PIPL Privacy Notice
1. Purpose
The University of Utah (the “University”) is committed to respecting and protected the privacy rights of natural persons within the borders of the People’s Republic of China, pursuant to the Personal Information Protection Law of the People’s Republic of China (the “PIPL”). This PIPL Privacy Notice describes the University’s commitment to the principles of openness and transparency and is the explicit, truthful, accurate and full notification pursuant to PIPL.
2. Does This PIPL Privacy Notice Apply to Me?
This PIPL Privacy Notice applies to you if:
- You are a natural person – meaning you are an individual, not a corporation – who is physically present in the People’s Republic of China;
- It is with respect to your “Personal Information” – meaning all kinds of information, recorded by electronic or other means, related to identified natural persons and provided or collected while you are in the People’s Republic of China; and
- Such Personal Information is provided to the University:
- During the course of the University offering you goods or services;
- While the University is monitoring your behavior or health;
- While you are associated with any of the University’s programs;
- While you are participating in clinical research programs; or
- While you are receiving health treatment.
3. What Personal Information Does the University Process?
We process your Personal Information, meaning we collect, record, organize, structure, store, adapt, alter, retrieve, consult, use, disclose by transmission, disseminate, make available, align, combine, restrict, erase, or destroy your Personal Information.
A. General Categories
Depending on the specific purpose for processing Personal Information, the University may process the following general categories of Personal Information:
-
- Names
- Addresses
- Telephone numbers
- Email addresses
- Identification numbers including but not limited to social security numbers and driver's license numbers
- University identification numbers
- Personal identification numbers
- Usernames
- Passwords
- Demographic information, including residential information
- Education history
- Entrance exam scores
- Background check information, including criminal records
- Personal references
- Emergency contact information
- Financial information and family financial information including credit and debit-card numbers, tax information, financial aid information, and insurance and benefits information
- Transaction history
- Business information
- Passport and visa information
- Work history
- Donation history
- Insurance information
- Military service
- IP addresses
- Location information
- Device information
- Metadata
- Education records including but not limited to coursework, correspondence, evaluations, disciplinary complaints, and other records, and files maintained by the University as part of the educational process
- Any requests for accommodations or leave
- Medical history and treatment information
- Family medical history information
- Disability information
- Biometric and genetic information
- Photographs
- Purchasing activity to secure food, lodging, and other services for you
B. Categories of Sensitive Personal Information
In order to fulfill certain of the purposes identified in the table below, the University may need to request categories of Sensitive Personal Information -information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, specific identity, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or treatment, or data concerning a natural person's sex life or sexual orientation.
Before the University processes your Sensitive Personal Information or your criminal conviction Personal Information, if any, the University will inform you of the necessity for processing your Sensitive Personal Information and ask for your separate affirmative consent.
4. Why the University Processes Your Personal Information
| Purpose of Processing | Legal Basis |
| As part of the admissions process, we collect applicant Personal Information to evaluate applications. We also may obtain Personal Information from third parties, such as other schools, references, family members, and education as part of an application package. |
Legitimate Interest: Personal Information collected and processed through the application is necessary to evaluate candidates for admissions and for our internal statistical and analytics purposes.Contract: Personal Information collected and processed through the University application is necessary for the performance of a contract to provide you education services or to take steps at your request prior to entering into a contract to provide you education services.Public task or public interest: Personal information or Sensitive Personal Information may be collected and processed in the exercise of our role as a provider of educational services. As part of admissions or financial aid applications, we may collect and process information related to race, ethnicity, or criminal history.Consent: Personal Information or Sensitive Personal Information may be collected if you have consented to the processing. |
| To support course registration | Legitimate Interest: Personal Information collected and processed for matriculated students, staff, faculty and members of the public, as appropriate for the course, to register in courses or classesContract: Personal Information collected and processed through course-registration sites is necessary for the performance of a contract to provide you education services.Public task or public interest: Personal information or Sensitive Personal Information may be collected and processed in the exercise of our role as a provider of educational services. As part of admissions or financial aid applications, we may collect and process information related to race, ethnicity, or criminal history.Consent: Personal Information or Sensitive Personal Information may be collected if you have consented to the processing. |
| To evaluate and determine whether financial aid opportunities are available to an applicant |
Legitimate Interest: Personal Information collected and processed through the financial aid application is necessary to evaluate whether the applicant is eligible to receive financial aid and for our internal statistical and analytics purposes.Contract: Personal Information collected and processed through the financial aid application is necessary for the performance of a contract to provide you financial aid or to take steps at your request prior to entering into a contract to provide you financial aid.Public task or public interest: Personal information or Sensitive Personal Information may be collected and processed in the exercise of our role as a provider of educational services. As part of admissions or financial aid applications, we may collect and process information related to race, ethnicity, or criminal history.Consent: Personal Information or Sensitive Personal Information may be collected if you have consented to the processing. |
| To facilitate housing for individuals studying or participating in programs at or through the University |
Legitimate Interest: Personal Information will be collected and processed to facilitate housing.
