Effective Date: February 3, 2019
True Partnership Christian Academy (TPCA) is committed to the responsible use of personal information and sensitive information collected from and about its students, faculty, staff, business partners and others who provide such information to the school. This commitment is in accordance with both state and federal regulations concerning the use of sensitive information. Such sensitive information includes information that could be used to cause financial harm or reputational harm to any individual. This policy applies to personally identifiable sensitive information and how it is collected.
2. Objective / Purpose
The purpose of this policy is to protect the privacy of individuals who have sensitive information stored (either in electronic or paper form) on assets owned by True Partnership Christian Academy, while at the same time providing the school the ability to share this information with authorized entities as required by legitimate academic or business need or by law.
4.1 Limits on Use of and Access to Sensitive Information
The responsible use of sensitive information requires that the school respect individual privacy, protect against unauthorized access to or use of information, and comply fully with all laws and government regulations in the collection, use, storage, display, distribution and disposal of such information. Authorized uses of sensitive information within the school are limited to uses which a) are necessary to meet legal and regulatory requirements; b) facilitate access to services, transactions, facilities, and information; or c) support efficient academic and administrative processes.
Access to sensitive information is limited to:
- the individual whose information is produced or displayed;
- a school official or agent of the school with authorized access based upon a legitimate academic or business interest and a need to know;
- an organization or person authorized by the individual to receive the information;
- a legally authorized government entity or representative;
- other circumstances in which the school is legally compelled to provide access to information, such as the Georgia Open Records Act;
- or other individuals or entities, as allowed by law, for purposes judged to be appropriate or necessary for the reasonable conduct of school business.
4.2 Social Security Numbers
Social Security numbers are always considered confidential and are therefore subject to the limits of use and access described above. In addition, the school will continue to collect and process Social Security numbers only in instances in which that number is required by law or contract, or where there is a legitimate business or academic need authorized by TPCA administration. This includes, but is not limited to, all enrolled students who are U.S. citizens or permanent residents.
TPCA, its faculty, staff, and students must abide by all state legal regulations pertaining to Social Security Number protection.
It is against both state law and TPCA policy to:
- Publicly post or display the Social Security number in any manner;
- Require an individual to transmit his or her Social Security number over the Internet unless the connection is secure or the number is encrypted;
- Require an individual to use his or her Social Security number to access an Internet site unless a unique password or PIN is also required;
- Print the Social Security number on any card required to access services; or
- Establish a new process that requires the printing of a Social Security number on any materials that are mailed unless required by another state or federal agency.
4.3 Online Collection of Information
5. European Union General Data Protection Regulation (EU GDPR) Privacy Notice
5.1 Lawful Basis for Collecting and Processing of Personal Data
The school is an institute of higher education involved in education, research, and community development. In order for the school to educate its students both in class and online, engage in world-class research, and provide community services, it is essential and necessary, and the school has lawful bases, to collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. The lawful bases include, without limitation, admission, registration, delivery of classroom, online, and study abroad education, grades, communications, employment, research, development, program analysis for improvements, and records retention. Examples of data that the school may need to collect in connection with the lawful bases are a name, email address, IP address, physical address or other location identifier, photos, as well as some sensitive personal data obtained with prior consent.
For more information regarding the EU GDPR, please review the school’s European Union General Data Protection Regulation Compliance Policy.
Most of the school’s collection and processing of personal data will fall under the following categories:
a) Processing is necessary for the purposes of the legitimate interests pursued by the school or third parties in providing education, employment, research and development, and community programs.
b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This lawful basis pertains primarily but not exclusively to research contracts.
c) Processing is necessary for compliance with a legal obligation to which the school is subject. This lawful basis pertains primarily but not exclusively to compliance with state and federal laws. Examples are providing enrollment data to the US Department of Education and providing employment and payroll data as required by the US Internal Revenue Service.
d) The data subject has given consent to the processing of his or her personal data for one or more specific purposes. This lawful basis pertains primarily but not exclusively to the protection of research subjects and providing medical and mental health services.
There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.
