Policies

Policy on Privacy for Students, Applicants, and Alumni

Policy Number: 126

Governance and Legal

The permanent link for this policy is: https://policies.northeastern.edu/policy126/

I. Purpose and Scope

 

Northeastern University and its subsidiaries and affiliates (collectively “Northeastern,” “the university,” or “we”) are committed to protecting the privacy of the personal information of our students, former students, applicants, and alumni (“you”). This policy describes how we endeavor to fulfill that commitment.

The university may update this policy from time to time; the most up-to-date version is available on the University Policies website. If there is an important change the university wants to highlight, the university will notify you via a pop-up notice, a statement of changes on the Student Hub, or in some other appropriate way.

For students whose education records are subject to the U.S. Family Educational Rights and Privacy Act (“FERPA”), this policy incorporates by reference the university’s Policy on Student Rights Under the Family Educational Rights and Privacy Act (FERPA) (“FERPA Policy”). If there is a direct conflict between this policy and the FERPA Policy, the applicable provision of the FERPA Policy applies.

Information about Northeastern’s collection and processing of information related to your online activities when interacting with university websites and systems (such as information collected by cookies about your device, IP address, files viewed, and other browsing actions or usage patterns) is addressed in Northeastern’s general Privacy Policy.

II. Definitions

Personal Information means all information that relates to an identified or identifiable individual. For example, your name, address, e-mail address, educational records, financial information, employment information, and giving history as a donor are all examples of personal information. Personal information is also information related to your access to and use of Northeastern facilities and systems.

III. Policy

 

We may collect and use your personal information when providing educational programs or services offered by Northeastern, when processing your application, or when engaging with you to keep in touch and support our alumni. In addition to describing the type of personal information we collect and how we use it, this policy also describes your rights and our privacy practices.

A. Types of Personal Information We Collect and Process

Examples of types of personal information we may collect and process include:

  • personal details such as name, date of birth, government identifier, and other legally required information and documentation necessary for enrolling at the university
  • contact details such as address, home telephone or mobile number, e-mail address, and other (including emergency contact and parental contact information)
  • government identifiers as required by law for applicants for admission and financial aid and the last four digits for sponsored network account applicants
  • online account information, including username and password
  • country of nationality and domicile
  • immigration information (such as passport and visa details and language proficiency)
  • special or sensitive information such as marriage/partnership, race, religion, disability, health, gender or sexual identity, criminal history, or political affiliation, as well as information about criminal convictions, offenses, and barred-list status
  • materials submitted in support of your application, including test scores, essays, transcripts, prior educational experience and attainment, references, or other supporting data
  • financial information related to the funding of your chosen course or program
  • time, date, and closed-circuit TV records related to access to our facilities
  • academic performance including grades, tests or quizzes, essays, or other materials submitted as part of a course as well as attendance and progression in a course or program
  • financial aid, invoicing, banking, and payment information, which may include financial information about your parents
  • information concerning any alleged or actual academic misconduct or your conduct generally, including disciplinary and grievance information such as reports; complaints; and the investigation, adjudication, and determination or outcome of any alleged violation of law or Northeastern policy
  • health and health insurance information, including health insurance plan information
  • appearance, voice, and distinguishing features through audio, video, and photograph, including printed on an individual’s access badge, stored in security systems, and uploaded into an individual’s profile, as well as call and meeting recording data from internal or external telephone or virtual meetings and other web-based technologies
  • work and employment information before, during, and after attending the university, including participation in co-ops
  • information about your health, ethnicity, religion, or other characteristics for the purposes of statutory reporting we are legally required to undertake
  • information related to your engagement with and financial support for the university, including giving capacity and history
  • information gathered in connection with facility, system, and network use; monitoring and investigations, such as logs, data, and files, including network traffic data and domain names of websites visited as well as video footage and ID badge records; facilities, systems, and software used in academic programming and residential life; network, computer, e-mail, phone, and other communications or messaging systems; files and files stored in Northeastern workspaces; imaging and forensic analysis of computing resources and any data stored on those resources
  • information relevant to performing due diligence in connection with, or to facilitate orderly transition in the event of, a transaction such as a merger or acquisition, partnership, or transfer of any Northeastern or another entity’s assets

We may collect this information either (i) directly from you through forms or when you interact with our websites and systems, (ii) when you provide information to our service providers, or (iii) from other third parties.

