Policy Governing the Personal Information of Employees, Job Applicants, Contractors and Others Working with the University

Policy Number: 124

The permanent link for this policy is https://policies.northeastern.edu/policy124/

I. Purpose and Scope

Northeastern University and its subsidiaries and affiliates (collectively “Northeastern” or “the university”) are committed to protecting the privacy of the personal information of our (i) current and former employees, (ii) workers, contractors, co-ops, interns and volunteers, (iii) visiting and guest lecturers, (iv) applicants for any of the preceding and (v) board members and honorary position holders (collectively referred to as “individuals”) that the university collects, uses, stores, creates and shares (collectively referred to as “processing”) in connection with employment or other work with Northeastern.  This policy provides information on how the university endeavors to fulfill that commitment.

The university may update this policy from time to time for different reasons, including to accommodate changing operational practices and legal requirements.  The most up to date version of this policy will be available on the University Policies website (https://policies.northeastern.edu).  If there is an important change that the university wants to highlight, the university will notify individuals in another appropriate way (such as via a pop-up notice or a statement of changes on the Employee Hub).

II. Definitions

Personal Information

As used in this policy, “personal information” means all information that relates to an identified or identifiable individual.  For example, an individual’s name, address, email address, educational and employment background, compensation, benefits, dependent information and performance details are all examples of personal information.  Personal information is also information related to an individual’s access to and use of Northeastern facilities or systems.

III. Policy

A. Types of Personal Information the University Processes and Collects

Northeastern processes personal information that individuals provide directly to the university and to the university’s third-party service providers, such as via forms submitted to a local HR representative or online in Workday.

The university may also process personal information collected from other sources such as its third-party service providers and partners.  This may include information collected in connection with background or employment checks or in the context of investigations; information provided by insurance, payroll or retirement benefits providers; and information provided as part of training and career development.

The university may process the following types of personal information in connection with an individual’s work at Northeastern:

  1. Name, date of birth, government identifier and other legally required information and documentation necessary for employment purposes.
  2. Personal contact details such as email address, personal telephone or mobile number, home address and other contact details (including emergency contact).
  3. Health, family information, lifestyle and social circumstances, including health plans, medical conditions and treatment, marital status, nationality, number of children, and name(s) and health and other information about spouse and children.
  4. Employment details, such as employing entity name, location, job title and function; employment history, salary and other benefits; job performance, accommodations, leaves of absence and time off; training records, professional membership and other capabilities (such as language proficiency); government-issued and Northeastern identification numbers, and social security details.
  5. Information related to an individual’s use of Northeastern systems and facilities, such as communications, log data, device information, CCTV footage and photographs, carrier-related information, usage information and location.
  6. Education/qualification, CVs and resumes, references, right to work documentation, and results from background checks and other information an individual may provide as part of the work application process.
  7. Administrative, audit, accounting, financial and immigration information, including tax information, bank account information, insurance beneficiaries, and passport details.
  8. Photographs, including printed on an individual’s access badge, stored in security systems and uploaded into an individual’s Workday profile.
  9. Information gathered in connection with system and network monitoring and investigations, such as video footage and ID badge records; network, computer, email, phone and other communications or messaging systems; logs, data and files, including network traffic data and domain names of websites visited; files and files stored in Northeastern workspaces; imaging and forensic analysis of computing resources and any data stored on those resources.
  10. Disciplinary information, including information related to the investigation, adjudication and determination or outcome of any alleged violation of law or Northeastern policy.
  11. Call and meeting recording data, including from internal or external telephone or virtual meetings and other web-based technologies, which may include audio, video and text recordings and transcripts.
  12. Special or sensitive information such as marriage/partnership, race, religion, disability, health, gender or sexual identity, criminal history, or political affiliation.
  13. Data relevant to performing due diligence in connection with, or to facilitate the orderly transition in the event of, a transaction such as a merger or acquisition, partnership or transfer of any Northeastern or another entity’s assets.

