by applicants to Regent University.
‘Personal information’ means any information which relates to or identifies you as an individual.
The information provided here applies to the use, sharing and disclosure of your personal information by Regent University as part of the admissions process.
Regent University will use the details you provide on your inquiry form, student application, together with the supporting documents requested and additional details provided by in interview processes.
Regent University will process the personal information provided on your application and the other information referred to above for the purposes of identifying you, processing your application, verifying the information provided, deciding whether to offer you enrollment, and communicating that outcome.
We may also use or disclose the information provided for the following statutory or public interest purposes:
- To prevent or detect fraud.
- For equal opportunities monitoring.
- To help us to make reasonable adjustments for any disability, as requested by you.
- To allow us to consider any future accommodation requirements.
- To provide statutory returns required by applicable legislation.
- For research and statistical purposes, but no information which could identify you will be published.
We consider the processing of your personal information for the above purposes to be either necessary for us to take steps with a view to creating a contractual relationship with you (e.g. to assess your application to study with us), or necessary for compliance with a legal obligation (e.g. equal opportunities monitoring), or necessary for the performance of tasks we carry out in the public interest (e.g. admissions research). We require you to provide us with the information we ask for during the application process in order to assess your application properly except where its supply is marked as optional. Admissions decisions are not automated.
As well as circulating your application and related materials to the appropriate staff at Regent University, we will share your personal information for the above purposes as relevant and necessary with:
- Your admission team.
- Where relevant and as required and/or notified to you, your specific school/college.
- Your examination boards or awarding bodies.
- Other support functions including financial aid and advising teams.
- Your funders and/or potential funders (i.e., the Student Loans Companies).
- Where relevant and as required, Visas and Immigration departments in order to act as your sponsor for visa purposes.
- Where relevant and as required, governmental bodies including local authorities, the Home Office, and the Department for Work and Pensions and its agencies.
- Other Higher Education organizations, in order to assist with tracking, transcript services, and research into access to Higher Education
- Companies or organizations providing specific services to, or on behalf of, the University and/or one or more Colleges.
If you are accepted as a student, we will use your personal information for the purposes described in our privacy statement and on the University Registrar’s FERPA website. Further information about this will be provided in your offer of admission.
If you are accepted, Regent University will also report data about you to the National Center for Education Statistics through the Integrated Postsecondary Education Data System (IPEDS) and other external agencies and funding bodies, as required.
You have the right to access the personal information that is held about you by Regent University.
You also have the right to ask us to correct any inaccurate personal information we hold about you, to delete personal information, or otherwise restrict our processing, or to object to processing or to receive an electronic copy of the personal information you provided to us.
Personal information during the inquiry and application phase can be viewed in the Regent University online applicationor in writing.
We store your personal information for the minimum time necessary to complete the application process. If you are successfully admitted, your information will be kept as part of your student record indefinitely.
If you have any questions about how your personal information is used, or wish to exercise any of your rights, please consult the Regent University Registrar’s Office.
If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with Regent University’s General Counsel at generalcounsel@regent.edu.
This webpage was last updated in Spring 2018. It is reviewed when necessary and at least annually. Any changes will be published here.
This section provides information about the use of personal information while you are a student at Regent University.
‘Personal information’ means any information which relates to or identifies you as an individual.
When you applied to become a student you were told how Regent University would use your personal information to process your application and admittance into the university. You were referred to this webpage for a fuller statement of the uses we make of your personal information while you are a student. In addition to the information published here, when you use specific services and facilities offered by the University, you will be told about any other uses of your personal information. For example, there are separate statements for users for students who engage with Counseling Services, Writing Services, or Disability Services.
The information published here applies to the use, sharing and disclosure of your personal information by Regent University. Your personal information will be used for a variety of academic, administrative and statistical purposes in accordance with agreed protocols.
The University will keep a record of the details you provided on your application form, any supporting documents requested as part of your admission and additional details provided by your admissions team. We will also maintain records about your studies at Regent University, and about your use of the academic and non-academic facilities and services offered. This personal information will include data such as your name, home address, date of birth, course studied, fee payments, and information about your examinations, assessments and results.
Your personal information is created, stored and transmitted securely in a variety of paper and electronic formats, including databases and systems. Access to your personal information is limited to University staff who have a legitimate interest in it for the purpose of carrying out their contractual duties, and our use of your personal information will not be excessive. Under contract, additional contracted resources may be used for specific administrative purposes and will be under the same polices/procedures as hired staff.
In addition to this, the University may process some information about you that is classed as ‘sensitive’ or ‘special category’ personal data, and which requires additional protections. This includes information concerning your social security number, financial aid or health/disability that we use for funding planning and monitoring purposes, or in order to provide care, help or suitable adjustments. For certain courses of study, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and your fitness to practice in certain regulated professions. Access to, and the sharing of, your ‘sensitive’ personal data are controlled very carefully. You will normally be given further details about our use of any such data when we collect it from you.
