General Data Protection Regulation (GDPR) Statement
The University of Arkansas System Division of Agriculture (UADA) is committed to safeguarding the privacy of all personal data provided by employees, constituents, and contractors (collectively “data subjects”).
Effective May 25, 2018, the European Union (“EU”) General Data Protection Regulation (“GDPR”) places additional obligations on organizations that control or process personally identifiable information about persons in Europe. The GDPR is designed to protect the privacy of data concerning a natural person that is collected or processed in or transferred out of the EU, and to regulate the data privacy practices of entities that offer goods or services in the EU. In its capacity as a data controller, UADA collects, uses, and discloses data subjects’ information according to the following policy.
The GDPR applies to entities both inside and outside the EU. In addition, the regulations apply to data about anyone present in the EU, regardless of whether they are a citizen or permanent resident of an EU country; for example, GDPR includes U.S. persons when their personal data is collected, stored and used in the EU or transferred from the EU.
The GDPR defines “personal data” as follows:
“…any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (including information that is manually or automatically read, such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This policy describes the University’s measures to manage and protect personal data that may be subject to the GDPR.
Categories of Data
To provide services to employees and the public, administer its programs, and perform contractual obligations, UADA may collect, process, and transfer various types of personal data, including but not limited to: name; application information; employment records; contact information, including phone numbers, email addresses, and mailing addresses; and date of birth.
The GDPR requires personal data to be processed lawfully, fairly and in a transparent manner, limited only to the data which is necessary, maintained for accuracy, stored only for the length of time required or needed, and safeguarded against unauthorized disclosure. Processing includes performing a task with the personal data such as collection, recording, storage, alteration, retrieval, disclosure by transmission, dissemination, or otherwise making the data available.
The legal bases under the GDPR which permit UADA to collect and process personal data include, but are not limited to, the following: (1) the data subject has given consent to the processing for a specific purpose; (2) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; (3) the processing is necessary for compliance with a legal obligation to which UADA, as controller of the data, is subject; (4) the processing is necessary in order to protect the vital interests of the data subject or another natural person; (5) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in UADA; or (6) the processing is necessary for the legitimate interests pursued by UADA or by a third party, except where such interests are overridden by the interest of the fundamental rights and freedoms of the data subject which require protection of the personal data.
Special Categories of Data
Personal data revealing ethnic origin, health, criminal convictions and offenses, and certain other sensitive matters (collectively “Sensitive Data” as defined by the GDPR) may be requested by UADA. With the exception of criminal convictions, data subjects are not obligated to provide Sensitive Data and do so on a voluntary basis. UADA makes every effort to process Sensitive Data only with data subjects’ consent. In some circumstances, health information may be required under state or federal law in order for UADA to provide services, or in the interest of public health and safety. Subject to the above limitations, data subjects may revoke their consent regarding Sensitive Data at any time.
Data Subject Rights
Subject to limitations established by legal requirements, UADA Policies, and regulatory guidelines, data subjects have the right to:
- Access their personal data that we process;
- Rectify inaccuracies in personal data that we hold about them;
- Have their details removed from systems that we use to process their personal data;
- Restrict the processing of their personal data in certain ways;
- Obtain a copy of their personal data in a commonly used electronic form;
- Object to certain processing of their personal data by us; and
- Request that we stop sending them direct marketing communications.
UADA will act to fulfill such rights as promptly and as fully as possible.
Data Security Measures
UADA maintains and implements policies designed to protect the confidentiality and security of personal data and to address records retention. Relevant policies include but are not limited to:
UA Board of Trustees Policies
- 540.1—Student Education Records and the Family Educational Rights and Privacy Act (FERPA)
Retention of Personal Data
Personal data will be retained by UADA in accordance with applicable federal and state laws, regulations, and accreditation guidelines, as well as UADA policies. Personal data will be destroyed when no longer required for UADA services and programs, upon request or after the expiration of any applicable retention period, whichever is later. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of information given the level of sensitivity, value and critical importance to UADA.
In the event that there is a data breach involving covered personal data of employees, constituents, or vendors, UADA will notify the appropriate supervisory authorities within 72 hours, where feasible, after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Furthermore, UADA will also notify individual data subjects of a data breach regarding their personal data if the breach is likely to result in a high risk to their rights and freedoms. The notification to data subjects will include the nature of the breach and recommended steps the data subject should take in order to mitigate potential adverse effects. Initial notification may be general in nature and supplemented as additional information becomes known.
For more information regarding this statement, please contact:
Chief Operating Officer
2301 S University Ave.
Little Rock AR 72204-4940