Georgia Highlands College (GHC) stores the data it collects in accordance with United States law, State of Georgia law, and Board of Regents of the University System of Georgia Records Retention Schedules. Students and website visitors have the right to know how the institution uses and discloses the personal data it collects and what measures GHC puts into place to protect student and website visitor privacy. Any individual wishing to exercise their rights under this policy should contact the institution’s designated privacy officer by emailing privacy[@]highlands.edu. Any GHC employee who suspects a data breach or unauthorized disclosure of data has occurred or is actively occurring must immediately notify the Information Security & Network Services unit of Information Technology by emailing infosec[@]highlands.edu.
This policy defines how Georgia Highlands College collects and manages information collected from individuals such as website visitors, students, employees, and third parties operating at or on behalf of the institution.
- Business Associate
- HIPAA defines a business associate as a third party operating for or on behalf of an organization that provides services that involve healthcare information.
- Cookies
- Cookies are small files or collections of text data stored by web browsers that are used for maintaining user information and website preferences.
- Data subject
- GDPR defines a data subject as any natural person whose personal data is collected or maintained by GHC. A legal entity such as a corporation is an artificial person.
- Family Educational Rights and Privacy Act (FERPA)
- FERPA is a federal law (20 U.S.C. § 1232g; 34 CFR Part 99) that protects the privacy of student educational records. All schools that receive funds through a U.S. Department of Education program are in scope of FERPA.
- Georgia Open Records Act (O.C.G.A. § 50-18-70)
- Entities of the State of Georgia are subject to the Georgia Open Records Act. This law allows citizens to request (view) records of Georgia agencies.
- General Data Protection Regulation (GDPR)
- GDPR is a European Union (EU) law that defines data protection and privacy standards for individuals within the EU and personal data about EU citizens managed outside of the EU.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- HIPAA is a federal law that restricts how organizations store and communicate healthcare information.
- Personally Identifiable Information (PII)
- National Institute of Standards and Technology Special Publication 800-122 defines Personally Identifiable Information (PII) as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Content / Policy
Georgia Highlands College (GHC) is the operator of www.highlands.edu. Web hosting services and software tools, integrations, and programming frameworks may be provided by third parties. GHC may collect information from each device used to visit www.highlands.edu such as Internet Protocol (IP) address, operating system version, web browser version, and the presence of web browser extensions/add-ons/plug-ins. GHC may collect other information provided by cookies stored on a user device. GHC may collect aggregate information about www.highlands.edu and other websites owned or operated by the institution. Examples of this information include web page usage statistics or how users navigate from one part of www.highlands.edu to another. This data collection is typically performed in order to improve the institution’s web services or for routine security monitoring.
Specific forms on www.highlands.edu may require you to submit your name, street address, phone number, and/or email address. You may make an appointment with the appropriate office(s) to visit in person or provide this information through an alternate means, if possible and as appropriate. GHC utilizes physical, technical, and administrative controls to protect your data against unauthorized access or misuse; however, we cannot guarantee the security of any information transmitted to the institution from a system or information technology resource outside the institution. GHC does not actively share personal information gathered from www.highlands.edu. However, there may be some situations where we share this data. These situations include compliance with a lawful court order (or subpoena) or a Georgia Open Records Act request.
This policy does not define data privacy practices by third parties or websites linked to from www.highlands.edu. Links to a third-party website are provided as a courtesy and do not constitute an endorsement of a third-party website or the content contained within.
Family Educational Rights and Privacy Act (FERPA)
The Office of the Registrar maintains the official academic transcript and a “personal folder” containing official documents of each student. Examples of these documents include applications for admission, immunization records, official transcripts from high school or previous college/university, the results of admissions tests, and copies of official correspondence concerning the admission status and other actions taken with respect to the student’s academic work or study. These records are available only to (1) employees who have a legitimate educational need to access them, (2) other parties that have obtained written permission of the student, or (3) when required by law. Academic transcripts provided by Georgia Highlands College (GHC) contain only information about the student’s academic status, except where disciplinary action is recorded in cases where it may affect the student’s eligibility to register for classes.
FERPA affords students certain rights with respect to their educational records. Students have the right to:
- inspect their official transcript and/or personal folder.
- request an interpretation/explanation of information recorded within these records.
- request an amendment of educational records that are incorrect, misleading, or violate their privacy rights and request a hearing to amend their educational records, if necessary.
- consent to disclosures of Personally Identifiable Information (PII) contained in the student’s education records, except to the extent that FERPA authorizes disclosure without consent.
