Policy on Personal Information (CAN)

Policy Number: 707-CAN

University Records and Information Systems

The permanent link for this policy is: https://policies.northeastern.edu/policy707-CAN/

This policy applies to Northeastern University Canadian Campuses only.

I. Purpose and Scope

The university is committed to protecting the privacy of the personal information of applicants, students, parents, employees and other individuals from whom it collects, uses, discloses, and maintains personal information in its operations.

This policy applies to the university’s handling of personal information collected in Canada and reiterates the university’s commitment to maintaining the privacy of personal information.

II. Definitions

For purposes of this policy,

A. Personal Information

1. Information about an identifiable individual (which may include but is not limited to name, age, home address and phone number, social insurance number, marital status, education, and employment information).

2. This definition does not include business contact information such as an individual’s name, title, business address, business telephone number or business e-mail address.

B. Employee Personal Information

Personal Information, in respect of an individual who is a potential, current or former employee, reasonably required for the purposes of:

• Establishing, managing or terminating an employment or volunteer-work relationship, or

• Managing a post-employment or post-volunteer-work relationship, but does not include Personal Information about the individual that is unrelated to that relationship.

III. Policy

A. Collecting Personal Information

Northeastern collects Personal Information that is necessary for operating its business, including Personal Information needed to:

• Process applications for admission to Northeastern’s undergraduate and graduate programs and enrollment in courses and programs;

• Administer and assess educational programs;

• Fulfill public safety obligations;

• Deliver and administer education, record the details of studies (including any placements with external organizations for co-op or academic coursework taken at another institution), and determine/confirm academic achievements (e.g. results, prizes);

• Administer the financial aspects of the relationship between Northeastern, its students and any funding agencies or lenders;

• Provide facilities (e.g. IT, sport, libraries, accommodation);

• Operate security, governance, disciplinary, complaint, audit and quality assurance processes and arrangements;

• Support training, medical, safety and welfare requirements;

• Compile aggregated data for historical descriptive analysis of enrollment trends, required regulatory reporting, and accreditation purposes;

• Notify designated emergency contact(s) of an emergency or crisis;

• Prevent fraud or criminal activity, misuse of products or services, and protect the security of IT systems, architecture and networks; and

• Meet legal and regulatory requirements.

In general, Northeastern only collects Personal Information directly from the individuals to whom the information applies. However, Northeastern may collect information from other people with the consent of the individuals to whom the information applies, or as authorized by law.

B. Employee Personal Information

1. To the extent permitted by applicable privacy laws, the university may collect, use or disclose Employee Personal Information of any potential, current or former employee without the consent of the employee for the purposes of establishing, managing or terminating the employment relationship, or managing the post-employment relationship.

2. Where the employee personal information relates to a current employee, the university will provide the employee with notice that their employee personal information will be collected, used or disclosed, including the purposes for which the information will be collected, used or disclosed.

3. Employee personal information and Personal Information regarding employees may be collected, used and disclosed for purposes including, but not limited to:

• Hiring, promotion, compensation and tax reporting;

• Compliance with legal requirements and obligations;

• Compliance with requirements of applicable professional governing bodies;

• Provision and administration of health and welfare benefits and programs;

• Human resources and payroll administration;

• Professional development and performance management; and

• Enforcement of university policies and procedures.

4. Except as otherwise permitted by applicable privacy laws, all employee personal information and personal information in respect of employees shall be treated in the same manner as other personal information, in accordance with the terms of this policy. Unless otherwise indicated, the provisions of this policy shall apply to all employee
personal information and personal information relating to employees.

C. Consent

1. The university will ask for consent to collect, use or disclose personal information, except:

a. For the purposes set forth above in sections III.A & III.B, or

b. In circumstances other than those set forth in section III.A & III.B and where collection, use or disclosure of personal information without consent is authorized or required by law.

2. In certain cases and subject to important exceptions (e.g. most of the purposes set forth in sections III.A and III.B), an individual may withhold or withdraw their consent for the university to use or disclose their personal information. Withholding or withdrawing consent to the use or disclosure of personal information may restrict the university’s
ability to provide certain products or services if it does not have the necessary personal information.