Contract: Personal Information will be collected and processed to perform on a contract or Public task or public interest: Personal information or Sensitive Personal Information may be collected and processed |
| To provide training and educational programs | Legitimate Interest: To facilitate provision of on-line education courses to matriculated students, staff, faculty and members of the public, as appropriate for the courseContract: Personal Information collected and processed through the application is necessary for the performance of a contract to provide you education services or to take steps at your request prior to entering into a contract to provide you education services.Public task or public interest: Personal information or Sensitive Personal Information may be collected and processed in the exercise of our role as a provider of educational services. As part of admissions or financial aid applications, we may collect and process information related to race, ethnicity, or criminal history.Consent: Personal Information or Sensitive Personal Information may be collected if you have consented to the processing. |
| To facilitate application for and sponsoring of visas to study, work, and/or research at the University, including all functions necessary to comply with applicable immigration laws |
Legitimate Interest: To facilitate employment, research, and study opportunities and comply with relevant lawsContract: Personal Information will be collected and processed to perform on a contract or to take steps at your request. |
| To process employment applications and independent-contractor information | Legitimate Interest: For individuals interested in employment opportunities, processing applications
Contract: Personal Information or Sensitive Personal Information will be collected and processed |
| To receive donations | Legitimate Interest: To collect and process donations/gifts and donor information
Legal obligation: Personal Information may be collected in order to process and record donations and |
| To purchase tickets to events | Contract: To process ticket payment for a variety of events |
| For event registration | Legitimate Interest: To process registration for sports, cultural, educational and other events
Public task: Personal information may be collected and processed in the exercise of our role |
| To purchase parking passes and permits | Contract: To facilitate payments for parking passes and permits |
| To submit requests for services (e.g., IT, help desk, help line, etc.) | Legitimate Interest: To process service requests from students, staff and faculty
Contract: If there is a contract that governs your use of such services, Personal Information |
| Travel arrangements | Legitimate Interest: To facilitate travel arrangements and coordination for students and affiliated travelers through University programsContract: If there is a contract that governs your use of travel sites, Personal Information is collected and processed pursuant to that contract. |
| Emergency situations | Vital Interest: Our collection and processing of your Personal Information to protect an interest that is essential to your life or the life of someone else |
| To stay connected with University alumni | Legitimate interest: To maintain strong relationships with University alumni and for communicating unsolicited non-commercial messages.Contract: Personal Information may be collected in order to process transactions, offer services, or process your requests. |
| To provide treatment and health services | Legitimate interest: Our collection and processing of your Personal Information for the purposes of preventative or occupational medicine, for assessing the working capacity of an employee, for medical diagnosis, for providing health or social care or treatment, or for managing health or social care systems and services on the basis of United States and state lawsContract: If there is a contract that governs the terms of treatment, Personal Information is collected and processed pursuant to that contract.Medical Treatment or Public Health: Personal Information or Sensitive Personal Information may be collected and processed in order to provide medical treatment or in the interest of public interest in the area of public health. We may collect and process information related to race or ethnicity in order to provide care.Consent: Personal Information or Sensitive Personal Information may be collected if you have consented to the processing. |
| To protect vital interests when the subject is incapable of providing consent | Legitimate interest: Our collection and processing Personal Information, such as health related personal information, when necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.Vital Interests: Personal Information or Sensitive Personal Information may be collected and processed in order to protect your interests in the event you are unable to consent, such as in emergency or health care situations |
| Information made public by you | Legitimate interest: Our collection and processing of data made public by you for purposes of processing admissions, sponsoring of visas, processing applications for employment, responding to emergency situations, providing treatment and health services, protecting vital interests when the subject is incapable of consent, as necessary for judicial proceedings, as necessary for public health, or for other reasons that are described when you are asked to provide the data. |
| Judicial proceeding | Legitimate interest: Our collection and processing that is necessary for the establishment, exercise, or defense of legal claims or where courts are acting in their judicial capacityLegal obligations: Personal Information or Sensitive Personal Information may be collected and processed if necessary for compliance with a legal obligation or as related to a legal claim. |
| Public interest such as for taxation; reporting crimes; humanitarian purposes; preventive or occupational medicine; public health; social care; or quality and safety of products, devices and services; and as required by law or for legal reporting requirements |
Legitimate interest: Our collection and processing Personal Information necessary for reasons of substantial public interest on the basis of United States or state laws that is proportionate to the aim pursued and which contains appropriate safeguarding measuresLegal obligations: Personal Information or Sensitive Personal Information may be collected and processed if necessary for compliance with a legal obligation.Public task: Personal information or Sensitive Personal Information may be collected or processed in the exercise of our role as a provider of educational services. |