FERPA permits the disclosure of a student’s educational records without consent to school officials with legitimate educational interests. A school official, as defined in FERPA, is a person employed by the institution in an administrative, supervisory, academic or research, or support staff position (including law enforcement unit personnel and health staff); a person or company with whom the institution has contracted (such as an attorney, auditor, or collection agent, or official of the National Student Loan Clearinghouse); a person serving on the Board of Trustees; or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill their professional responsibility.
In certain other circumstances, GHC may disclose education records:
- to comply with a court order or a lawfully issued subpoena.
- to appropriate parties in a health or safety emergency.
- to officials of another school, upon request, in which a student seeks or intends to enroll.
- in connection with a student’s request for or receipt of financial aid, as necessary to determine the eligibility, amount, or conditions of the financial aid, or to enforce the terms and conditions of the aid.
- to certain officials of the U.S. Department of Education, the Comptroller General, and/or to state and local educational authorities in connection with certain state or federally supported education programs.
- to accrediting organizations to carry out their respective functions.
- to organizations conducting certain studies for or on behalf of the institution.
- as part of a disciplinary proceeding against a student who is alleged to have engaged in criminal conduct.
GHC designates the following as public or “directory information”: student name, mailing address, telephone number, major, degree sought, expected date of completion of degree requirements and graduation, degrees and honors awarded, dates of attendance, weight and height (of students participating in athletic programs), and participation in officially recognized activities. Directory information does not include student email address, GPA, grades, citizenship status, race, ethnicity, gender, or federally protected information such as a student’s Social Security number. Students may request the nondisclosure of their directory information. This request must be made in writing and becomes a permanent part of the student’s record until the student instructs GHC, in writing, to have the request removed.
Students have the right to file a complaint with the U.S. Department of Education concerning alleged failures by GHC to comply with the requirements of FERPA. The name and address of the office where these complaints should be filed is:
Family Policy Compliance Office
U.S. Department of Education
400 Maryland Ave SW
Washington, DC 20202-4605
The address for the Office of the Registrar is:
Office of the Registrar
Georgia Highlands College
3175 Cedartown Hwy
Rome, GA 30161
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Georgia Highlands College (GHC) is designated as a hybrid entity under HIPAA. The Heritage Hall dental clinic is the only component of the institution subject to HIPAA. Employee and student records subject to the Family Educational Rights and Privacy Act (FERPA) are excluded.
An individual’s health information may be used by GHC for treatment, payment, and healthcare operations in the dental clinic (as defined by HIPAA) after the institution has provided to the individual a copy of this policy and has made a good faith effort to obtain an acknowledgment of its receipt, except in the event of an emergency. Additionally, GHC may use an individual’s health information for other purposes or may disclose an individual’s health information to external entities for other purposes upon obtaining a valid authorization from the individual giving permission for that stated use or disclosure. GHC may use and disclose an individual’s health information without prior permission or authorization where the health information has been sufficiently “de-identified”, so as to hide the identity of the individual(s), is part of a “limited data set”, or for other uses where allowable by law.
GHC maintains personal healthcare information about employees and, under certain circumstances, students. GHC will allow individuals to inspect and obtain copies of their own health information that has been collected by the institution. Individuals may also request information regarding disclosures of their health information made to third parties. GHC will allow an individual to amend information in their health record where it is incomplete or inaccurate. Information maintained by GHC for purposes related to the administration of employee wellness and fitness programs will not be used for employment-related purposes, including but not limited to annual evaluations, employee discipline, promotion, retention, or termination. GHC strictly segregates functions related to health plan administration from employment decisions.
GHC’s privacy officer coordinates the institution’s HIPAA compliance and is responsible for gathering information sought by individuals who have a right to access it. Further, the privacy officer is responsible for receiving HIPAA complaints. GHC may also designate one or more HIPAA coordinators to assist the privacy officer with HIPAA compliance obligations. The institution’s designated security officer is responsible for the implementation of security policies and technical controls that conform to the HIPAA Security Rule. Divisions and departments of the college that collect, process, or store healthcare information are required to develop and conduct HIPAA training for their employees and for students serving as interns or employees. Further, each division and department is responsible for implementing the appropriate procedures to protect the confidentiality of healthcare information in verbal, written, and electronic communications.
