Web Site Privacy Notices
Frequently Asked Questions
Read ISPP-24: Web Site Privacy Notices.
Who is responsible for developing, posting, and maintaining the privacy notice?
The policy stipulates that web site content owners and site managers have a shared responsibility for the privacy notice. This means that functional people or groups who own and/or direct the content for a site should work with the person or group that technically implements the site.
To what web sites does the policy apply? Does my web site need a privacy notice?
The policy applies to university web sites and web applications that are:
- created or maintained either by or for academic, administrative, or auxiliary units of Indiana University,
- and are accessible by individuals who are not university employees, students, or affiliates,
- regardless of whether or not the sites are hosted on university servers or external servers.
This includes the web sites of professional associations and publications that are formally hosted, maintained, or operated by faculty or staff of the university.
However, some web sites are not included in the scope, such as personal home pages and student organizational web sites. Additionally, a web site is not included in scope if it requires authentication for access (i.e., a username and password) such that it cannot be accessed by someone who is not a university employee, student, or affiliate.
Although sites outside the scope of the policy are not required to have a privacy notice, they are encouraged to adhere to the terms of the policy.
Where do I put the notice on my site?
The policy requires that the privacy notice be accessible from at least the home page of the site, and on any page that actively solicits/collects visitor information, such as a page with a form on it. Some sites simply have a link to the notice in the footer of all pages.
When do I need to have this done?
The policy has a compliance date of January 28, 2012.
What's the difference between passively and actively collected visitor information?
Passively collected visitor information refers to information that is collected automatically when people visit the site. Web server log information is an example of passively collected information.
Actively collected visitor information refers to information that site visitors voluntarily provide, such as through a form, or creating a profile, or choosing account settings.
As a content owner, even if you don't actively collect visitor information, you should talk with your technical person (i.e., site manager) to see what information, if any, is collected automatically by the web server.
What should be in my privacy notice?
With respect to collected visitor information, the general principle is that you should "say what you do and do what you say." Regardless of the actual language you use, the privacy notice should accurately reflect your practices regarding the collection and use of information from or about visitors to your site. We have developed a privacy notice generator tool to assist you in this process.
I have a web site that collects educational information about students that I don't want them changing later, and yet the policy talks about a visitor being able to "modify, or delete" information they've provided. Is this a problem?
Often, sites like this require visitors to log in, so that someone who isn't a university employee, student, or affiliate cannot access the site. In such cases, the site does not fall within the scope of the policy.
For sites that do fall within the scope of the policy, note that the policy uses the language, "as appropriate," before the last two bulleted lists in the procedures section. These are lists of items you should address/consider, "as appropriate," within the context of the information involved and how your site is used. If, due to the circumstances, it's inappropriate for a visitor to change certain information, it's not required.
Example:
Let's say a student logs in to a web site/application to take a test. If the authentication mechanism prevents people who aren't part of the university community from accessing the site, then the site falls outside the scope of the policy.
Additionally, since it wouldn't be "appropriate" to allow a student to change test answers, it's not required to allow such changes.