Additional information related to what personal information Northeastern University London may process is available in the Supplemental Privacy Notice for Northeastern University London Students, Applicants, and Alumni.

B. How We Use Your Personal Information

We use your personal information for purposes consistent with this policy and any other purposes specified at the time of collection, except as otherwise authorized or required by law.  The table below provides examples of how we may use your personal information [as well as our legal bases for persons subject to the EU General Data Protection Regulation (GDPR) or the UK GDPR]:

 

Purpose Description GDPR/UK GDPR
Legal Basis
Academic Program Delivery, Assessment, and Improvement Provision of educational programs and related services, including assessment of student performance (including attendance), delivery of materials and courses in person and remotely, coordinating with other institutions for global experience programs, and course evaluation and improvement.

Necessary for the purposes of performing a contract between the university and either you or your sending institution (as applicable)

Legitimate interest to improve the university’s academic programs and services
Administration Information used to administer your attendance at the university and provide related services, including confirmation of attendance and graduation, awarding of prizes and scholarships, and delivery of facility and library services. Necessary for the purposes of performing a contract between the university and either you or your sending institution (as applicable)
Advancement & Alumni Relations Information used to communicate with you (and in some cases, your parents) about university events and activities, and engage in fundraising activities. Necessary for the university’s legitimate interests for marketing, fundraising, and maintaining an alumni network
Athletics & Recreation Information used to administer team and recreational sports and other activities.

Necessary for the purposes of performing a contract between the university and either you or your sending institution (as applicable)

Legitimate interest to increase your satisfaction and engagement
Audit & Compliance with Legal Obligations

Information used to carry out audits or inspections by internal or external audit professionals.

Information used to comply with applicable laws and regulations. For example, this could be for finance, tax, immigration, or other statutory obligations or for whistleblowing purposes.

The university may also need to disclose personal information to government agencies or supervisory authorities for legal compliance purposes but will do so only to the extent required by applicable law.

Necessary for the university’s legitimate interests in maintaining internal controls, and/or preventing, detecting, and investigating fraud

Compliance with a legal obligation
Communications Information used to communicate: with you and answer questions regarding administration, enrollment, financial aid, academic program delivery, and assessment; with you or your family in the case of an emergency, about Northeastern activities and events, or about updates to university policies and benefits.

Necessary for the purposes of performing a contract between the university and either you or your sending institution (as applicable)

Legitimate interest to increase satisfaction and engagement with the university
Co-ops,  Experiential Learning, & Career Advancement Information to facilitate student co-ops, experiential learning, and employment with internal and external entities and to support career opportunities after attending the university, including the provision of letters of recommendation.

Necessary for the purposes of performing a contract between the university and the entity providing the co-op or experiential learning position

Legitimate interest to enhance the university’s academic programming

Consent
Enrollment Identifying individuals of interest to promote applying to the university, responding to queries about applying to the university, processing applications, assessing eligibility for admission to the university, and managing related communications and engagement. Necessary for the purposes of preparing to enter into a contract with the university
Financial Aid Information gathered for the purpose of the application, award, and administration of financial aid to students, such as family assets, income, and required contribution; matriculation status; academic progress; and anticipated graduation date. Necessary for the purposes of entering into a contract with the university
IT services Information used for providing and improving relevant IT and other modes of academic program delivery, including virtual learning environments and the development of new IT functionality for university and vendor systems.

Necessary for the purposes of performing a contract between the university and either you or your sending institution (as applicable)

 
Marketing Information used in the university’s marketing materials and media to promote the university and its teaching, research, and reputation.

Legitimate interest when used for the purposes of marketing and promotion

Consent if using personally identifying information
Physical and System Security & Integrity

Northeastern monitors systems and accounts in its network and systems to protect its network, systems, and confidential information and to check and enforce compliance with university policies, standards, and other requirements (including laws and regulations). Use of personal resources on the university network may also be monitored as specified in the Policy on Appropriate Use of Computer and Network Resources.