Healthcare records maintained in physical documents will be kept secured in a locked location. Electronic records will be protected by technical controls such as encryption and access restrictions. Each employee with access to healthcare records is required to use passwords that are unique (1) to that employee and (2) to the systems and information technology resources that contain healthcare records. Physical access to secure (controlled) areas and systems containing healthcare information will be revoked upon termination of an employee or when a contract with an authorized third party ends. Healthcare records may not be collected, processed, or stored on employee or student personal devices. Healthcare records may not be communicated through text messages; chat, meeting, and conference software; or social media for any reason. Health information may only be accessed by authorized employees and is restricted to the minimum amount of access necessary for their respective job function(s).
The use or disclosure of health information by a third-party service provider or a third party operating on behalf of GHC must comply with this policy. Health information provided to such a third party must be pursuant to an assurance that the third party, and its subcontractors, will use the information only for the purpose(s) intended, will restrict access to the information on a “need to know” basis only, and will otherwise take appropriate measures to safeguard the information in its possession. There must be a valid, signed business associate agreement in place before identifiable health information may be provided to a third party by the institution. If GHC determines that a business associate has violated a material term or obligation under the agreement relating to HIPAA compliance, GHC will seek to immediately remedy the breach or, if that is not possible, to alter or terminate the agreement. Violations may also be reported to the Board of Regents of the University System of Georgia.
General Data Protection Regulation (GDPR)
It is necessary for Georgia Highlands College (GHC) to collect, process, use, and maintain data about students, employees, applicants, and other individuals involved with its educational programs and ancillary programs such as research or community outreach. These individuals may be classified as data subjects if they are European Union (EU) citizens or if GHC collects, processes, uses, and/or maintains their personal data within the European Economic Area. Examples of data that GHC may collect include: names, email addresses, IP addresses, physical addresses, location identifiers, photos, academic transcripts, medical information, and other forms of sensitive or federally protected personal data obtained with prior consent. Typically, data collection and processing at GHC is performed in order to (1) directly support the education and employment of individuals; (2) fulfill contractual obligations to which one or more data subjects is a party, such as the processing of financial aid or payments; (3) fulfill legal obligations of the institution; and (4) perform specific functions where GHC has obtained consent from the data subject. GHC will not share a data subject’s personal information with third parties, with the following exceptions: contract compliance, pursuant to consent provided by a data subject, as required by law, as necessary to protect the institution’s interests, and/or with service providers that have agreed to protect the confidentiality of data and are acting on the institution’s behalf.
Data subjects have the following rights in accordance with GDPR:
- to receive information about how GHC collects and uses their data and the legal basis/legitimate interest of those activities.
- to receive contact information for the institution’s designated privacy officer.
- to receive information about persons or entities that receive personal data from GHC.
- to know if GHC intends to transfer personal data to another country or international organization.
- to know how long GHC will store personal data.
- to access, update (correct), or request the erasure of personal data.
- to withdraw consent to the use or storage of personal data at any time.
- to file a complaint with a supervisory authority, such as the Board of Regents of the University System of Georgia.
- to receive information about the existence of automated decision-making processes.
- to know if data collected by GHC is going to be used for a purpose other than for which it was originally collected.
- The right to inspect and review the student’s education records must be granted by GHC within 45 days after the institution has received a formal, written request that identifies the record(s) the student wishes to inspect. An employee of the Office of the Registrar will make an appointment with the student for the records inspection. If the records are not maintained by the Office of the Registrar, the Registrar shall advise the student of the correct official to whom the request should be addressed.
- Students seeking to request one or more amendments to an educational record must submit a formal, written request to the Office of the Registrar that clearly identifies the part of the record that may be inaccurate, misleading, or in violation of their privacy rights and specifies why it is inaccurate, misleading, or in violation of their privacy rights. FERPA does not provide a process to challenge qualitative judgments that are correctly recorded. For example, a student may not challenge a grade in a course because they felt a higher grade should have been assigned. If the institution decides not to amend the record(s) as requested by the student, the Office of the Registrar will notify the student of the decision and advise the student of his or her right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the student when notified of the right to a hearing.
- 2018 Reform of EU Data Protection Rules, European Commission, https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en (2018)
- Georgia Open Records Act (O.C.G.A. § 50-18-70), Georgia Institute of Technology Legal Affairs, http://www.legal.gatech.edu/sites/default/files/images/186385699r1.pdf
- Health Information Privacy (HIPAA), HHS.gov, https://www.hhs.gov/hipaa/index.html
- Family Educational Rights and Privacy Act (FERPA), United States Department of Education, https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- USG Records Retention Schedules, University System of Georgia, https://www.usg.edu/records_management/schedules/
- McCallister, Grance, et al. Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), National Institute of Standards and Technology Computer Security Resource Center, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf (2010)