B. How the University Uses Personal Information

Northeastern uses an individual’s personal information for purposes consistent with this policy and any other purposes specified at the time of collection, except as otherwise authorized or required by law.  The table below includes specific uses for which the university may use an individual’s personal information (as well as the legal bases for employees based in the UK or EEA):

Purpose | Description | Legal Basis (if applicable in an individual’s jurisdiction)

Purpose: Communications

Description: The university uses an individual’s personal information to communicate with them and answer their questions regarding their work relationship (including an application for work) with Northeastern or to communicate with an individual or their dependents in the case of an emergency.  For example, Northeastern may inform individuals about Northeastern activities and events or about updates to university policies and benefits.

Legal Basis:

  • Necessary for the performance of an individual employment agreement (or other applicable terms if the individual is not an employee)
  • Legitimate interest to enhance employee satisfaction and employee engagement

Purpose: Compliance with Legal Obligations

Description: The university may process personal information to comply with applicable laws and regulations.  For example, this could be for finance, tax, immigration or human resources related obligations or for whistleblowing purposes.

The university may also need to disclose personal information to government agencies or supervisory authorities for legal compliance purposes but will do so only to the extent required by applicable law.

Legal Basis:

  • Compliance with a legal obligation

Purpose: Human Resources Management & Payroll Administration

Description: The university processes personal information for human resources and personnel management, from hiring until after employment.  This may include recruiting activities, background checks, terms of employment, assessing eligibility to undertake work at Northeastern, performance reviews and conduct, health and other benefit administration, accommodations and assistance plans, internal conflict resolution, leaves of absence and time off management, pension plan administration, job mobility and immigration, terminations, and travel management and expense reporting.

In addition, the university processes personal information for payroll administration and other financial aspects of an individual’s relationship with us, including tax reporting and, where relevant, to keep track of working hours and overtime, eligibility for bonuses or other compensation.

Legal Basis:

  • Necessary for the performance of an employment agreement (or other applicable terms if the individual is not an employee)
  • Legitimate interest to promote an inclusive work environment
  • Compliance with a legal obligation

Purpose: HR Operations

Description: For employees, the university processes personal information as part of our HR operations supporting an individual’s employment.  This may include managing work allocation, maintaining internal employee directories, data analysis and reporting (including for diversity, equity and inclusion purposes), managing HR processes, and managing Northeastern and employee assets, including IT assets, libraries, parking and offices.

In addition, the university processes personal information to be able to prepare and perform management audit, reporting and analysis activities, including employee surveys and learning more about an individual’s views and opinions.

Legal Basis:

  • Necessary for the performance of an employment agreement (or other applicable terms if the individual is not an employee)
  • Legitimate interest to operate the university in an efficient and effective manner
  • Legitimate interest to enable an individual to perform assigned tasks in the regular course of business in an efficient and productive manner
  • Compliance with a legal obligation

Purpose: Monitoring & Investigations

Description: Northeastern monitors systems and accounts in its network and systems to protect its network, systems and confidential information and to check and enforce compliance with university policies, standards and other requirements (including laws and regulations).

Use of personal or Northeastern resources to perform job functions may also be monitored as specified in the Policy on Appropriate Use of Computer and Network Resources.  The university does so regardless of whether an individual uses a personal or Northeastern device to access or use Northeastern computing systems or our network.

If an individual is suspected or accused of behavior or actions that are not in compliance with Northeastern policies or applicable laws and regulations, the university may initiate an internal investigation and generate and process additional personal information to make a determination about such behavior, including information gathered from the use of Northeastern systems and networks.  The university could, for example, initiate such an investigation in the event of a prohibited transfer of Northeastern confidential information or fraud or bribery.

Legal Basis:

  • Compliance with a legal obligation
  • Legitimate interest to enforce applicable laws and regulations and Northeastern policies
  • Legitimate interest to protect university systems and networks and confidential information, protect public safety, and to foster a compliance-driven culture within Northeastern

Purpose: Occupational Health & Safety

Description: The university processes personal information to maintain and develop its occupational health program designed to prevent accidents and occupational illness and absence, and to foster a health and safety culture in the workplace.