The university may also employ physical security procedures at its facilities to monitor and maintain security as well as public safety, including the use of closed-circuit television and ID card access. These activities are performed in accordance with applicable law and Northeastern policies.

Compliance with a legal obligation

Legitimate interest to enforce applicable laws and regulations and Northeastern policies; to protect our systems, networks, and confidential information; to safeguard our community members; and to foster a compliance-driven culture within Northeastern
Research & Reporting Information used to conduct research (which may involve aggregating personal information for analysis) and for regulatory reporting and accreditation purposes.

Compliance with a legal obligation

Necessary for the performance of tasks the university carries out in the public interest (i.e., teaching and research)

Legitimate interest to understand and report enrollment and learning statistics and trends
Student Affairs Information used for managing and improving student life at the university, including food, housing, and health services; supporting affinity groups; making reasonable adjustments for disabilities and ill health; administering complaints, grievances, and appeals related to allegations of violations of law; and regulating the university’s community (including enforcing the university’s policies and procedures for academic and other conduct).

Necessary for the purposes of performing a contract between the university and either you or your sending institution (as applicable)

Necessary for the university to comply with its legal obligations

Legitimate interest in maintaining academic and behavioral standards and safety

Consent
Treasury Information needed to manage the payment of fees.

Necessary for the purposes of performing a contract between the university and either you or your sending institution (as applicable)

Legitimate interest in securing payment for the programs and services the university provides

 

Additional information related to how Northeastern University London may use your personal information is available in the Supplemental Privacy Notice for Northeastern University London Students, Applicants, and Alumni.

Note: Please be aware that if the basis of processing your personal data is consent or a contractual necessity, and you don’t provide us the personal data we need, we may not be able to process your application or provide you with the program or service you requested or for which you have applied.

 

C. When We May Share Your Personal Information

1. Sharing within Northeastern

As a global university, we may share your personal information within our global organization, including to other Northeastern entities outside the country in which you reside. The following is a list of Northeastern entities, their registered addresses, and contact details:

Northeastern University
360 Huntington Avenue
Boston, MA 02115 USA
+1-617-373-2000

KRI at Northeastern University, LLC
141 South Bedford Street
Burlington, MA 01803 USA
+1-781-238-8440

Northeastern University – London
Devon House, 58 St Katharine’s Way
London, E1W 1LP, UNITED KINGDOM
+44-(0)20 7637 4550

Dublin Innovation Institute
Suite 3, One Earlsfort Centre, Lower Hatch Street
Dublin 2, D02 X288 IRELAND
+353-1-6644214

The categories of recipients of your personal information within Northeastern may include the following functions:

 – Administration functions such as Student Record Maintenance, Student Academic Progress, and Reporting

 – Student Affairs functions such as Wellness, Housing, Learning Support, Equity and Compliance, and Student Conduct & Conflict Resolution

 – Enrollment functions such as Admissions, Financial Aid Services and Pre-College Programs, and Marketing & Communications

 – Finance functions such as Accounting and Payment Operations

 – IT functions such as Enterprise Productivity and Collaboration

 – Global Experience functions such as Study Abroad, NU-in, Global Scholars, Travel, and Network Mobility

 – Library functions such as book loan and physical and system access

 – Legal functions such as Immigration, Labor and Employment, Privacy, and Litigation

 – Athletics & Recreations functions such as Team and Club Sports Administration, Recreational Program Administration, Title IX Compliance,
     Recruiting, and Travel

 – Security functions such as Network Management, NU Police Department, and Investigations

 – Advancement and Alumni Relations functions such as Annual Giving, Events, and Communications

 – Reporting functions such as University Decision Support

 – Research functions such as NU Research (but only when aggregated and/or de-identified unless your consent is provided)

 – Stakeholders involved in the application process

Northeastern employees are authorized to access your personal information only to the extent necessary to serve a specific operational purpose consistent with their job function.

2. Sharing with Third Parties

Where necessary, we may share your personal information with third parties in the following circumstances:

 – Third-party partners and service providers (such as those providing IT, housing, food, financial, enrollment, global experience, audit, travel, legal,
     telecommunications, and other similar types of services) so those service providers can perform academic program, operational, and compliance
     functions for or on behalf of Northeastern.

