EEA Privacy Notice and General Data Privacy Regulation (GDPR)

European Economic Area Privacy Notice and General Data Privacy Regulation (GDPR)

Rice is committed to safeguarding the privacy of personal data. This European Economic Area (“EEA”) Privacy Notice outlines the collection, use, and disclosure of personal information provided to the University by individuals who are located in the EEA. When information is submitted to Rice, or you use the University's websites and other services, you consent to the collection, use, and disclosure of that information as described in this EEA Privacy Notice.

For purposes of this EEA Privacy Notice, “information” refers to information concerning a natural person that is created by or provided to Rice from or concerning individuals who are located in the EEA.  “Sensitive information” refers to information concerning such a natural person’s race, ethnic origin, religious or philosophical beliefs, health data, sexual orientation and criminal convictions.

This EEA Privacy Notice is a supplement to the Rice University Privacy Notice, which also contains important information relevant to individuals in the EEA and GDPR, please visit www.rice.edu/privacy. {NOTE: this website is being updated, and will be back online shortly}

Throughout this document “Rice” or “we” or “our” refers to William Marsh Rice University, a not-for-profit institution of higher education with a main campus at 6100 Main Street, Houston, Texas  77005 USA, incorporated as a 501(c)3 in the State of Texas. 

1. Who is our Data Protection Officer, and how do I contact that person?

Rice has designated the Chief Information Security Officer as the Data Protection Officer for the purposes of GDPR.  He can be contacted with questions or concerns at GDPR@rice.edu or at 1-713-348-5735, or by mail at:

Marc Scarborough
CISO, Office of Information Technology
Rice University - MS 119, P.O. Box 1892
Houston, TX 77251-1892  USA

2. How does Rice collect and use your personal information?

There are many ways that individuals may interact with Rice, and that will affect the data collected and how it is used. For the sake of clarity, most individuals will fall into one of these categories (each of which will be discussed below):

A) Prospective Students, Applicants, Admitted and Enrolled Students, and other Learners

B) Faculty and Staff 

C) Individuals involved in research

D) Alumni, donors, and other community members

E) Visitors at Rice for specific purposes

1. Information for Potential Students, Admitted Students, and other Learners

Rice may collect your personal data in a numbers of ways, including by you providing it to us through an application for admission or financial aid, email, phone call or in-person meeting.  We may receive information about you from third parties acting on your behalf (such as high school guidance counselors, community organizations with which you are affiliated, or your parents). We may also receive information about you from third parties at our request (such as application or testing services).  

The types of data we collect are mainly driven by the extent to which you either provide information to Rice, or to the extent you use Rice programs or services.  As you attend Rice, in person or online, we may collect information about your participation and performance, including information such as the courses you take, your grade or performance in a course, and information about your attendance or participation. 

If you use an online learning platform (such as Canvas, EdX, Coursera, OpenStax Tutor), information about your online activities will be associated with your log in, which may include what pages you visit, how long you were there, forum postings, and any correspondence with the instructor or other students.

If you use other Rice services or programs, we may collect personal information from you that is relevant to providing that service or program. Examples of these services and programs include academic advising, career services, financial aid, work study, health center or counseling, athletics, disability services, library, information technology, housing, dining, parking, wellness center, clubs and student activities, student judicial programs, equal opportunity or Title IX coordinators, police or emergency medical services.

Importantly, there are laws that affect how your data may be used or shared by Rice, and may provide you with additional rights. The primary law affecting student information is the Family Education Rights and Privacy Act (FERPA), which is a federal law designed to protect the privacy of and limit access to student educational records (as defined in that law).  In some cases, FERPA allows certain information to be shared without your permission. More information about FERPA is available at https://registrar.rice.edu/ferpa.  

2. Information for Faculty and Staff

Rice may collect your personal data in a number of ways, including you providing it to Rice as part of an employment application or during the hiring process. Rice will also collect any information necessary to comply with the law and relevant regulations (e.g. Immigration Form I-9), or as required by our accreditors (e.g. degree or transcript information).  