The University will process your personal information for a range of contractual, statutory or public interest purposes, including the following:
- To deliver and administer your education, record the details of your studies (including any placements with external organizations), and determine/confirm your academic achievements (e.g. results, scholarships).
- Where relevant (e.g. for PhD students), to monitor, evaluate and support your research activity.
- To administer the financial aspects of your relationship with us and any funders.
- To deliver facilities to you (e.g. IT, sport, libraries, accommodation, careers).
- To enable your participation at events (e.g. functions, graduation).
- To communicate effectively with you by text, email and phone, including the distribution of relevant newsletters and circulars.
- To operate security (including CCTV), governance, disciplinary (including plagiarism and academic misconduct), complaint, audit and quality assurance processes and arrangements.
- To support your training, medical, safety, welfare and religious requirements.
- To compile statistics and conduct research for internal and statutory reporting purposes.
- To fulfil and monitor our responsibilities under equalities, immigration and public safety legislation.
- To enable us to contact others in the event of an emergency (we will assume that you have checked with the individuals before you supply their contact details to us).
We consider the processing of your personal information for these purposes to be either necessary for the performance of our contractual obligations with you (e.g. to manage your student experience and welfare while studying at Regent University), or necessary for compliance with a legal obligation (e.g. equal opportunities monitoring), or necessary for the performance of tasks we carry out in the public interest (e.g. teaching and research), or necessary for the pursuit of the legitimate interests of the University or an external organization (e.g. to enable your access to external services). If we require your consent for any specific use of your personal information, we will collect it at the appropriate time and you can withdraw this at any time. We will not use your personal information to carry out any wholly automated decision-making that affects you.
As described above, your personal information is shared with relevant staff and faculty as required for your education. In addition, it is shared as permitted or required by law, on a considered and confidential basis, with a range of external organizations, including the following:
- Your funders and/or sponsors (e.g., as relevant, the Student Loans Company and the funders of any awards or scholarships).
- The providers of any external/collaborative learning and training placements or fieldwork opportunities.
- External examiners and assessors, and external individuals involved in relevant University committees or procedures.
- Relevant Government Departments (e.g. Department for Education, Home Office, Foreign and Commonwealth Office, Department of Health).
- Relevant executive agencies or non-departmental public bodies (e.g. Visas and Immigration).
- Relevant Higher Education bodies.
- Any relevant professional or statutory regulatory bodies.
- The relevant University student union(s) and student clubs and societies, in order to facilitate your membership of those bodies.
- On occasion and where necessary, the police and other law enforcement agencies.
- On occasion and where necessary, auditors.
- On occasion and where necessary, subsidiary companies of the University
- Companies or organizations providing specific services to, or on behalf of, the University in which a contract is required
We will normally confirm details of your results and degrees awarded to external enquirers or organizations, and will provide references to third parties. Your name and the type of degree awarded will be published in the relevant graduation program.
We will include your basic contact details in our internal systems which include your name and email address (i.e. email systems and learning management systems).
Other than as set out above, we will not normally publish or disclose any personal information about you to other external enquirers or organizations unless you have requested it or consented to it, or unless it is in your vital interests to do so (e.g. in an emergency situation).
After you graduate a core record of your studies is retained indefinitely so that the details of your academic achievements can be confirmed and for statistical or historical research. Your contact and core personal details are passed to the Development and Alumni Relations office while you are still a student so that you can be added to the alumni database. You will receive more details at the appropriate time during your senior year.
You have the right to access the personal information that is held about you by the University.
You also have the right to ask us to correct any inaccurate personal information we hold about you, to delete personal information, or otherwise restrict our processing, or to object to processing or to receive an electronic copy of the personal information you provided to us.
We store your personal information as part of your student record indefinitely (and it may be used as part of our assessment of any future application you make for further studies at Regent University).
If you have any questions about how your personal information is used, or wish to exercise any of your rights, please consult the University’s data protection webpage.
If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with Regent University’s General Counsel at generalcounsel@regent.edu.
This webpage was last updated in Spring 2018. It is reviewed when necessary and at least annually. Any changes will be published here and you will be notified via this webpage and/or by email.
This section provides information about the use of personal information when you graduate from Regent University.
‘Personal information’ means any information which relates to or identifies you as an individual.
When you applied to become a student you were told how Regent University would use your personal information to process your application and admittance into the university. You were referred to this webpage for a fuller statement of the uses we make of your personal information while you are a student. In addition to the information published here, when you use specific services and facilities offered by the University, you will be told about any other uses of your personal information. For example, there are separate statements for users for students who engage with Counseling Services, Writing Services, or Disability Services.
The information published here applies to the use, sharing and disclosure of your personal information by Regent University. Your personal information will be used for a variety of academic, administrative and statistical purposes in accordance with agreed protocols.
The University will keep a record of the details you provided on your application form, any supporting documents requested as part of your admission and additional details provided by your admissions team. We will also maintain records about your studies at Regent University, and about your use of the academic and non-academic facilities and services offered. This personal information will include data such as your name, home address, date of birth, course studied, fee payments, and information about your examinations, assessments and results.
