GDPR & CCPA

Intro to GDPR and CCPA

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are laws concerning data privacy and security. These laws stipulate what types of information can be collected on individuals, how it needs to be protected while being stored, how long it can be stored, and how individuals can request that their information be deleted, among other regulations. Since Saint Michael’s College has student applicants and employees from countries and states where these laws are applicable, we are required to follow these regulations.

New Data Privacy Requirements

In an effort to ensure compliance with GDPR and CCPA, Saint Michael’s College has enacted new requirements for vendors to follow when collecting, processing, and/or storing information for the college. New contracts with any vendor that performs these functions should include the requirements as listed below in the “Vendor Contract Data Privacy Requirements” section. In addition, Saint Michael’s College has created a new mailbox, privacy@smcvt.edu, to field questions and requests concerning data privacy.

Vendor Contract Data Privacy Requirements

Saint Michael’s College considers the security and privacy of our sensitive data to be of paramount importance. Vendors who engage in collection, storage, analysis, or distribution of the college’s data shall adhere to the following requirements:

  1. Maintain reasonable security and privacy measures: the vendor shall at minimum follow the procedures set forth in NIST SP 800-53A Rev. 4 Assessing Security and Privacy Controls in Federal Information Systems to maintain the confidentiality, integrity, and availability of the college’s data. This includes strong encryption of sensitive data while in transit or at rest, adhering to the cryptographic recommendations of NIST SP 800-175B Guideline for Using Cryptographic Standards in the Federal Government.
  2. Data breach notification: the vendor shall notify Saint Michael’s College as soon as reasonably practical, without undue delay, and not later than 72 hours after becoming aware of unauthorized access to any of the college’s data. Should notification not be made within 72 hours, it shall be accompanied by reasons for the delay.
  3. Data controller/processor designation: where applicable under the General Data Protection Regulation (GDPR), the vendor is designated as the “data controller” for any data provided to the vendor by the college and is designated as the “data processor” for all other personal data collected or otherwise stored, transferred, or processed by the vendor.
  4. Data usage: the vendor shall use personal data only as instructed by the college and not for any other purpose.
  5. Data retention: upon expiration of services provided, the vendor shall provide a digital copy of all data collected or processed that belongs to Saint Michael’s College. After confirmation of receipt, the vendor shall delete personal data belonging to Saint Michael’s College, unless otherwise requested by the college or required by law.