Yuba CCD Data Security & Privacy Protection:  Exhibit A

European Union General Data Protection Regulation (EU GDPR) Administrative Procedure

APPLICATION:  This administrative procedure applies to all individuals who collect, use, or share district information.  Those individuals include, but are not limited to, staff, faculty, those working on behalf of the district, and individuals authorized by affiliated institutions and organizations.
DATA PROTECTION OFFICER:  Director of IT Infrastructure and Security

Purpose

Yuba Community College District seeks to ensure appropriate treatment and use of personal data in adherence with EU data protection laws.

Scope

EU GDPR applies to personal data collected from or shared with individuals or organizations in the EU.  EU GDPR does not apply to data shared or collected from EU citizens outside of the EU by non-EU entities; however, it does apply, as an example, to non-EU citizens while they are in the EU.  District employees are required to be cognizant of data collected and maintained in order to comply with EU GDPR. The District’s administrative procedure is to rigorously maintain the privacy of all personal data collected, mindful of the additional requirements of the EU GDPR.

For the sake of this administrative procedure, personal data is any information that can identify or provide information about an individual that the district or authorized agents collect, use electronically or physically, or share with others.

The collection, use, and release of some of this information may be covered by other laws or regulations, including but not limited to the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act (“HIPAA”).

Data Classifications

Personal data should be classified per Yuba Community College District’s Data Security & Privacy Protection Administrative Procedure and minimized or anonymized as much as possible.

Data Collection

Personal data should only be collected by authorized personnel where it is specifically needed for a legitimate district business requirement or to meet a statutory or regulatory requirement. The district strongly discourages the collection or retention of this information except where absolutely necessary and no other alternative exists.

For all personal data being collected, individuals must provide informed and affirmative consent to its collection, use, and sharing; and may revoke it at any time.  The data being collected cannot be required or compelled and consent must be tracked and maintained. (e.g., who, when, how, to what)

Data Transparency, Integrity & Control

EU data subjects have the rights to receive copies of their data, correct inaccuracies, and request that the data be deleted.  As an organization, YCCD can deny requests if it has a contractual or legal basis to maintain the data, or if the data is anonymized.

Data Sharing

Personal data can only be shared if it is legally required or explicitly approved by the data subject. As a condition to receiving such information, all recipients must agree to comply with the EU GDPR.

Protection of Personal Data

• All personal data must be protected per YCCD’s Data Security & Privacy Protection Administrative Procedure
• All third-party contracts involving personal data must contain clauses requiring that the third parties to comply with GDPR where appropriate.
• Personal data breach notifications are handled per the security incident response procedure.

 

More information about the EU GDPR is available on the EU Data Protection website.

Enforcement

Staff, faculty, or students found in violation of this administrative procedure may be adjudicated per their respective handbooks.

Questions, comments, or concerns regarding this administrative procedure or the protection of data should be directed to the Data Protection Officer at helpdesk@yccd.edu.