The university may also process personal information to provide workplace health and safety training, guidance, supervision, and assistance to employees, including to specific groups of employees such as pregnant employees and employees with a medical condition.

Legal Basis:

  • Compliance with a legal obligation
  • To protect an individual’s vital interests, for example when they have a medical condition that colleagues or a manager need to be aware of in connection with the individual’s employment

Purpose: Research, Service Delivery & Reporting

Description: The university may process personal information to conduct research, to perform services as a service provider for Northeastern customers, and may aggregate personal information for analysis, regulatory reporting and accreditation purposes.

Legal Basis:

  • Compliance with a legal obligation
  • Necessary for the performance of tasks the university carries out in the public interest (i.e., teaching and research)
  • Legitimate interest to provide services to customers pursuant to the terms of a contract
  • Legitimate interest to understand and report employment statistics and trends

Purpose: Security & Integrity

Description: In addition to the system and network monitoring specified above, the university may employ physical security procedures at its facilities to monitor and maintain security as well as public safety, including the use of closed-circuit television and ID card access.  These activities are performed in accordance with applicable law and Northeastern policies.

Legal Basis:

  • Compliance with a legal obligation
  • Legitimate interest to enforce applicable laws and regulations and Northeastern policies, to protect our systems and networks and confidential information, and to foster a compliance-driven culture within Northeastern

Purpose: Training and Development

Description: The university may process personal information to offer individuals opportunities for career development, including training, education, coaching or other forms of career development.

In addition, the university processes personal information to train individuals on Northeastern policies, processes and requirements related to their employment or engagement with the university.

Legal Basis:

  • Compliance with a legal obligation
  • Legitimate interest to invest in employment development and contribute toward improving compliance and the organizational culture

C. When Personal Information May Be Shared

1. Sharing Within Northeastern

Because Northeastern is a global university, an individual’s personal information may be shared within Northeastern’s global organization, including with other Northeastern entities outside the country in which the individual resides.  The following is a list of Northeastern entities, their registered addresses and contact details:

Northeastern University
360 Huntington Avenue
Boston, MA 02115 USA
1-617-373-2000

KRI at Northeastern University, LLC
141 South Bedford Street
Burlington, MA 01803 USA
1-781-238-8440

Northeastern University – London
Devon House, 58 St Katharine’s Way
London, E1W 1LP, United Kingdom
44-(0)20 7637 4550

The categories of recipients of personal information within Northeastern for the purposes set forth in Section III.B above may include the following functions:

  • HR functions such as Accommodations, Benefits, Compensation, Hiring, Investigations, Mobility, Performance Management, Terminations and Training
  • Finance functions such as Accounting and Payment Operations
  • IT functions such as Enterprise Productivity and Collaboration
  • Legal functions such as Immigration, Labor and Employment, Privacy and Litigation
  • Security functions such as Network Management, NU Police Department, and Investigations
  • Advancement functions such as Annual Giving and Events
  • Reporting functions such as University Decision Support
  • Research functions such as NU Research (but only when aggregated and/or de-identified)
  • The employee’s manager, employee’s management chain and senior leaders
  • Stakeholders involved in the employment application process

Northeastern employees are authorized to access personal information only to the extent necessary to serve the applicable operational purpose and to perform the employees’ job functions.

2. Sharing with Third Parties

Where necessary, personal information may be shared with third parties in the following circumstances:

  • Third-party partners and service providers (such as those providing payroll, bank, audit, travel, benefits, legal, telecommunications, IT, background or employment verification, recruiting, training, career development, and other similar types of services) in order for those service providers to perform operational and compliance functions for or on behalf of Northeastern.
  • Public and governmental authorities and agencies when there is a legal basis for doing so, including as necessary in order to comply with applicable laws and respond to legally required requests in response to law enforcement or other government agencies.
  • Customers of Northeastern in the course of providing services, such as when customers request or require personal information about the Northeastern resources who are performing services for them under the terms of a contract.
  • Institutions or other entities in the course of engaging in research, co-ops or providing references as necessary for the coordination of such activities, including the administration of such activities as well as the record-keeping and other legal requirements of these entities.
  • To comply with applicable laws, protect the university’s rights and/or those of an individual and others, protect the safety of individuals, others and the public, and protect Northeastern against legal liability.

