Privacy at GW
- What is Privacy?
Privacy has been defined as the right to be let alone, or freedom from interference or intrusion. Information Privacy is the right of an individual to have some control over how their personal information is collected and used.
- What is Personal Data (or Personally Identifiable Information)?
Personal Information (personally identifiable information, PII, or personal data) is information that, when used alone or with other relevant data, can identify an individual. PII may contain direct identifiers (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.
Examples of PII include, but are not limited to: an individual’s name, date of birth, place of birth, race, gender, religion, personal identification numbers (social security number -SSN, passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number), contact information (home address, email address, telephone number) personal characteristics (photographic images, fingerprints, or handwriting; biometric data (retina scans, voice signatures, or facial geometry), etc.
- How does GW collect and use Personal Data?
Information about GW's collection and use of personal data can be found in GW's Statement of Privacy Practices.
- What is a data incident?
A "data incident" refers to any event where university non-public information (regulated or restricted) is compromised, potentially through unauthorized access, accidental disclosure, loss, or corruption, which could jeoperdize the confidentiality, integrity, or availability of that information. Data Incidents could be accidental (e.g. due to human error) or intentional (e.g. malicious cyberattack).
Examples of data incidents include:
- An employee accidentally sharing university non-public information with the wrong person;
- A phishing attack where an employee clicks on a malicious link, potentially exposing personal data;
- A system malfunction causing unauthorized disclosure of information;
- Theft, misuse or unauthorized access to Personal Information by unauthorized individuals;
- A university owned laptop containing sensitive data being lost or stolen;
- Paper documents that are stolen, lost, misdirected, or left vulnerable to unauthorized acquisition.
Use this form below to report a suspected or actual data incident involving University non-public information.
Fundamentals of GW's Privacy Program
GW established a Privacy Program that is based on a set of core privacy principles, addressing the collection, processing, transfer, deletion and other use of personal data, by the university, during the course of its operations. Our Privacy Program is designed to support the university in meeting its educational and operational objectives, while maintaining compliance with applicable privacy laws and regulations.
- Transparency/Notice
GW is transparent about our privacy policies and our practices with respect to personally identifiable information (PII). We provide clear and accessible notice regarding our collection, use, maintenance, and disclosure of personal information.
- Consent
Under applicable laws and to the extent practicable, GW’s may seek individual consent for the collection, use, maintenance, or disclosure of PII.
GW Privacy of Personal Information Policy
- Minimum Necessary
Limiting the collection and use of personal data to the minimum that is directly relevant and necessary to accomplish a specified purpose.
GW Privacy of Personal Information Policy
- Responsible Use
Use personal data only for the specific purposes for which it was collected (or otherwise with the explicit consent of the individual, or as authorized by law).
- Need to Know
Limit access to personal data to only those with legitimate need-to-know.
- Security Controls
GW implemented administrative, technical, and physical safeguards to protect PII commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss, destruction, dissemination, or disclosure.
- Data Governance
GW established clear lines of responsibility with respect to governance of the personal data processed by the university.
- Third Parties
Personal Data can be shared with third parties only under university approved contractual agreements.
- Choice and Control
GW gives individuals choice and control as to how their personal information will be used and disclosed and provides them with the opportunity to correct or amend their personal information. The university also has established procedures to receive and address individuals' requests to exercise privacy rights, under applicable privacy laws and regulations.
- Incident Reporting
Promptly report any actual or suspected privacy incidents to the GW Privacy Office.
- Accountability and Enforcement
GW schools and departments are accountable for complying with GW privacy policies and privacy laws and regulations applicable to their collection and use of PII.