| Public health and safety reporting requirements | Legitimate interest: Our collection and processing Personal Information that is necessary for public interest reasons in the area of public health, including protection against threats to health or ensuring high standard of quality and safety of health care, medicinal products, or medical devicesLegal obligations: Personal Information or Sensitive Personal Information may be collected and processed if necessary for compliance with a legal obligation.Public task: Personal information or Sensitive Personal Information may be collected and processed in the exercise of our role as a provider of educational services.Public Health: Personal Information or Sensitive Personal Information may be collected and processed as necessary for the public interest in the area of public health. |
| Research | Legitimate interest: Our collection and processing Personal Information for scientific and historical research purposes or statistical purposesContract: If there is a contract that governs, Personal Information is collected and processed pursuant to that contract.Public interest or public health: Personal Information or Sensitive Personal Information may be collected and processed as it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.Consent: Personal Information or Sensitive Personal Information may be collected and processed if you have consented to the processing. |
5. How Does the University Protect Your Personal Information
The University adopts necessary measures to safeguard the security of the personal information it handles. University Policy 4-004 ensures compliance with all applicable federal, state, and local laws, regulations and statutes and ensures the protection of Information Assets, Information Systems, and IT Resources. The University regularly engages in audits personal information handling compliance with laws and regulations.
6. How Does the University Receive Your Personal Information?
A. From Third Parties:
The University may also receive your Personal Information from third parties. Examples include college entrance exam scores received from testing agencies, and online course registration information received from third parties that administer online courses. The University also may receive information from other individuals or institutions who provide treatment and services, from public health services, from law enforcement, and from other clinical researchers, as well as from those who process the information provided on behalf of these entities.
B. From You, the Data Subject.
The University may receive your Personal Information when you visit the University's websites, apply for or attend classes or programs, apply for or take online courses, travel with the University to a location in the People’s Republic of China, attend events sponsored by the University in the People’s Republic of China, participate in clinical research, voluntarily or involuntarily receive medical treatment or services, or otherwise interact with the University in the People’s Republic of China.
7. Who Processes Your Personal Information?
A. University Personnel:
Your Personal Information may be processed by University trustees and employees, including faculty, researchers, medical professionals, financial-aid counselors, human resources professionals, law-enforcement officers, and others, as may be necessary to carry out the purposes for processing the information and University activities.
B. University Related Organizations:
The University may share your Personal Information with the University's related organizations.
C. Third Parties:
The University may share your Personal Information with third parties, such as: educational-platform providers and course partners to further the purposes for processing the information and University activities; U.S. and foreign government entities to fulfill regulatory obligations (e.g., visa processing or public health or legal processing) and to facilitate access to funding sources (e.g., financial aid); partner institutions to facilitate study abroad activities; and vendors to provide services related to your affiliation with the University (e.g., print diplomas, arrange housing) and to improve the University's outreach efforts.
The University may disclose your Personal Information to legal or governmental regulatory authorities as required by applicable law. We may also disclose your Personal Information to third parties as required by applicable law in connection with claims, disputes, or litigation, when otherwise required by applicable law, if we determine disclosure is necessary to protect the health and safety of you or us, to enforce our legal rights, or to enforce contractual commitments that you have made.
The University may share your Personal Information with third parties who complete transactions or perform services on our behalf or for your benefit, including functions related to payment and operation, legal processes, benefits assistance, and for quality control purposes. The University also may share your information with other entities or individuals as described in the University of Utah Health's Notice of Privacy Practices: http://uofuheaIth.utah.edu/privacy-office/docs/notice-of-privacy-practices-english.pdf
Please note that the University may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this PIPL Privacy Notice.
8. How Long Does the University Keep Your Personal Information?
The University keeps your Personal Information as required by law or our policies to perform our legitimate interests, contracts, and substantial public interests. The University keeps your Personal Information for the shortest period necessary to realize the purpose of the personal information handling. Many of our record retention schedules can be found at the Utah Division of Archives and Record Services' website.
Here is a direct link to the retention schedules for the State of Utah which apply if we do not have a retention schedule for the type of records in our retention schedules https://axaemarchives.utah.gov/solr/axaem/GRSItem.
9. What Are Your Rights as a Data Subject?
As a Data Subject, you have certain rights. This PIPL Privacy Notice summarizes what these rights under the PIPL and how you can exercise these rights. More detail about each right, including exceptions and limitations, can be found in Articles 15-17, 24, and 44-47 of the PIPL.