 – Public and governmental authorities and agencies when there is a legal basis for doing so, including as necessary to comply with applicable laws and
     respond to legally required requests in response to law enforcement or other government agencies.

 – Institutions or other entities in the course of engaging in research, co-ops, or providing references as necessary for the coordination of such
     activities, including the administration of such activities as well as the record-keeping and other legal requirements of these entities.

 – To comply with applicable laws; protect the university’s rights and/or those of an individual and others; protect the safety of individuals, others, and
     the public; and protect us from legal liability.

When third parties are given access to your personal information, we require them (where applicable) to agree to contractual provisions designed to ensure that your personal information is processed only for the purpose for which it is provided, consistent with this policy, and in accordance with applicable law. In some cases, third parties may collect information directly from you and establish a direct relationship with you, in which case the terms of their privacy policies will apply.

Additional information related to the third parties that Northeastern University London may share personal data with is available in the Supplemental Privacy Notice for Northeastern University London Students, Applicants, and Alumni.

D. Global Transfers of Personal Information

Northeastern is a global university with operations in many countries around the world. As a result, personal information may be transferred to, accessed from, and/or stored in the United States and other global jurisdictions where we have campuses and operations (including operations supported by our service providers). If your personal information is transferred to a country that does not provide the same level of protection as the country in which you reside, we will take measures to ensure your personal information is adequately protected and handled in a manner consistent with the terms of this policy and applicable law.

E. Retention of Personal Information

We retain the personal information of individuals for as long as it is reasonable to fulfill the purposes for which the information was collected or as required for the purposes set forth in Section III. The university follows the retention practices set forth in its Policy on Use, Retention, and Deletion of University Records (Retention Policy) and its University Record Retention Schedule (Retention Schedule). The retention practices followed by Northeastern University – London are set forth in its Data Protection Policy.

F. Securing Personal Information

We have implemented appropriate technical, physical, and organizational measures designed to protect individuals’ personal information against accidental or unlawful loss, damage, alteration, disclosure, or access; other unlawful forms of processing; and in accordance with the Northeastern Information Security Program, the Policy on Protecting Confidential Information, and the corresponding Data Classification Guidelines. We continually review and update our security policies and controls as technology changes.

Access to personal information by Northeastern employees is limited on a need-to-know basis. Employees accessing personal information are required to keep personal information confidential in accordance with the university’s Policy on Protecting Confidential Information and other applicable Northeastern policies, standards, and practices.

G. Individual Rights

1. Consent

Where required by applicable law, we will ask you for consent to process your personal information at the time of collection, or when the university wishes to process your personal information for any additional purpose not covered in Section III.B. If you decide to withdraw consent, the university will stop processing your personal information for that purpose, unless there is another lawful basis permitting our use; we will inform you if the latter is the case.

We may use your personal information to provide you with promotional information such as updates and information about new programs and services, requests for financial support, upcoming events, or other promotions or news, subject to applicable law. You may opt out of receiving such communications by opting out as provided in the communication or by e-mailing privacy@northeastern.edu.

2. Accuracy

We make reasonable efforts to maintain the accuracy of personal information. As a general matter, you may update personal information in the applicable Northeastern self-service application into which you have submitted and have access to your personal information. For records not available via self-service, individuals may request a correction to an error or omission by submitting a request to privacy@northeastern.edu that specifies in sufficient detail the personal information at issue and the correction sought. We will correct the error or omission where required; if we decide not to, we will note in the file that a correction was requested but not made.

3. Automated Decision-Making

In the event we use your personal information to carry out wholly automated decision-making (including profiling) that produces legal or similarly significant effects, we will inform you when we collect your personal information for such a purpose and request your consent where required by law.

4. Other Rights

Depending on where you live (such as Canada or the UK) and subject to specific exceptions under applicable laws, you may be entitled to exercise one or more of the following rights:

     – Access your personal information
     – Take your personal information (i.e., the right of portability)
     – Delete your personal information
     – Object to or restrict use of your personal information
     – Withdraw consent to processing of your personal information

We will comply with such requests in a timely manner consistent with applicable data protection law and to the extent appropriate given the purposes for which Northeastern collected and is using your personal information. We will facilitate the same, where possible, with third parties with whom we may have shared your personal information.