Rice uses a third party vendor to conduct background checks on designated prospective employees that may include things such as your criminal history.

If you use other Rice services or programs, we may collect personal information that you provide and that is relevant to providing that service or program (for example, if you obtain a parking pass, Rice will keep your license plate number; or if you purchase athletics season tickets Rice will keep information about the transaction). Other examples of these services or programs include payroll, library, human resources, disability services, information technology,, dining, parking, recreation center, equal opportunity or Title IX, police or emergency medical services.

Importantly, there are laws that affect how your data may be used or shared by Rice, and may provide you with additional rights.

In addition to this EEA Privacy Notice, you should be aware that Rice maintains the following university policies applicable to all Faculty and Staff that are related to privacy:

Protection of University Data and Information (Policy 808)

Appropriate Use of Information Technology (Policy 832)

3.  Information for individuals involved in research

Rice may collect your personal data in a numbers of ways, including by you providing it to us as part of an agreement to participate in research with Rice. Rice may also be provided your information by a third party with whom you have agreed to allow information to be shared.

These agreements are often contained in an “Informed Consent” document that you sign with Rice or with a third party.  This Informed Consent document will contain additional important information about how your data may be used.

For any research that involves human subjects, Rice follows the principles outlined in the Belmont Report, the U.S. “Common Rule,” and other applicable law.

Rice may also receive your information as part of a research collaboration with federal, state, or local governmental authorities.

Importantly, there are laws that affect how your data may be used or shared by Rice, and may provide you with additional rights.

4.  Information for Alumni, Donors, and other Community Members

Rice may collect your personal data in a numbers of ways, including by you providing it to us as part of alumni outreach efforts, by making a contribution to Rice, by participating in Rice sponsored events or by personal knowledge or recommendation of other alumni, students, faculty, or staff.  Rice may also receive your personal information from third parties that Rice has contracted with to provide information about alumni or potential donors.

This data is used by Rice to provide you with information about our programs, opportunities for collaborations and engagement, and to foster involvement between current Rice students, alumni, and the community.

Development and Alumni Relations does not lend, sell or rent your personal information to any third party. Your name, address, phone number and credit card information will not be used outside of our organization.  If you have comments or questions regarding Rice University’s Donor Privacy Policy, please contact Constituent Relations at 713-348-4615 or e-mail stewardship@rice.edu.

More information is available at:

https://giving.rice.edu/donor-resources/donor-privacy-bill-of-rights

Importantly, there are laws affect how your data may be used or shared by Rice, and that may provide you with additional rights.

5.  Information for Visitors at Rice

Rice may collect your personal data in a numbers of ways, including if you give it to Rice as part of participating in a campus function or event, purchasing tickets, making donations, or using Rice services.

If you use Rice certain programs or services such as the recreation center, library, disability services, parking, police or emergency medical services we may collect personal information from you that is relevant to providing that program or service. This information may also be used to contact you regarding other Rice activities or outreach efforts.

Additionally, for visitor services related to academic collaboration, information technology, some library services, and physical access privileges, you may be asked to submit additional information via our visitor information portal (https://portal.rice.edu/visitor-portal-status).  Information obtained from this form will be used to administer the services you are requesting.

If you are involved in an activity that involves interactions with minors, Rice may conduct a background check on you that may include things such as your criminal history. Rice ordinarily uses a third party vendor to conduct such background checks.

Importantly, there are laws that affect how your data may be used or shared by Rice, and may provide you with additional rights.