When third parties are given access to an individual’s personal information, the university requires the third party (where applicable) to abide by contractual provisions designed to ensure that personal information is processed only for the purpose for which it is provided, consistent with this policy, and in accordance with applicable law.  In some cases, third parties such as certain travel or benefits and compensation providers may collect information directly from an individual and/or establish a direct relationship with the individual, in which case the terms of their privacy policies will apply.

In addition, the names and other work-related personal information of Northeastern faculty, staff, lecturers and directors may be published on Northeastern websites.

D. Retention of Personal Information

The university retains the personal information of individuals for as long as it is reasonable to fulfill the purposes for which the information was collected or as required for the purposes set forth in Section 3.  The university follows the retention practices set forth in the Northeastern Policy on Retention and Disposition of University Records (Retention Policy) and the Record Retention Schedule (Retention Schedule).  The retention practices followed by Northeastern University – London are set forth in the Data Protection Policy.

E. Global Transfers of Personal Information

Northeastern is a global university with operations in many countries around the world.  As a result, personal information may be transferred to, accessed from and/or stored in the United States and other global jurisdictions where Northeastern has campuses and operations (including the jurisdictions of its service providers).  If an individual’s personal information is transferred to another Northeastern entity or to a third party in a country that does not provide the same level of protection as the country in which the individual resides, Northeastern will take measures to ensure that personal information is adequately protected and handled in a manner consistent with the terms of this policy and applicable law.

F. Securing Personal Information

Northeastern has implemented appropriate technical, physical and organizational measures designed to protect individuals’ personal information against accidental or unlawful loss, damage, alteration, disclosure or access as well as all other unlawful forms of processing and in accordance with the Northeastern Information Security Program, the Policy on Confidentiality of University Records and Information and the corresponding Data Classification Guidelines.  The university continually reviews and updates its security policies and controls as technology changes to strengthen our information security practices related to the handling of individuals’ personal information.

Access to personal information by Northeastern employees is limited on a need-to-know basis and employees accessing personal information are required to keep personal information confidential as described in the Northeastern Policy on Confidentiality of University Records and Information as well as comply with other applicable Northeastern Policies and Office of Information Security policies, standards and practices.

G. Individual Rights

1. Consent

Where required by applicable law, the university will ask for consent to process an individual’s personal information at the time of collection or when the university wishes to process an individual’s personal information for any additional purpose not covered in Section III.B.  If an individual decides to withdraw consent, the university will stop processing their personal information for that purpose, unless there is another lawful basis permitting university use and will inform the individual if that is the case.

Northeastern may use the personal information of individuals to provide them with promotional information such as updates and information about new programs and services, requests for financial support, upcoming events or other promotions or news, subject to applicable law.  Individuals may opt out of receiving such communications by opting out in the link provided in the communication or by emailing privacy@northeastern.edu.

2. Accuracy

Northeastern makes reasonable efforts to maintain the accuracy of personal information.  As a general matter, an individual may update personal information in Northeastern’s Workday system (or equivalent employment management system if the individual’s campus has not yet integrated with Workday) or other self-service applications into which they have submitted and have access to their personal information.  For records not available via self-service, individuals may request a correction if there is an error or omission by submitting a request to privacy@northeastern.edu that specifies in sufficient detail the personal information at issue and the correction sought.  The university will correct the error or omission where required, and if it decides not to, will note in the file that a correction was requested but not made.  Please refer to the Policy on Personnel Files for additional information.

3. Automated Decision-Making

In the event that the university uses the personal information of an individual to carry out wholly automated decision-making (including profiling) which produces legal or similarly significant effects concerning an individual, the university will inform them at the point where any such data is collected and request consent where required by law.

