Data Privacy Policy

Administrative Procedure 3.905

Elgin Community College regularly collects and uses data from students and employees. Data informs the programs and services we offer, the partnerships we participate in, and the initiatives we undertake. In general, three (3) general types of data are collected by the college:

public data
internal administrative data
personal identifiable data

Public data and internal administrative data are the most widely available forms and are easily accessible. Examples of public data include press releases and reports. Examples of internal administrative data include memos, emails, and internal newsletters. Public and internal administrative data are principally operationally used to conduct everyday business. For this reason, they are not considered private, sensitive, or confidential and, as such, not covered in this procedure.

Personal identifiable data is the last category of data and the focus of this procedure. Personal identifiable data¹ contains information related to an individual person's identity, location, or behaviors, and as such, is sensitive and restricted. If compromised, identifiable data can violate personal privacy, create risk, or impose legal action. The practices outlined in this document help to maintain the confidentiality, use, and limitations regarding the distribution of personal data.

Personal Data We Collect

Types and examples of personal data we collect include:

Individual identifying and demographic data. Individual demographic data includes, but is not limited to, a person's name (first and last); phone numbers; addresses (street name, street number, city, state/province, zip/postal code); email address; date of birth; and social security number or tax identification number (TIN). Demographic data also includes information about an individual's race, ethnicity, and gender.

Enrollment and participation data. Enrollment data includes an individual's attendance in courses or involvement in events. For students, this can include course enrollment data (course prefix, number, and course title), course location (buildings and rooms), instructors, days and times of classes, and formats of classes (face-to-face or online). For employees, data can include involvement in committees, meetings, and professional courses or workshops. Information we collect includes names of committees or workshops, meeting locations or modalities, leaders or instructors, days and times of workshops or meetings, and other related information.

Official records. Performance data includes judgments about an individual's aptitude or skills. For students, examples of performance data include course grades, and grades or evaluations made by instructors or evaluators on measures of learning, such as tests and quizzes, writing assignments, portfolios, or presentations. For employees, performance data includes job performance evaluations and actions taken because of decisions made from evaluations or approved meeting notes.

Use of educational services. Usage data includes information about an individual's use of services provided by the college. For students, usage data includes library circulation data (books or resources signed out and dates), use of certain labs, tutoring services, testing services, or participation in events, such as guest lectures. For employees, usage data includes use of services such as the library or the fitness center. Different campus services track usage to different degrees. Some routinely log every visitor who uses a service, whereas others track usage sporadically.

Use of technology services. Technology use a special class of usage data in that it is less tangible and can occur without an individual's overt knowledge of it. Data includes information entered into web browsers and any information sent to us from browsers. Such information can include a computer's internet protocol address (e.g., IP address), browser type, browser version, web pages that are visited, the time and date of each visit, the time spent on those pages, unique device identifiers, and other diagnostic data. On a mobile device, this information includes usage data, such as the type of device being used, the device unique identifier (ID), the IP address of the device, the mobile operating systems used, and the type of mobile internet browser used, unique device identifiers, and other diagnostic data. We use cookies, beacons, tags and similar tracking technologies to track the activity on our systems, and we hold certain information. Cookies are small files stored on devices (computers or mobile devices) to remember an individual's preferences, session settings, and security information.

Financial data. Financial data we collect from students includes payment history, payment status, and banking information, including credit cards. We use third-party billing companies for collecting tuition payments, and those companies may request credit card or bank account information. For students on financial aid, we collect all data supplied on the FAFSA, which includes income, public assistance, loan information and history, and credit information, such as bankruptcies. Some student scholarships also require financial information such as income. Certain employee positions that handle money also require credit checks and scores from credit bureaus.

Health data. The college collects certain health records from employees and students who participate in the health insurance program, clinics offered by the Health Professions Division, or who request accommodations through the Americans with Disabilities Act (ADA) Compliance Officer. Health Insurance Portability and Accountability Act (HIPPA) and ADA rules are followed regarding the collection and use of this data. Employee and student health information is also used in certain programs. For example, truck driving and Health Professions programs require drug and alcohol use information. For further information, please see Administrative Procedures 3.405 Drug and Alcohol Testing of Truck Driving Program Students and 3.406 Criminal Background Checks and Drug Testing of Health Professions Program Students. For students or employees who request tuition assistance through the Tuition Adjustment Advisory Council, we collect information medical status, including data on the nature of an individual’s disability.

