Administrative Procedure 3.905
Elgin Community College regularly collects and uses data from students and employees. Data informs the programs and services we offer, the partnerships we participate in, and the initiatives we undertake. In general, three (3) general types of data are collected by the college:
- Public data
- Internal administrative data
- Personal identifiable data
Public data and internal administrative data are the most widely available forms and are easily accessible. Examples of public data include press releases and reports. Examples of internal administrative data include memos, emails, and internal newsletters. Public and internal administrative data are principally operational used to conduct everyday business. For this reason, they not considered private, sensitive, or confidential and, as such, not covered in this procedure.
Personal identifiable data is the last category of data and the focus of this procedure. Personal identifiable data1 contains information related to an individual person’s identity, location, or behaviors, and as such, is sensitive and restricted. If compromised, identifiable data can violate personal privacy, create risk, or impose legal action. The practices outlined in this document help to maintain the confidentiality, use, and limitations regarding the distribution of personal data.
Personal Data We Collect
Types and examples of personal data we collect include:
Individual identifying and demographic data. Individual demographic data includes, but is not limited to, a person’s name (first and last); phone numbers; addresses (street name, street number, city, state/province, zip/postal code); email address; date of birth; and social security number or tax identification number (TIN). Demographic data also includes information about an individual’s race, ethnicity, and gender.
1We gather personal data only from individuals who are over the age of 13. Individuals who are 13 years old and younger must get parental consent to send personal information through the ECC website or via email. For more information on the Children’s Online Privacy Protection Act of 1998 please visit the Federal Trade Commission’s website at http://www.ftc.gov/ogc/coppa1.htm.
Enrollment and participation data. Enrollment data includes an individual’s attendance in courses or involvement in events. For students, this can include course enrollment data (course prefix, number, and course title), course location (buildings and rooms), instructors, days and times of classes, and formats of classes (face-to-face or online). For employees, data can include involvement in committees, meetings, and professional courses or workshops. Information we collect includes names of committees or workshops, meeting locations or modalities, leaders or instructors, days and times of workshops or meetings, and other related information.
Official records. Performance data includes judgments about an individual’s aptitude or skills. For students, examples of performance data include course grades, and grades or evaluations made by instructors or evaluators on measures of learning, such as tests and quizzes, writing assignments, portfolios, or presentations. For employees, performance data includes job performance evaluations and actions taken because of decisions made from evaluations or approved meeting notes.
Use of educational services. Usage data includes information about an individual’s use of services provided by the college. For students, usage data includes library circulation data (books or resources signed out and dates), use of certain labs, tutoring services, testing services, or participation in events, such as guest lectures. For employees, usage data includes use of services such as the library or the fitness center. Different campus services track usage to different degrees. Some routinely log every visitor who uses a service, whereas others track usage sporadically.
Financial data. Financial data we collect from students includes payment history, payment status, and banking information, including credit cards. We use third-party billing companies for collecting tuition payments, and those companies may request credit card or bank account information. For students on financial aid, we collect all data supplied on the FAFSA, which includes income, public assistance, loan information and history, and credit information, such as bankruptcies. Some student scholarships also require financial information such as income. Certain employee positions that handle money also require credit checks and scores from credit bureaus.
Health data. The college collects certain health records from employees and students who participate in the health insurance program, clinics offered by the Health Professions Division, or who request accommodations through the Americans with Disabilities Act (ADA) Compliance Officer. Health Insurance Portability and Accountability Act (HIPPA) and ADA rules are followed regarding the collection and use of this data. Employee and student health information is also used in certain programs. For example, truck driving and Health Professions programs require drug and alcohol use information. For further information, please see Administrative Procedures 3.405 and 3.406. For students or employees who request tuition assistance through the Tuition Adjustment Advisory Council, we collect information medical status, including data on the nature of an individual’s disability.
