Web Privacy Notice

Scope

The Big Ten Academic Alliance (“Consortium”) owns, controls, operates and/or maintains Web sites under a number of domains hosted by the University of Illinois (collectively, “Consortim Web”). This Web Privacy Notice applies to all domains within Consortium Web.

Purpose

As part of its commitment to maintain the privacy of users of Consortium Web sites, the Consortium has developed this privacy notice. The notice has three purposes:

1. To inform users and Web practitioners about specific privacy guidelines employed at the Consortium.
2. To notify users about the terms and conditions governing use of the Consortium Website.
3.  To notify users this notice applies generally to the provision of personal information by individuals in the European Economic Area. It explains how the Consortium meets its obligations under the European Union General Data Protection Regulation with respect to such information.

Rule on Sharing of Information

The Consortium uses the Consortium Web for business purposes and is committed to ensuring the privacy of personal information. Use of the Consortium Web is subject to all applicable state and federal laws, as well as our general policies. It is our usual practice not to share any personal information with those outside the Consortium. However, when circumstances arise for the need to share information gathered from its Consortium Web servers, the Consortium may share as:

• authorized by law,
• permitted under our policies,
• authorized by an approved Consortium contract,
• clearly stated at a Consortium Web site that such information will be shared and the user indicates consent by providing the information,
• consent is otherwise given,
• available, certain student and employee demographic information with the Consortium member institutions and other educational institutions with questions about students who have been admitted or earned a degree from a member institution, or
• authorized for good cause by the Provosts of the Consortium.

Exceptions to Rule

The Consortium Web consists of several Web servers. Some servers hosted by the Consortium may adopt different privacy notices as their specific needs require. If another Consortium Web server has a privacy notice that is different from this notice, then that notice must be approved by the Consortium Executive Director or equivalent administrator responsible for that domain, and it must be posted on the site that has adopted the different notice. However, those sites cannot adopt a privacy notice that in any way supersedes federal or state laws or regulations or our policies.

Online Surveys and Other Information Provided by the User

In the course of using Consortium Web sites, a user may choose to provide information to help the Consortium serve that user’s needs. At any time there are numerous online surveys being conducted on Consortium Web sites. Person(s) responsible for conducting online surveys that collect personally‑identifiable information should clearly state at the survey site the extent to which any information provided will be shared. Aggregate data from surveys may be shared with external third parties in ways that do not compromise privacy.

Public Forums

Some units of the Consortium provide mailing lists, forums, and message boards for their users. Any information that is disclosed in these areas may become public information and a user should therefore exercise caution when deciding to disclose one’s personal information in such places. Message board sessions and discussion forums may be logged.

E-Commerce

Several sites within the Consortium enable payment for products or services online with a credit card. These transactions are commercially secure and utilize a centralized process. The Consortium follows the policies set forth by the University of Illinois at Urbana‑Champaign. For additional details, see Section 21 of the University’s Business and Financial Policies and Procedures Manual (“Credit Card Sales Through Unit Web Sites”) at:

https://www.obfs.uillinois.edu/bfpp/section-21-merchant-card

Rules for Individuals under Thirteen Years of Age

The Consortium is committed to complying fully with the Children’s Online Privacy Protection Act. Accordingly, if a user of the Consortium Web is under the age of thirteen, such user is not authorized to provide the Consortium with personally identifying information, and the Consortium will not use any such information in its database or other data collection activities. The Consortium appreciates cooperation with this federally mandated requirement. Users under the age of thirteen and their parents or guardians are cautioned that the collection of personal information volunteered by unauthorized children online or by e‑mail will be treated the same as information given by an adult until the Consortium becomes aware that the user is under the age of thirteen and such information may be subject to public access.

Server Log Information the University Gathers

Consortium Web servers generate logs that may contain information about computers or devices used to access the Consortium Web, or about general activity on the Consortium Web, such as the following: 

• Internet address of computer or device
• Type of browser or other client application used
• The operating system of the computer or device
• Web pages requested
• Referring Web pages
• Time spent on the site

The Consortium Web server administrators may produce summary reports from these logs and share that information with Consortium Web content managers. Consortium Web content managers typically use this information in aggregate to understand what pages are popular, how users are navigating to and within their site, and when their sites are used most frequently. The Consortium strongly discourages the inclusion in server logs of information that could identify individuals. The above Rule on Sharing of Information and the Exceptions to Rule detail when such associations occur.