D. Using and Disclosing Personal Information

1. Northeastern will only use or disclose personal information for purposes consistent with this policy or other purposes for which the information was collected and specified at the time of collection, except as authorized or required by law. If the university wishes to use or disclose personal information for any additional purpose not covered by the prior sentence, the university will ask for consent unless consent is not required by law.

2. The university may, from time to time, transfer personal information to university systems or third-party service providers located in the United States. Such entities may receive, process and handle personal information for the purposes described in this policy and will provide a level of protection for personal information that is comparable
to that provided by Northeastern.

3. The university will endeavor to ensure that its contracts with third-party service providers limit the retention, use and disclosure of personal information by the thirdparty service providers solely for purposes consistent with carrying out the contracted services and provide a level of protection for personal information that is comparable to that provided by the university.

E. Retaining Personal Information

The university will retain personal information for as long as is reasonable to fulfill the purposes for which the information was collected, or as required for legal, compliance or business purposes. Unless otherwise noted in this policy, all personal information will be retained in accordance with the Policy on Retention and Disposition of University Records and Information and its corresponding schedule.

F. Accuracy of Personal Information

The university will make reasonable efforts to maintain the accuracy of the personal information used and disclosed.
Individuals may request a correction if there is an error or omission in their personal information. An individual must make a request in writing to correct their personal information, which request must provide sufficient detail to identify the personal information and the correction being sought.

For faculty and staff:

Updating personal information:

https://service.northeastern.edu/hr?id=kb_article&sys_id=d4fa65bc877ba990ba9a0fad0eb
b352f&table=kb_knowledge

For students:

Updating personal information:

https://registrar.northeastern.edu/article/updatingpersonal-information/

Updating educational records:

https://policies.northeastern.edu/policy106/

For all other requests please contact the privacy@norteastern.edu account.

If personal information is demonstrated to be inaccurate or incomplete, the university will correct the information to the extent required and send the corrected information to any organization to which it disclosed the personal information in the previous year. If the university decides not to correct the personal information, the university will note that a correction was requested but not made in the file.

G. Securing Personal Information

The university will protect personal information in a manner appropriate to the sensitivity of the information in accordance with the Policy on Confidentiality of University Records and Information and the corresponding Data Classification Guidelines. The university will make reasonable efforts to prevent loss, misuse, disclosure, copying, modification, disposal or destruction of personal information or any unauthorized access to personal information.
Employee access to personal information is limited to those employees who require such personal information to carry out their responsibilities.

Northeastern continually reviews and updates its security policies and controls as technology changes to promote ongoing Personal Information security.

H. Access to Personal Information

Individuals may access their own personal information in the university’s custody or control, subject to certain exceptions. In such cases where exceptions to access apply, the university may withhold that information and provide the remainder of the information.

Except as otherwise covered in the Policy on Personnel Files and the Policy on Student Rights Under the Family Educational Rights and Privacy Act, a request to access personal information must be made in writing to privacy@northeastern.edu. The request should provide sufficient detail to identify the personal information being sought. Individuals may also request information about the university’s use of their personal information and any
disclosure of that information to persons outside the university.

The university will respond to an individual’s request within the time limits specified by applicable laws and will indicate whether the individual is entitled to access the information. If access is refused, in whole or in part, the university will provide reasons for the refusal, the name of the person who can answer questions about the request and advise of the right to have the decision reviewed by the Privacy Commissioner of British Columbia or the Privacy Commissioner of Canada.

The university may charge a minimal fee for providing access to personal information, however, no fee will be charged for providing access to employee personal information. Where a fee will apply, the university will provide the individual making the access request with an estimate of the fee before providing access.

IV. Additional Information

The university will only use personal information to provide marketing information, including but not limited to updates and information about new programs and services, upcoming events or other promotions or news, if the individual has consented to Northeastern doing so. Individuals may opt out of receiving marketing communications at any time by emailing Northeastern at privacy@northeastern.edu.

V. Contact Information

Any inquiry or complaint about this policy or the collection, use and disclosure of Personal
Information by Northeastern should be directed in writing to:

Chief Privacy Officer
privacy@northeastern.edu
716 Columbus Place Suite 301
Boston, MA 02120
United States of America

If an individual is not satisfied with a response or has a complaint, the individual may contact the Privacy Commissioner of British Columbia or the Privacy Commissioner of Canada.