Criminal background data. Certain programs and positions in the college require crime information from students and employees. Criminal backgrounds checks are conducted for new employees as part of the hiring process and at regular intervals for positions in campus safety and in certain programs, such as criminal justice.
Audiovisual data. From time to time, the college or the ECC Foundation, a related not-for-profit organization, may record audio or use photographs or video of an individual’s participation in events and may publish and use recordings or representations of individuals for promotion and educational purposes.
Perceptual and attitudinal data. From time to time, the college or external partners may request perceptual or attitudinal information related to an individual’s use or satisfaction with services. This type of data is commonly collected through web surveys, interviews, or focus groups. Specific practices for the collection of this type of data are contained in Administrative Procedure 3.906 (Survey Use and Administration). While reports of perceptual data are summarized in aggregate and identifying information is redacted in shared reports, identifying information can at times be contained in open-ended questions, and for this reason, this type of data represents another form the college collects.
Other behavioral data. At times college employees and students are invited to participate voluntarily in research internal or external to the college that involves data collection. Types of data collected are specific to each research project, and researchers are required by the Elgin Community College Internal Review Board to gather informed consent from participants. Specific practices related to the collection of this type of data are contained in Administrative Procedure 3.103 (Data Collection Involving People at Elgin Community College) and follow accepted practices of the US Department of Health and Human Services.
Use and Retention of Personal Data
We use the above forms of collected data for the following purposes:
- To create and improve the quality of academic programs and educational services.
- To perform financial transactions or create and strengthen financial and business services.
- To create and maintain technology and network systems, monitor their usage, and improve their functionality and security.
- To notify individuals about changes to our instructional, financial, or technological services or systems.
- To create new campus events or design new promotional materials
- To comply with legal obligations, resolve disputes, or enforce legal agreements and policies.
- To provide information about emergency closings or safety notifications.
To carry out the above uses, we retain records in the form of both paper files and digital data linked to an individual’s name. Administrative Procedure 3.102 details the length of time that certain hard copies of records are kept, but because paper files are typically converted into digital files for recordkeeping and analysis, individuals should assume that data is stored in perpetuity to be retrieved as needed for any of the above uses.
Validity of Data
Data should be collected and maintained with assurance of its validity. Everyone who supplies or works with data has a responsibility to ensure its accuracy, timeliness, and consistency. Students and employees who provide information should ensure that it is up-to-date. Employees tasked with entering, coding, or reporting data should take steps to ensure its accuracy.
The college employs quality standards in regards to data validity. First, we staff data analysts in key functional areas – technology, research, academic affairs, finance, and human resources – who conduct soundness checks as part of their assigned responsibilities. Second, we maintain standing bodies (offices or committees) to act as “stewards” of the data within their charge. For example, student success and learning outcomes data are overseen by councils who assume responsibility for the validity of the data they oversee. Third, we rely on external bodies (e.g., Illinois Community College Board, National Community College Benchmarking Project, etc.) to ensure that data is cross-checked, benchmarked, and reflects the college accurately and completely. Fourth, we use best practices in data sharing and communicating to ensure that data are regularly discussed and understood.
Access, Security, and Use of Third Parties
Information regarding access to and security of data is contained in Administrative Procedures 3.407 and 7.106. In general, oversight for data access and security is distributed throughout the college. Every department has some degree of access to personally identifiable data during the normal course of work, and each person who uses data is expected to:
- Understand the nature of confidential information in their care.
- Manage that data with safeguards.
- Understand the consequence that might result from improper handling or unauthorized access.
These administrative procedures also describe the college’s processes for providing regular training to employees and tracking participation in training to ensure that data remains valid and secure.