4. Other Rights

Depending on the individual’s country of residence (such as Canada or the UK) and subject to specific exceptions under applicable laws, individuals may be entitled to exercise one or more of the following rights:

  • Access and/or take personal information
  • Delete personal information
  • Object to or restrict use of personal information
  • Withdraw consent

The university will comply with requests in a timely manner consistent with applicable data protection law and to the extent appropriate given the purposes for which Northeastern collected and is using an individual’s personal information.  The university will facilitate the same, where possible, with third parties with whom it may have shared the individual’s personal information.  In some cases, however, Northeastern may not agree to some or all of an individual’s request if:  it is not permitted or required under applicable law or contractual obligation; continued processing is necessary for the purpose for which it was collected; processing is for public health, research or statistical purposes; the request is not consistent with the university’s legal obligations or is necessary for the defense of legal claims; or it is necessary for the performance of a contract between an individual and Northeastern.  In such cases, Northeastern will provide reasons for its refusal and the name of the person who can answer questions about the request.

If there are general questions about accessing personal information or if an individual would like to exercise established rights under applicable law with respect to the individual’s personal information that is not stored in a self-service application, that individual may submit a request to privacy@northeastern.edu.

When submitting a request to exercise a right under Section III.G, the individual must include:

  • The individual’s full name, email and physical address and function
  • Sufficient details to enable Northeastern to identify the records (for example, the individual’s ID# or dates of employment)
  • A description of the request, in as much detail as possible, including the reason for the request

In order to process the request, the university will need original proof of identity, and if making the request on behalf of another individual, evidence of authorization to do so.  The university will process received requests promptly and within the timeframe required by applicable law.

Additional questions about an individual’s rights can be directed to privacy@northeastern.edu.

H. Entity Responsible for Processing Personal Information

The Northeastern entity that pays employees or collects an individual’s personal information in other non-employment contexts (referred to under some laws as the “data controller”) is responsible for the processing of employees’ personal information in accordance with this policy.  Details about this entity are included in an individual’s employment, service or other contract (if applicable) and/or in their Workday profiles (if applicable).  Northeastern University (if different from the individual’s local employment entity), registered at 360 Huntington Avenue, Boston MA 02115 USA, may also act as a data controller with respect to the processing of personal information as set forth in Section C.1.  Northeastern University – London is registered as a data controller with the UK Information Commissioner’s Office, registration number Z3136922.

 

IV. Additional Information

N/A

V. Contact Information

Northeastern has appointed a Chief Privacy Officer.  If there are any questions or complaints related to the handling of an individual’s personal information, including if an individual believes that said individual’s personal information has been used in a way that is not consistent with this policy, please contact privacy@northeastern.edu or write to:

Chief Privacy Officer
Northeastern University
716 Columbus Avenue
Boston, MA 02115 USA

Northeastern University – London has also appointed a Data Protection Officer, whose contact information is:
Data Protection Officer
Northeastern University – London
Devon House, 58 St. Katharine’s Way
London E1W 1LP
Dpo@nulondon.ac.uk

Residents of the United Kingdom and Canada who are not satisfied with the university’s response to a request or complaint under this policy may have it reviewed by the data protection authority that is authorized to hear those concerns, which may include the UK Information Commissioner’s Office or the Privacy Commissioner of British Columbia or the Privacy Commissioner of Canada (as applicable).

Responsible Office/Department(s)

Office of the General Counsel

Related Procedures

Records Retention Schedule (Requires a Northeastern Office365 Account)
Data Classification Guidelines (Requires a Northeastern Office365 Account)
Updating Personal Information (Faculty/Staff)

Supersedes

Policy 707-CAN Policy on Personal Information (to the extent it applied to employees and other workers)
Northeastern Privacy Statement (to the extent it applied to employees and other workers)
Northeastern University – London Privacy Notice for Employees, Job Applicants and Others Working at the University
Northeastern University – London Data Protection Policy (to the extent it applied to employees and other workers)

Keywords

Personal Information, privacy, collection of data, collection of information, data retention, transfer of information, sharing information

Version History

Last Revision Date: N/A

Issued: April 4, 2024