Cookies and Login Security

Cookies are small pieces of data stored by a Web browser on a user’s computer. Cookies are often used to retain information about preferences and pages a user has visited. For example, when a user visits some sites on the Web, one might see a “Welcome Back” message. The first time one visited the site a cookie was probably stored on the user’s computer; when the user returns, the cookie is read again. One can refuse to accept cookies, one can disable cookies, and one can remove cookies from one’s hard drive.

Some sites require the use of cookies in order to access the site, such as Consortium Web sites requiring Big Ten Academic Alliance credentialed authentication. Consortium Web servers sometimes use cookies with Web sites that require Consortium community members, such as students, staff and faculty, to log in with their own member university provided NetID and password. Consortium community members are normally required to enter their respective NetID and password when a member requests data about himself/herself or to ensure that the person is a member of the Consortium community. These cookies are used to avoid duplicate entry of user names and passwords to access various parts of the Consortium Web site. The Consortium Web administrators are expected to to handle the login process through a secure connection, so the user name and password are encrypted between the Consortium Web browser and the Consortium Web server.

Transactional Versus Permanent Cookies

Since it the Consortium is hosted by the University of Illinois, itis committed to fully complying with the State Agency Web Site Act (Public Act 093‑117) which becomes effective January 1, 2004. Consequently, Consortium Web sites may use transactional cookies that facilitate business transactions and may not use permanent cookies or any other invasive tracking programs that monitor and track Consortium Web site viewing habits unless:

1. the use of permanent cookies adds value to the user otherwise not available;
2. there is a comprehensive online statement at the particular Consortium Web site where such permanent cookies or other invasive monitoring and tracking programs are utilized that discloses:
   1. all types of information collected at that site;
   2. the Consortium's use of that information; and
   3. how the collection and use of this information adds value to the user; and
3. there is a link to this comprehensive Web Privacy Notice from that particular Big Ten Academic Alliance Web site where such permanent cookies or other invasive monitoring and tracking programs are utilized.

The Consortium follows the policy of the University of Illinois on Permanent Cookies. 

The University Policy on Permanent Cookies can be found at https://www.vpaa.uillinois.edu/resources/cookies.

Social Security Numbers

The Consortium follows the policies of the University of Illinois for Social Security Number. The policy for the proper procedures in collecting, maintaining and disseminating social security numbers of students, employees and individuals can be found online at the following locations:

http://www.ssn.uillinois.edu
http://www.obfs.uillinois.edu/bfpp/section-19

FERPA

The Consortium also complies with the Family Educational Rights and Privacy Act (FERPA), which generally prohibits the release of student education records without student permission. The Consortium follows the University of Illinois Urbana campus policy For more details on FERPA, see the explanation at:

Urbana: https://registrar.illinois.edu/ferpa

However, FERPA does permit the release of public or “directory” information about students. Information about suppressing the release of “directory” information can be obtained at:

Urbana: http://studentcode.illinois.edu/article3_part6_3-601.htm

Consortium Privacy Notice for certain persons in the European Economic Area (“EEA”).

1. Commitment to protecting privacy and transparency 

The Consortium is committed to respecting and protecting the privacy rights of persons in the EEA—comprised of the European Union (“EU”) and the countries of Iceland, Norway, and Lichtenstein—pursuant to the EU General Data Protection Regulation(“GDPR”). This Supplemental Notice describes our commitment to the privacy of persons in the EEA. 

2. Does this GDPR Notice apply to me?

 This GDPR Notice applies to you if: 

• You are a “Person” or “Data Subject”—meaning a natural person, not a corporation, partnership, or other legal entity—who is physically present in the EEA; 

• It is with respect to your “Personal Information”—meaning any information relating to an identified or identifiable person—that is provided while you are physically present in the EEA; 

• Such Personal Information is not earlier or later provided to the Consortium while you are outside the EEA; and 

• Such Personal Information is provided to the Consortium: 

• During the course of offering you goods or services; 

• While we are monitoring your behavior; or 

• While you are associated with any of the Big Ten Academic Alliance’s establishments in the EEA. 