5.2 Types of Personal Data collected and why
The school collects a variety of personal and sensitive data to meet one of its lawful bases, as referenced above. Most often the data is used for academic admissions, enrollment, educational programs, job hiring, provision of medical services, participation in research, development and community outreach. Data typically includes name, address, transcripts, work history, information for payroll, research subject information, medical and health information (for student health services, or travel), and donations. If you have specific questions regarding the collection and use of your personal data, please contact the Office of Information Security at firstname.lastname@example.org.
If a data subject refuses to provide personal data that is required by the school in connection with one of the school’s lawful bases to collect such personal data, such refusal may make it impossible for the school to provide education, employment, research or other requested services.
Where TPCA Gets Personal and Sensitive Personal Data
TPCA receives personal and sensitive data from multiple sources. Most often, TPCA gets this data directly from the data subject or under the direction of the data subject who has provided it to a third party (for example, application for admission to the school through the use of the Common App).
Individual Rights of the Data Subject under the EU GDPR
Individual data subjects whose information is collected under the school’s European Union General Data Protection Regulation Compliance Policy will be provided the following information at the time the information is collected from them:
a) information about the controller collecting the personal data;
b) contact details for the data protection officer (if assigned);
c) the purposes and lawful basis of the data collection/processing, including the legitimate interest for the processing (if applicable);
d) who the recipients or categories of recipients of the personal data are;
e) whether the school intends to transfer personal data to another country or international organization;
f) the period for which the personal data will be stored;
g) the existence of the right to access, make corrections to, or erase personal data, the right to restrict or object to processing, and the right to data portability;
h) the existence of the right to withdraw consent at any time (if applicable);
i) the right to lodge a complaint with a supervisory authority (established in the EU);
j) justification for why the personal data are required and possible consequences of the failure to provide the personal data;
k) the existence of automated decision-making, including profiling; and
l) if the collected personal data are going to be further processed for a purpose other than that for which it was collected.
Individual data subjects whose information is collected under the school’s European Union General Data Protection Regulation Compliance Policy will be provided the following rights (as applicable), provided that the school determines that the exercise of the right is permitted and/or required by the EU GDPR:
a) the right to receive confirmation from TPCA as to whether the data subject’s personal data is being processed by TPCA, and if so, the right to access such personal data and the right to receive information regarding, among other things, the categories of personal data collected and how such personal data is being used;
b) the right to correct inaccurate personal data concerning the data subject;
c) the right to obtain the erasure of personal data concerning the data subject;
d) the right to restrict or object to the processing of the data subject’s personal data; and
e) the right to request a copy of personal data concerning the data subject.
Any data subject who wishes to exercise any of the above-mentioned rights may do so by filing such request with the Office of Information Security at email@example.com.
Cookies are files that many websites transfer to users’ web browsers to enable the site to deliver personalized services or to provide persistent authentication. The information contained in a cookie typically includes information collected automatically by the web server and/or information provided voluntarily by the user. Our website uses persistent cookies in conjunction with a third-party technology partner to analyze search engine usage and web traffic patterns. This information is used in the aggregate to monitor and enhance our web pages. It is not used to track the usage patterns of individual users.
5.4 Security of Personal Data subject to the EU GDPR
All personal data and sensitive data collected or processed by the school under the scope of the European Union General Data Protection Regulation Compliance Policy must comply with the security controls and systems and process requirements and standards set forth in the school’s Data Classification and Protection Standard.
We will not share your information with third parties except:
• as necessary to meet one of its lawful purposes, including but not limited to,
– its legitimate interest,
– contract compliance,
– pursuant to consent provided by you,
– as required by law;
• as necessary to protect the school’s interests;
• with service providers acting on our behalf who have agreed to protect the confidentiality of the data.
6. Enforcement and Implementation
6.1 Roles and Responsibilities
Each school department/unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance with this policy.
The Office of Information Technology is responsible for enforcing this policy.
6.2 Consequences and Sanctions
Violation of this policy may incur the same types of disciplinary measures and consequences as violations of other school policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.
434 CONYERS RD. LOGANVILLE, GA 30052
TPCA is fully accredited by the Georgia Accrediting Commission (GAC) and is also a member of the Association of Christian Schools International (ACSI).