In some cases, however, we may not agree to some or all of your request if: we are not permitted or required under applicable law or contractual obligation; continued processing of your personal information is necessary for the purpose for which it was collected; processing of your personal information is for public health, research, or statistical purposes; the request is not consistent with the university’s legal obligations or your personal information is necessary for the defense of legal claims; or your personal information is necessary for the performance of a contract between an individual and Northeastern. In such cases, we will provide reasons for our refusal and the name of the person who can answer questions about the request.

If there are general questions about accessing personal information or if you would like to exercise established rights under applicable law with respect to your personal information that is not stored in a self-service application, you may submit a request to privacy@northeastern.edu.

When submitting a request to exercise a right under Section III.G, you must include:

     – Your full name, e-mail, and physical address and function  
     – Sufficient details to enable us to identify the records (for example, the individual’s ID number or dates of employment)
     – A description of your request, in as much detail as possible, including the reason for the request

To process the request, we will need original proof of identity, and if making the request on behalf of another individual, evidence of authorization to do so. We will process received requests promptly and within the timeframe required by applicable law.

Additional questions about your rights can be directed to privacy@northeastern.edu.

H. Entity Responsible for Processing Personal Information

The Northeastern entity that collects your personal information (referred to under some laws as the “data controller”) is responsible for the processing of your personal information in accordance with this policy. Details about this entity are included in your contract for educational programs or services. Northeastern University, registered at 360 Huntington Avenue, Boston MA 02115 USA; Northeastern University – London; and Dublin Innovation Institute, registered at Suite 3, One Earlsfort Centre, Lower Hatch Street, Dublin 2, D02 X288 IRELAND may also act as data controllers with respect to the processing of personal information as set forth in Section III.C.1. Northeastern University – London is registered as a data controller with the UK Information Commissioner’s Office, registration number Z3136922.

IV. Additional Information

N/A

 

V. Contact Information

Northeastern has appointed a Chief Privacy Officer. If there are any questions or complaints related to the handling of your personal information, including if you believe that your personal information has been used in a way that is not consistent with this policy, please contact privacy@northeastern.edu or write to:

Chief Privacy Officer
Northeastern University
716 Columbus Avenue
Boston MA 02115 USA

Northeastern University – London has also appointed a Data Protection Officer, whose contact information is:

Data Protection Officer
Northeastern University – London
Devon House, 58 St. Katharine’s Way
London E1W 1LP UNITED KINGDOM
Dpo@nulondon.ac.uk

Residents of Ireland and Canada who are not satisfied with the university’s response to a request or complaint under this policy may have it reviewed by the data protection authority that is authorized to hear those concerns, which may include the Ireland Data Protection Commission, the Office of the Information and Privacy Commissioner of British Columbia, the Information and Privacy Commissioner of Ontario, or the Office of the Privacy Commissioner of Canada (as applicable).  The process for contacting the UK Information Commissioner’s Office is set forth in the Supplemental Privacy Notice for Northeastern University London Students, Applicants, and Alumni.

Responsible Office/Department(s)

Office of the General Counsel

 

Related Policies

Policy on Appropriate Use of Computer and Network Resources

Policy on Data Access

Policy on Protecting Confidential Information

Policy on Use, Retention, and Deletion of University Records

Policy on Privacy for Employees, Job Applicants, Contractors, and Others Working with the University

Northeastern University London Data Protection Policy

Northeastern University Privacy Policy

Supplemental Privacy Notice for Northeastern University London Students, Applicants, and Alumni

 

Related Procedures

University Records Retention Schedule (Requires a Northeastern Office365 Account)

Data Classification Guidelines (Requires a Northeastern Office365 Account)

 

Supersedes

Policy 707-CAN Policy on Personal Information (in its entirety)

Northeastern University Privacy Policy (to the extent it applied to students, applicants, and alumni)

Northeastern University – London Privacy Notice for Applicants, Students and Alumni

 

Keywords

Personal Information, privacy, collection of data, collection of information, data retention, transfer of information, sharing information

Version History

Last Revision Date: August 11, 2025

Issued: July 2, 2025