In addition to our own employees, the college also provides access to data to third-party service providers, contractors, and organizations with whom we do business. These organizations help us perform a variety of functions: connect us to employees, students, or community members; gather and process data; and conduct business transactions. We also use providers to inform and optimize web visits using information gathered from cookies, beacons, and log files. While the list of service providers is ever changing, it generally includes the following types of organizations:
- Governmental or accreditation agencies
- Data partnerships or consortia
- Educational institutions or consortia
- Online survey providers (such as Qualtrics)
- Course management providers (such as Desire2Learn)
- ERP systems (such as Ellucian Colleague)
- Data management and reporting systems (such as Tableau)
- Employee record-keeping systems (such as timekeeping and payroll systems)
- Financial agencies and payment processors (such as PayPal/Braintree and related providers via the PCI Security Standards Council)
- Publishing companies
- Web analytics systems (such as Google Analytics)
- Behavioral remarketing systems (such as Google Adwords, Bing Ads Remarketing, AdRoll, Perfect Audience, and AppNexus)
- Social media systems (such as Twitter, Facebook, or Snapchat)
- Communications systems (such as CampusCast and MailChimp)
- Customer relationship data (such as Salesforce)
In providing access to third parties, we take all necessary steps to ensure data is handled securely, and no transfer of personal data takes place until adequate controls are in place. We use commercially acceptable means to protect data, such as data encryption and uploading/downloading data to/from secure sites. We require that access to digital information is protected by strong passwords which are periodically updated and never shared.
Third-party data sharing parameters are spelled out in written contracts that define the contexts in which data are used or shared, stored, and deleted. Contracts are kept on file in the college’s Business and Finance and/or Legal Affairs Offices. With regard to student educational records, we comply with the Family Educational Rights and Privacy Act (www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html) and do not share information without students’ written consent. For further information about students records, use and privacy, see Administrative Procedure 4.103.
Limitations to the College’s Use of Data
While the college relies on complete data, individuals can limit how their data is collected or used:
- Individuals may opt out of receiving certain communications from the college by following the unsubscribe link within the software platform. Requests to be removed from mailing lists can also be made directly to the pertinent department.
- Forms filled out as part of student enrollment and employee hiring acknowledge that, from time to time, the college takes photographs and/or videos of attendees at campus events. Students who wish not to be photographed or videorecorded should notify Marketing and Communications at firstname.lastname@example.org. Employees who wish not to be photographed or videorecorded should notify Human Resources at email@example.com.
- Students or employees may opt out of receiving text messages about safety or emergency closing notifications sent through Rave Mobile Safety by texting the word STOP to 67283 or 226787 at the time of receipt or by logging into getrave.com/login/elgin/ and deleting their subscription. However, doing so may mean important campus information is missed.
- Students who are citizens of the European Union and the European Economic Area (EEA) have rights under the GDPR (General Data Protection Regulation) to correct, amend, delete, or limit the use of their personal data. Specifically, EEA residents have:
- The right to access, update, or delete the information the college has collected. Students can access, update, or request deletion of personal data within account settings of accessECC or with assistance from the Records and Registration Office at 847-214-7386 or firstname.lastname@example.org.
- The right of rectification – i.e., the right to have information rectified if that information is inaccurate or incomplete
- The right to object – i.e., the right to object to the college’s processing of personal data
- The right of restriction – i.e., the right to request that the college restrict processing of personal information
- The right to data portability – i.e., the right to be provided with a copy of the information the college has in a structured, machine-readable, and commonly used format
- The right to withdraw consent – i.e., the right to withdraw consent at any time for data in which the college relied on consent to process that information
- The right to complain to a Data Protection Authority about the college’s collection and use of personal data
For any right listed above, the college will ask for verification before responding to such requests.
Communication of Changes to this Document
Any changes made to this administrative procedure will be updated promptly on the college’s employee and student portals and on the public website at elgin.edu.datapolicy. Additionally, any documents that reference this procedure, such as Student Terms and Conditions, are also updated whenever updates to this procedure are made.
Students and employees are advised to review this procedure periodically for changes. Changes are effective when they are posted at elgin.edu/datapolicy/. Any questions about this administrative procedure should be sent via email to email@example.com.