Criminal background data. Certain programs and positions in the college require crime information from students and employees. Criminal background checks are conducted for new employees as part of the hiring process and at regular intervals for positions in campus safety and in certain programs, such as criminal justice.

Audiovisual data. From time to time, the college or the ECC Foundation, a related not-for-profit organization, may record audio or use photographs or video of an individual's participation in events and may publish and use recordings or representations of individuals for promotion and educational purposes.

Perceptual and attitudinal data. From time to time, the college or external partners may request perceptual or attitudinal information related to an individual's use or satisfaction with services. This type of data is commonly collected through web surveys, interviews, or focus groups. Specific practices for the collection of this type of data are contained in Administrative Procedure 3.906 Survey Use and Administration. While reports of perceptual data are summarized in aggregate and identifying information is redacted in shared reports, identifying information can at times be contained in open-ended questions, and for this reason, this type of data represents another form the college collects.

Other behavioral data. At times college employees and students are invited to participate voluntarily in research internal or external to the college that involves data collection. Types of data collected are specific to each research project, and researchers are required by the Elgin Community College Internal Review Board to gather informed consent from participants. Specific practices related to the collection of this type of data are contained in the Administrative Procedure 3.103 Data Collection Involving People at Elgin Community College and follow accepted practices of the U.S. Department of Health and Human Services.

Use and Retention of Personal Data

We use the above forms of collected data for the following purposes:

To create and improve the quality of academic programs and educational services
To perform financial transactions or create and strengthen financial and business services
To create and maintain technology and network systems, monitor their usage, and improve their functionality and security
To notify individuals about changes to our instructional, financial, or technological services or systems
To create new campus events or design new promotional materials
To comply with legal obligations, resolve disputes, or enforce legal agreements and policies
To provide information about emergency closings or safety notifications

To carry out the above uses, we retain records in the form of both paper files and digital data linked to an individual's name. Administrative Procedure 3.102 Records Retention and Disposal, details the length of time that certain hard copies of records are kept, but because paper files are typically converted into digital files for recordkeeping and analysis, individuals should assume that data is stored in perpetuity to be retrieved as needed for any of the above uses.

Validity of Data

Data should be collected and maintained with assurance of its validity. Everyone who supplies or works with data has a responsibility to ensure its accuracy, timeliness, and consistency. Students and employees who provide information should ensure that it is up-to-date. Employees tasked with entering, coding, or reporting data should take steps to ensure its accuracy.

The college employs quality standards in regards to data validity. First, we staff data analysts in key functional areas – technology, research, academic affairs, finance, and human resources – who conduct soundness checks as part of their assigned responsibilities. Second, we maintain standing bodies (offices or committees) to act as “stewards” of the data within their charge. For example, student success and learning outcomes data are overseen by councils who assume responsibility for the validity of the data they oversee. Third, we rely on external bodies (e.g., Illinois Community College Board, National Community College Benchmarking Project, etc.) to ensure that data is cross-checked, benchmarked, and reflects the college accurately and completely. Fourth, we use best practices in data sharing and communicating to ensure that data are regularly discussed and understood.

Access, Security, and Use of Third Parties

Information regarding access to and security of data is contained in Administrative Procedures 3.407 Red Flag Identify Theft Prevention Program and Administrative Procedure 7.106 Information Security Program. In general, oversight for data access and security is distributed throughout the college. Every department has some degree of access to personally identifiable data during the normal course of work, and each person who uses data is expected to:

Understand the nature of confidential information in their care
Manage that data with safeguards
Understand the consequence that might result from improper handling or unauthorized access

These administrative procedures also describe the college's processes for providing regular training to employees and tracking participation in training to ensure that data remains valid and secure.

In addition to our own employees, the college also provides access to data to third-party service providers, contractors, and organizations with whom we do business. These organizations help us perform a variety of functions: connect us to employees, students, or community members; gather and process data; and conduct business transactions. We also use providers to inform and optimize web visits using information gathered from cookies, beacons, and log files. While the list of service providers is ever-changing, it generally includes the following types of organizations:

Governmental or accreditation agencies
Data partnerships or consortia
Educational institutions or consortia
Online survey providers (such as Qualtrics)
Course management providers (such as Desire2Learn)
ERP systems (such as Ellucian Colleague)
Data management and reporting systems (such as Tableau)
Employee record-keeping systems (such as timekeeping and payroll systems)
Financial agencies and payment processors (such as PayPal/Braintree and related providers via the PCI Security Standards Council)
Publishing companies
Web analytics systems (such as Google Analytics)
Behavioral remarketing systems (such as Google Adwords, Bing Ads Remarketing, AdRoll, Perfect Audience, and AppNexus)
Social media systems (such as Twitter, Facebook, or Snapchat)
Communications systems (such as CampusCast and MailChimp)
Customer relationship data (such as Salesforce)