3. Other Potential Third Party Uses of Sensitive Information

We may disclose your Sensitive Information and other Information as follows:

• Consent: We may disclose Sensitive Information and other Information if we have your consent to do so.
• Emergency Circumstances: We may share your Information, or your Sensitive Information, when necessary to protect your interests and when you are physically or legally incapable of providing consent.
• Employment Necessity: We may share your Sensitive Information when necessary for administering benefits in accordance with applicable law and subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
• Charitable Organizations: We may share your Information with other not-for-profit organizations in connection with charitable giving subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
• Public Information: We may share your Information and Sensitive Information if you have manifestly made it public.
• Archiving: We may share your Information and Sensitive Information for archiving purposes in the public interest, and for historical research, and statistical purposes.
• Performance of a Contract: We may share your Information when necessary to administer a contract you have with the University.
• Legal Obligation: We may share your Information when the disclosure is required or permitted by international, federal, or state laws and regulations.
• Service Providers: We use third parties who have entered into a contract with the University to support the administration of University operations and policies. In such cases, we share your Information with such third parties subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
• University Affiliated Programs: We may share your Information with parties that are affiliated with the University for the purpose of contacting you about goods, services, charitable giving or experiences that may be of interest to you.
• De-Identified and Aggregate Information: We may use and disclose Information in de-identified or aggregate form without limitation.

4. Legal Basis under GDPR

Rice will only process your information for lawful purposes under the GDPR. In most cases the lawful basis to collect and process your information is because it is necessary for the performance of a contract with you (e.g. to provide you with education services).

In many cases, the lawful basis will be the legitimate interests of Rice. In cases where “legitimate interest” is the legal basis, Rice will apply a balancing test to determine if our interest outweighs your fundamental rights in protecting such data.

Where neither of these two bases are appropriate, or if we are collecting sensitive information (what the GDPR refers to as “special categories of personal data”) then Rice will obtain your prior consent. 

5. Security

We implement appropriate technical and organizational security measures to protect your information when you transmit it to us and when we store it on our information technology systems. 

6. Cookies and Other Technology

The University's use of cookies and other data from information technology can be found at www.rice.edu/privacy.

Retention and Destruction of Your Information

Your information will be retained by the University in accordance with applicable international, state, or federal laws. Your information will generally be destroyed upon your request unless applicable law requires destruction after the expiration of an applicable retention period, or unless there is a legitimate reason to retain the information and that reason is recognized by the GDPR The manner of destruction shall be appropriate to preserve and ensure the confidentiality of your information given the level of sensitivity, value and criticality to the University.

You should be aware that some data is considered part of a student’s “Permanent Record,” and as such it will be securely maintained in perpetuity.  More information about retention may be found in the following two policies:  Student Record Retention, Access, and Disposition Policy (Policy 837);  Records Management (Policy 812)

8. Consent for Data leaving the European Union and Processing in the United States

Most of the personal information and sensitive information we process about you will be transferred to, and stored at, a destination outside of the EEA, particularly the United States.  Transferring this data is essential to providing you the services you are requesting, and Rice cannot provide these services without transferring this data.  By using Rice websites, online platforms, applying to Rice, attending Rice, or requesting services from Rice you are consenting to having your data processed in the United States.

9. Your Rights

Individuals in the EEA have the right to request access to, a copy of, rectification of, restriction in the use of, or erasure of personal information in accordance with all applicable laws, and subject to the limitations outlined in the GDPR. For individuals outside the EEA and data that was not collected within the EEA, the erasure of your information shall be subject to the retention periods of applicable state and federal law. If you have provided consent to the use of your information, you have the right to withdraw consent without affecting the lawfulness of the University's use of the information prior to receipt of your request.

You may exercise these rights by emailing gdpr@rice.edu. We will ask you for information verifying your identity, and we will respond to your request within a reasonable timeframe.

If you feel the University has not complied with the applicable provisions of the GDPR regulating your information, you have the right to file a complaint with the appropriate supervisory authority in the EEA.

10. Updates to this Notice

We may update or change this policy at any time. Your continued use of the University's website and third-party applications after any such change indicates your acceptance of these changes.

This was Notice was issued on May 25, 2018, and last updated on June 1, 2018.