3. What Personal Information does the Big Ten Academic Alliance process? 

General categories

The Consortium processes the following general categories of Personal Information: names; addresses; telephone numbers; email addresses; identification numbers including but not limited to social security numbers, University identification numbers, usernames; passwords; demographic information; transcripts; personal references; financial information such as credit and debit card numbers, and financial aid information; IP addresses; device information; metadata; education records such as coursework, correspondence, and other information to support the purposes set forth in Table 1, below. 

The Consortium requires Personal Information only when necessary. Table 1 identifies the purposes for which the Consortium processes Personal Information and the legal basis for each purpose. 

Special categories

In order to fulfill certain of the purposes identified in Table 1, we may need to request special categories of Personal Information—information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.  

Before we process your special category Personal Information or your criminal conviction Personal Information, if any, the Consortium will ask for your affirmative consent unless we have another legal basis for the processing, in which case we will inform you of that basis. 

Purposes for which the Consortium processes Personal Information 

4. How does the Consortium receive your Personal Information?

From you The Consortium may receive your Personal Information when you visit our websites, attend our programs, apply for or take online courses, work for the Consortium at a location in the EEA, attend events sponsored by the Consortium, or otherwise interact with the Consortium. From third parties The Consortium may also receive your Personal Information from third parties. Examples include online course registration information received from third parties that administer online courses (e.g., Coursera, Inc.).

5. Who receives/processes your Personal Information?

Consortium personnel

Your Personal Information may be processed by Consortium employees and others, as may be necessary to carry out the purposes for processing the information and the activities of the Consortium.

Consortium Related Organizations

The Consortium may share your Personal Information with Related Organizations, such as the Consortium Member Institutions

Third parties

The Consortium may share your Personal Information with third parties, such as: educational platform providers and course partners to further the purposes for processing the information and the activities of the Consortium; U.S. and foreign government entities to fulfill regulatory obligations (e.g., visa processing) and to facilitate access to funding sources (e.g., financial aid); partner institutions to facilitate study abroad activities; and vendors to provide services related to your affiliation with the Consortium (e.g., arrange housing).

Please note that the Consortium may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this Supplemental Notice.

6. How long does the Consortium keep your Personal Information?

The Consortium retains Personal Information in accordance with applicable law. The Consortium follows records retention schedules for the University of Illinois and these can be found on the Records and Information Management records management webpage: https://www.uillinois.edu/cio/services/rims/retention_and_disposal/records_retention/.

7. What are your rights as a Data Subject?

As a Data Subject pursuant to the GDPR, you have certain rights. This Supplemental Notice summarizes what these rights under the GDPR involve and how you can exercise these rights. More detail about each right, including exceptions and limitations, can be found in Articles 15-21 and 77 of the GDPR.

Please note: Nothing in this Notice is intended by the Consortium to waive sovereign immunity or any other defenses or immunities afforded by any or all U.S. federal law, Illinois state law, and EU law.

Right of access

You have the right to request that the Consortium confirm whether it is processing your Personal Information. If the Consortium is processing your Personal Information, you have the right to access that Personal Information, and the Consortium will provide you with a copy of that Personal Information unless prevented by applicable law.

Right to have inaccurate Personal Information corrected

You have the right to request that the Consortium correct any inaccurate Personal Information that it maintains about you. You also have the right to request that the University complete any incomplete Personal Information that it maintains about you, which could be accomplished by incorporating a supplementary statement that you submit. If the Consortium concurs that the Personal Information is incorrect or incomplete, the Consortium will promptly correct or complete it.

Right to erasure

You have the right to request the erasure of Personal Information that the Consortium maintains about you in certain circumstances. These circumstances are identified in Article 17 of the GDPR and include that the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected.

Subject to applicable U.S., state, and EU law and our policies, including but not limited to its Web Privacy Notice, and provided that there are no overriding legitimate grounds for the Consortium to retain the Personal Information, the Consortium will comply with the request and will take reasonable steps to inform any third parties with whom the Personal Information was shared.

Right to restriction of processing

You have the right to request that the Consortium restrict the processing of your Personal Information where one of the reasons identified in Article 18 of the GDPR apply. These reasons include that the Personal Information is inaccurate, the processing is unlawful, or the Consortium no longer needs the Personal Information.