In providing access to third parties, we take all necessary steps to ensure data is handled securely, and no transfer of personal data takes place until adequate controls are in place. We use commercially acceptable means to protect data, such as data encryption and uploading/downloading data to/from secure sites. We require that access to digital information is protected by strong passwords, which are periodically updated and never shared.

Third-party data-sharing parameters are spelled out in written contracts that define the contexts in which data are used or shared, stored, and deleted. Contracts are kept on file in the college's Business and Finance and/or Legal Affairs Offices. With regard to student educational records, we comply with the Family Educational Rights and Privacy Act and do not share information without students' written consent. For further information about students records, use and privacy, see Administrative Procedure Student Academic Records 4.103.

Because third parties have their own affiliates and systems, it is possible for personal data to be transferred outside of the state, province, or country from which it originated and sent to locations where data security protocols may differ from those where the data originated. For students located outside of the United States, we transfer data, including personal data, to the United States for processing. Our systems may contain links to other sites that are not operated by us. If users click a third-party link, they will be directed to that third party's site. Users are strongly advised to review the privacy policy of every site they visit, as the college has no control over and assumes no responsibility for the content, privacy policies, or practices of any third-party sites or systems.

Limitations to the College's Use of Data

While the college relies on complete data, individuals can limit how their data is collected or used:

Individuals may opt-out of receiving certain communications from the college by following the unsubscribe link within the software platform. Requests to be removed from mailing lists can also be made directly to the pertinent department.
Forms filled out as part of student enrollment and employee hiring acknowledge that, from time to time, the college takes photographs and/or videos of attendees at campus events. Students who wish not to be photographed or video recorded should notify Marketing and Communications at marketingteam@elgin.edu. Employees who wish not to be photographed or video recorded should notify Human Resources at staffliaison@elgin.edu.
Individuals can configure their browsers to refuse cookies or notify them when a cookie is sent. However, doing so may render some web functionality unusable. Individuals may also opt-out of website tracking by setting the Do Not Track preference in the settings of web browsers. The college does not support the Do Not Track (DNT) signals under the California Online Protection Act (CalOPPA).
Students or employees may opt-out of receiving text messages about safety or emergency closing notifications sent through Rave Mobile Safety by texting the word STOP to 67283 or 226787 at the time of receipt or by logging into Rave Alerts and deleting their subscription. However, doing so may mean important campus information is missed.
Students who are citizens of the European Union and the European Economic Area (EEA) have rights under the GDPR (General Data Protection Regulation) to correct, amend, delete, or limit the use of their personal data. Specifically, EEA residents have:
- The right to access, update or delete the information the college has collected. Students can access, update, or request deletion of personal data within account settings of accessECC or with assistance from the Records and Registration Office at 847-214-7386 or records@elgin.edu.
- The right of rectification – i.e., the right to have information rectified if that information is inaccurate or incomplete
- The right to object – i.e., the right to object to the college's processing of personal data
- The right of restriction – i.e., the right to request that the college restrict processing of personal information
- The right to data portability – i.e., the right to be provided with a copy of the information the college has in a structured, machine-readable, and commonly used format
- The right to withdraw consent – i.e., the right to withdraw consent at any time for data in which the college relied on consent to process that information
- The right to complain to a Data Protection Authority about the college's collection and use of personal data

For any right listed above, the college will ask for verification before responding to such requests.

Communication of Changes to this Document

Any changes made to this administrative procedure will be updated promptly on the college's employee and student portals and on the public website at Elgin.edu/datapolicy. Additionally, any documents that reference this procedure, such as Student Terms and Conditions, are also updated whenever updates to this procedure are made.

Students and employees are advised to review this procedure periodically for changes. Changes are effective when they are posted at Elgin.edu/datapolicy. Any questions about this administrative procedure should be sent via email to privacy@elgin.edu.

¹We gather personal data only from individuals who are over the age of 13. Individuals who are 13 years old and younger must get parental consent to send personal information through the ECC website or via email. Please visit the Federal Trade Commission's website for more information on the Children's Online Privacy Protection Act of 1998.