Please note: Nothing in this PIPL Privacy Notice is intended by the University to waive sovereign immunity or any other defenses or immunities afforded by any or all U.S. federal law, Utah state law, other applicable state law in the United States, and Chinese law.
The Right to Withdraw Consent
If the basis for processing your Personal Information is consent, you may revoke your consent at any time. Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, the University will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims. Revoking consent does not affect the lawfulness of processing that occurred before the revocation.
The Right to Non-Discrimination
The University will not discriminate against you for exercising your right to withdraw consent. Unless the University needs your Personal Information to perform a contract or provide a service, the University will not withhold services from you because you do not consent to use of your Personal Information.
The Right to Be Informed
Before the University processes your Personal Information, you have the right to know: Why the University will collect your data; How long the University will retain your data; How you can exercise your data privacy rights; and How you can contact the University’s Personal Information Handler. This is the purpose of this PIPL Privacy Notice.
The Right to Refuse Automatic Decision Making
You have the right to opt out of automated decision making based on your personal data.
The Right to Amend
You have the right to request that the University correct any inaccurate Personal Information that it maintains about you. You also have the right to request that the University complete any incomplete Personal Information that it maintains about you, which could be accomplished by incorporating a supplementary statement that you submit. If the University concurs that the Personal Information is incorrect or incomplete, the University will promptly correct or complete it.
The Right to Request Deletion
You have the right to request the deletion of Personal Information that the University maintains about you in certain circumstances. These circumstances are identified in Article 47 of the PIPL and include that the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected.
Subject to applicable U.S., state, and Chinese law, and University policies, including but not limited to its Privacy Statement, and provided that there are no overriding legitimate grounds for the University to retain the Personal Information, the University will comply with the request and will take reasonable steps to inform any third parties with whom the Personal Information was shared.
The Right to Make Decisions Regarding Personal Information
You have the right to have control over your personal data. You can decide who accesses and/or handles your data.
The Right to Data Portability
You have the right to receive a copy of your Personal Information in a University will provide the Personal Information in a portable format, such as by email or PDF. The University will provide your Personal Information in a timely manner.
10. How to Exercise Your Rights
In order to exercise any of these rights, except the right to file a complaint with a department under the State Council, you should submit your request to the University's Information Security Office:
Email: iso-grc@utah.edu
Telephone: 801-587-1925
Address: UIT Information Security Office
The University of Utah
102 S 200 E, Suite 110
Salt Lake City, UT 84111
At that time, you will be asked to:
- Identify yourself
- Provide information to support that the PIPL applies to you
- Identify the specific information or data that you are concerned about
- State what right(s) you wish to exercise
To expedite processing your request, please identify the data-collection location (e.g., the website where your Personal Information was collected), if known.
11. How Does the University Respond to Requests for Personal Information?
In addition to the rights provided by the PIPL, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, or University policy. When you submit a request to the University to exercise your rights, it will respond in accordance with existing University policies and procedures that implement the relevant privacy law(s). These include, but are not limited to, policies pertaining to student education records and policies pertaining to certain health records that the University maintains.
12. Existence of Automated Individual Decision-Making
The University may use automated decision-making, including profiling, to help identify prospective University supporters and its activities. The logic would take an all-factor approach to assessing a possible donor's propensity to support the University and may result in a prospective donor being contacted to explore support opportunities.
You will not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or performing a contract or unless you explicitly consent.
13. Transfer of Personal Information outside the People’s Republic of China
The University is based in the U.S. and is subject to U.S. Federal and Utah State law. Personal Information that you provide to the University will generally be hosted on U.S. servers. To the extent that the University needs to transfer your information either (a) from the People’s Republic of China to the U.S. or another country or (b) from the U.S. to another country, the University will do so only on a lawful basis and upon receipt of the Data Subject’s separate, informed consent to the transfer.
Before any data is transferred overseas, the University will ensure that: There is sufficient security measures in place to protect the data before, during, and after the transfer, including by passing a security assessment organized by the State cybersecurity and informatization department; the University will keep a clear record of any overseas data transfers that are made; and the University will conduct an impact assessment before the transfer.
14. How Do I Contact the University, the Personal Information Handler?
The University is the Personal Information Handler. If you have any questions about anything contained in this PIPL Privacy Notice, please contact the University's Information Security Office:
Email: iso-grc@utah.edu
Telephone: 801-587-1925
Address: UIT Information Security Office
The University of Utah
102 S 200 E, Suite 110
Salt Lake City, UT 84111
15. PIPL
If you are interested in reviewing an English version of the PIPL please see Translation: Personal Information Protection Law of the People’s Republic of China – Effective Nov. 1, 2021 (stanford.edu).
16. Updates to PIPL Privacy Notice
The University may update this PIPL Privacy Notice from time to time. Any changes will become effective upon posting of the revised PIPL Privacy Notice.