If the Consortium grants your request to restrict processing, the Consortium will only process that Personal Information with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable U.S., state, or EU law.

Right to data portability

Where the basis for processing is either consent or performance of a contract between you and the Consortium, and where the processing is carried out by automated means, you have the right to receive your Personal Information that you have provided to the Consortium. The Consortium will provide the Personal Information in a structured, commonly used, and machine-readable format. Where technically feasible and upon your request, the Consortium will transmit the Personal Information directly to another entity.

Right to withdraw consent

If the basis for processing your Personal Information is consent, you may revoke your consent at any time. Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, the Consortium will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims. Revoking consent does not affect the lawfulness of processing that occurred before the revocation.

Right to object to processing

In certain situations, you may have the right to object to processing of your Personal Information

Public Interest or Legitimate Interests.If the basis for processing your Personal Information is public interest or legitimate interests, you have the right to object to processing the Personal Information. The Consortium will cease processing unless the Consortium demonstrates overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.

Right to file a complaint

You have the right to submit a complaint with an EU supervisory authority, in particular the one in the EU Member State of your habitual residence, place of work, or place of the alleged violation, if you believe that the Consortium’s processing of your Personal Information violates the GDPR.

For more information on the process for submitting a complaint, consult the relevant EU supervisory authority: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

8. How to exercise your rights

In order to exercise any of these rights, except the right to file a complaint with an EU supervisory authority, you should submit your request to Consortium GDPR Compliance: 
Email: support@btaa.org

Address: 

Big Ten Academic Alliance
Attn: Coordinator of Operations
1819 S Neil Street, Suite D 
Champaign, IL 61820

Telephone: +1 217-333-8475 

At that time, you will be asked to: 1) identify yourself; 2) provide information to support that the GDPR applies to you (see Section 2, above); 3) identify the specific information or data that you are concerned about; and 4) state what right(s) you wish to exercise.

To expedite processing your request, please identify the data collection location (e.g., the website where your Personal Information was collected), if known.

9. How does the Consortium respond to requests for Personal Information?

In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, or our policy. When you submit a request to the Consortium to exercise your rights, the Consortium will respond in accordance with existing Consortium policies and procedures that implement the relevant privacy law(s). These include, but are not limited to, policies pertaining to student education records and other policies maintained by the Consortium.

10. Transfer of Personal Information outside the EEA

The Consortium is based in the U.S. and is subject to U.S. and Illinois law. Personal Information that you provide to the Consortium will generally be hosted on U.S. servers. To the extent that the Consortium needs to transfer your information either (a) from the EEA to the U.S. or another country or (b) from the U.S. to another country, the Consortium will do so on the basis of either (i) an “adequacy decision” by the European Commission; (ii) EU-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which you may request, if applicable, by contacting the Consortium as set forth in Section 12; (iii) your explicit and informed consent; or (iv) it being necessary for the performance of a contract or the implementation of pre-contractual measures with the Consortium, in which case the Consortium will inform you of the intent to transfer the Personal Information. Please note that the U.S. is not currently considered a safe harbor country under the GDPR.

11. How do I contact the data controller?

The Consortium is the data controller. If you have any questions about anything contained in this Supplemental Notice, please contact Big Ten Academic Alliance GDPR Compliance: 
Email: support@btaa.org
Telephone: +1 217-333-8475
Address: 
Big Ten Academic Alliance 1819 S Neil Street, Suite D 
Champaign, IL 61820 
Attn: Coordinator of Operations

12. GDPR

If you are interested in reviewing an English version of the GDPR, please see http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.

13. Updates to Web Privacy Notice

The Consortium may update this Web Privacy Notice from time to time. Any changes will become effective upon posting of the revised Web Privacy Notice.