Your personal information is created, stored and transmitted securely in a variety of paper and electronic formats, including databases and systems. Access to your personal information is limited to University staff who have a legitimate interest in it for the purpose of carrying out their contractual duties, and our use of your personal information will not be excessive. Under contract, additional contracted resources may be used for specific administrative purposes and will be under the same polices/procedures as hired staff.
In addition to this, the University may process some information about you that is classed as ‘sensitive’ or ‘special category’ personal data, and which requires additional protections. This includes information concerning your social security number, financial aid or health/disability that we use for funding planning and monitoring purposes, or in order to provide care, help or suitable adjustments. For certain courses of study, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and your fitness to practice in certain regulated professions. Access to, and the sharing of, your ‘sensitive’ personal data are controlled very carefully. You will normally be given further details about our use of any such data when we collect it from you.
The University will process your personal information for a range of contractual, statutory or public interest purposes, including the following:
- To deliver and administer your education, record the details of your studies (including any placements with external organizations), and determine/confirm your academic achievements (e.g. results, scholarships).
- Where relevant (e.g. for PhD students), to monitor, evaluate and support your research activity.
- To administer the financial aspects of your relationship with us and any funders.
- To deliver facilities to you (e.g. IT, sport, libraries, accommodation, careers).
- To enable your participation at events (e.g. functions, graduation).
- To communicate effectively with you by text, email and phone, including the distribution of relevant newsletters and circulars.
- To operate security (including CCTV), governance, disciplinary (including plagiarism and academic misconduct), complaint, audit and quality assurance processes and arrangements.
- To support your training, medical, safety, welfare and religious requirements.
- To compile statistics and conduct research for internal and statutory reporting purposes.
- To fulfil and monitor our responsibilities under equalities, immigration and public safety legislation.
- To enable us to contact others in the event of an emergency (we will assume that you have checked with the individuals before you supply their contact details to us).
We consider the processing of your personal information for these purposes to be either necessary for the performance of our contractual obligations with you (e.g. to manage your student experience and welfare while studying at Regent University), or necessary for compliance with a legal obligation (e.g. equal opportunities monitoring), or necessary for the performance of tasks we carry out in the public interest (e.g. teaching and research), or necessary for the pursuit of the legitimate interests of the University or an external organization (e.g. to enable your access to external services). If we require your consent for any specific use of your personal information, we will collect it at the appropriate time and you can withdraw this at any time. We will not use your personal information to carry out any wholly automated decision-making that affects you.
As described above, your personal information is shared with relevant staff and faculty as required for your education. In addition, it is shared as permitted or required by law, on a considered and confidential basis, with a range of external organizations, including the following:
- Your funders and/or sponsors (e.g., as relevant, the Student Loans Company and the funders of any awards or scholarships).
- The providers of any external/collaborative learning and training placements or fieldwork opportunities.
- External examiners and assessors, and external individuals involved in relevant University committees or procedures.
- Relevant Government Departments (e.g. Department for Education, Home Office, Foreign and Commonwealth Office, Department of Health).
- Relevant executive agencies or non-departmental public bodies (e.g. Visas and Immigration).
- Relevant Higher Education bodies.
- Any relevant professional or statutory regulatory bodies.
- The relevant University student union(s) and student clubs and societies, in order to facilitate your membership of those bodies.
- On occasion and where necessary, the police and other law enforcement agencies.
- On occasion and where necessary, auditors.
- On occasion and where necessary, subsidiary companies of the University
- Companies or organizations providing specific services to, or on behalf of, the University in which a contract is required
We will normally confirm details of your results and degrees awarded to external enquirers or organizations, and will provide references to third parties. Your name and the type of degree awarded will be published in the relevant graduation program.
We will include your basic contact details in our internal systems which include your name and email address (i.e. email systems and learning management systems).
Other than as set out above, we will not normally publish or disclose any personal information about you to other external enquirers or organizations unless you have requested it or consented to it, or unless it is in your vital interests to do so (e.g. in an emergency situation).
After you graduate a core record of your studies is retained indefinitely so that the details of your academic achievements can be confirmed and for statistical or historical research. Your contact and core personal details are passed to the Development and Alumni Relations office while you are still a student so that you can be added to the alumni database. You will receive more details at the appropriate time during your senior year.
You have the right to access the personal information that is held about you by the University.
You also have the right to ask us to correct any inaccurate personal information we hold about you, to delete personal information, or otherwise restrict our processing, or to object to processing or to receive an electronic copy of the personal information you provided to us.
We store your personal information as part of your student record indefinitely (and it may be used as part of our assessment of any future application you make for further studies at Regent University).
If you have any questions about how your personal information is used, or wish to exercise any of your rights, please consult the University’s data protection webpage.
If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with Regent University’s General Counsel at generalcounsel@regent.edu.
This webpage was last updated in Spring 2018. It is reviewed when necessary and at least annually. Any changes will be published here and you will be notified via this webpage and/or by email.