LEGAL NOTICES OF TERMS AND CONDITIONS

Access to the Consortium Web is provided subject to the following terms and conditions. Please read these terms carefully as use of the Consortium Web constitutes acceptance of all of the following terms and conditions:

Disclaimer of Liability

Neither the Consortium, nor any of its units, programs, employees, agents or individual trustees, shall be held liable for any improper or incorrect use of the information described and/or contained in the Consortium Web and assumes no responsibility for anyone’s use of the information. In no event shall the Consortium Web, the Consortium or its units, programs, employees, agents or individual trustees be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement or substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this system, even if advised of the possibility of such damage. This disclaimer of liability applies to any damages or injury, including but not limited to those caused by any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communication line failure, theft or destruction or unauthorized access to, alteration of, or use of record, whether for breach of contract, tortious behavior, negligence or under any other cause of action.

Disclaimer of Warranties and Accuracy of Data

Although the data found using the Consortium’s access systems have been produced and processed from sources believed to be reliable, no warranty, express or implied, is made regarding accuracy, adequacy, completeness, legality, reliability or usefulness of any information. This disclaimer applies to both isolated and aggregate uses of the information. The Consortium provides this information on an “as is” basis. All warranties of any kind, express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, freedom from contamination by computer viruses and non-infringement of proprietary rights are disclaimed. Changes may be periodically made to the information herein; these changes may or may not be incorporated in any new version of the publication. If a user has obtained information from any of the Consortium Web pages via a source other than the Consortium pages, be aware that electronic data can be altered subsequent to original distribution. Data can also quickly become out of date. It is recommended that careful attention be paid to the contents of any data associated with a file, and that the originator of the data or information be contacted with any questions regarding appropriate use. If a user finds any errors or omissions, please report them to:

Consortium:  support@btaa.org

Disclaimer of Endorsement

The Consortium is a distributor of content sometimes supplied by third parties and users. Any opinions, advice, statements, services, offers, or other information or content expressed or made available by third parties, including information providers, users, or others, are those of the respective author(s) or distributor(s) and do not necessarily state or reflect those of the Consortium and shall not be used for advertising or product endorsement purposes. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the Consortium.

Disclaimer for External Links

The Consortium Web has links to other Web sites. These include links to Web sites operated by Illinois agencies and officials, other government agencies, nonprofit organizations and private businesses. When a user leaves the Consortium Web and visits another site, the user is subject to the privacy policy of that new site. The Consortium is not responsible for the contents of any off-site pages referenced. The user specifically acknowledges that the Consortium is not liable for the defamatory, negligent, inaccurate, offensive, or illegal conduct of other users, links, or third parties and that the risk of injury from the foregoing rests entirely with the user. Links from Consortium Web pages on the World Wide Web to other sites do not constitute an endorsement from the Consortium. These links are provided as an information service only. It is the responsibility of the user to evaluate the content and usefulness of information obtained from other sites. The Consortium Web contains links to other related World Wide Web sites and resources. Since the Consortium and its Web site is not responsible for the availability of these outside resources or their contents, the user should direct any concerns regarding any external link to its site administrator or webmaster.

Disclaimer of Duty to Continue Provision of Data

Due to the dynamic nature of the Internet, resources that are free and publicly available one day may require a fee or restricted access the next, and the location of items may change as menus, pages, and files are reorganized. The user expressly agrees that use of the Consortium Web is at the user’s sole risk. The Consortium does not warrant that the service will be uninterrupted or error free. The documents and related graphics published on this Web or server could contain technical inaccuracies or typographical errors. Changes are periodically added to the information herein. The Consortium and/or its respective units and programs may make improvements and/or changes in the information and/or programs described herein at any time.

Security

The technology management teams of the Consortium have taken several steps to safeguard the integrity of its communications and computing infrastructure, including but not limited to authentication, monitoring, auditing, and encryption. Security measures have been integrated into the design, implementation and day-to-day practices of the entire BConsortium operating environment as part of its continuing commitment to risk management.

This information should not be construed in any way as giving business, legal, or other advice, or warranting as fail proof, the security of information provided via Consortium supported Web sites.

Choice of Law

Construction of the disclaimers above and resolution of disputes thereof are governed by the laws of the State of Illinois. The laws of the State of Illinois, U.S.A., shall apply to all uses of this data and this system. By use of this system and any data contained therein, the user agrees that use shall conform to all applicable laws and regulations and user shall not violate the rights of any third parties.

Questions

If a user has questions about this privacy notice or believes that the user’s personal information has been released without consent, then send e-mail to:

Consortium: support@btaa.org