Consistent with the provisions of RISD policies, Rhode Island state law, the Family Educational Rights and Privacy Act (FERPA), the General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act (GLBA), and other privacy-related laws of relevant jurisdiction, the following information addresses RISD’s protection of the data related to RISD website visitors and RISD community members, such as students, faculty, staff, alumni, parents, and prospective students.
This policy describes how RISD collects, uses, and discloses information from its website visitors, including its visitors’ control over certain information. RISD website visitors are entitled to certain rights under applicable laws, and RISD respects its visitors’ privacy.
Information RISD Can Collect & Use
When completing various transactions on the website, an individual may be asked to enter personal identification information, or information that will permit RISD to contact them, register them for a program, deliver digital or physical advertisements/marketing materials, or provide information needed by RISD to perform a contract or comply with a legal obligation. The college may also collect information from targeted internet searches and third-party sources, such as social media and search sites.
When visiting the RISD websites, accessing RISD services online, or purchasing from RISD, individuals may be asked to provide the following types of information:
- Identifying: name, address, email address, telephone number, social media contact, passport and visa information, authenticating information, citizenship, photographs/images, IP address
- Demographic: gender, birth date, photographs, ethnicity (solely if you voluntarily provide this information), veteran status
- RISD Records: degrees, majors, enrollment, affiliation with RISD organizations, awards, activities
- Employment: employer, titles, industry information, work history, references
- Familial: names of partners and children, birth dates, relationships
- Alumni: event attendance, volunteer interests, organizational affiliations, committee participation, awards/honors, exhibitions, gallery affiliation
- Health: medical records, health information, medical history, disability and related accommodations, health insurance, dietary
- Donor: giving information, wealth assessment, indicators of interest in giving
- Analytics: aggregated information related to website visitor activity or email marketing
- Financial: credit cards, banking information, financial aid and associated applications, scholarships, other financial information. Credit card information will be transmitted directly to a third-party company, via a secure connection, to process a credit card sale, in compliance with GLBA where applicable. RISD handles financial information in accordance with the applicable requirements of GLBA.
Use of Personal Information
RISD uses personal information for legitimate purposes in support of RISD’s mission and the services we provide to you under contract. Other legitimate interests may include conducting RISD business pursuant to the college's educational mission, including legitimate interest in marketing, improving RISD services, and keeping accurate, complete records required for RISD operations or pursuant to law.
RISD uses personal information to process registration transactions and communicate with individuals based on preferences and interests. Like many companies and services that accept payment by credit card, RISD may share personal information with qualified third-party vendors in order to process registrations. RISD may send updates via email and physical mailings regarding RISD activities, conduct surveys, provide services, conduct research, perform administrative tasks, and analyze aggregate information about visitors and community members.
It may be necessary to share information with other RISD community members in order to perform RISD functions and deliver services. RISD employees are trained in the appropriate handling and security of personal information.
RISD will disclose personal information to third parties, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to applicable law or comply with legal process served to RISD or this website or (b) protect or defend the rights, property or safety of RISD, its students and employees, and others.
RISD uses various email services and inquiry forms such as Constant Contact, Gmail and Mailchimp to manage email list subscriptions, disseminate promotional updates and send informational messages to various audiences. All email services utilized by RISD contain an “unsubscribe” feature at the bottom of each email which can be used to discontinue receiving email communications.
There is no legal requirement for you to provide information when visiting a RISD site. Cookies may be cleared or disabled by adjusting browser settings. If a user chooses to disable cookies, however, some site functions may not operate correctly.
RISD uses Google Analytics to collect information about the use of our various websites. Google Analytics is a free service that helps marketing professionals understand how people use websites and apps, so actions can be taken to improve the user experience. Google collects the IP address assigned to the user, rather than their actual name or other personal information. Google Analytics can be disabled from capturing individual data by adjusting settings on the web browser.
RISD uses Facebook, LinkedIn, and Google Ads to remarket to users who visit RISD websites. Cookies may be cleared or disabled by adjusting settings on the browser, which may cause some site functions to operate incorrectly. RISD is not responsible for the privacy practices of websites outside of the RISD domain.
Security of Your Personal Information
RISD uses commercially reasonable measures to protect the security of your personal information and to protect your data from loss, misuse, unauthorized access or disclosure, alteration or unnecessary destruction. No transmission over the internet is completely invulnerable to breach.
The Gramm-Leach-Bliley Act (GLBA) requires privacy and data security protections for certain consumer data. RISD’s Chief Information Officer is designated as the Program Officer pursuant to GLBA, and is responsible for coordinating the data security program. This program is designed to safeguard Non-Public Financial Information (NPI), as defined by GLBA, including NPI provided by individuals to RISD, or otherwise obtained by RISD, for the purposes of obtaining a financial product or service from RISD. RISD is considered to be in compliance with the privacy requirements of GLBA, as it is in compliance with FERPA.
To the extent that RISD is considered a financial institution pursuant to GLBA, RISD takes the following steps to secure, safeguard, and maintain confidentiality regarding the NPI it holds:
- A risk-based information security program, which includes a risk identification and assessment related to RISD information security systems, a system for securely storing, transmitting, and disposing of NPI contained in RISD systems, and a process for detecting, preventing, and responding to threats presented to the data security system.
- Selection of third-party service providers, where relevant, who provide appropriate safeguards pursuant to GLBA requirements, including contractual provisions regarding data security and confidentiality.
- Training of employees who handle NPI in appropriate methods of safeguarding and transmitting NPI. Employees who access NPI must have a legitimate purpose for doing so.
- Periodic review and assessment of RISD data security systems and practices at least annually, updating protections, with updates to the RISD community regarding safe data practices.
Personal Information Regarding Minors
RISD websites do not knowingly solicit or accept data from minors without parental consent. RISD assumes that personal information submitted through its websites is provided by adults, unless explicitly indicated otherwise.
Rights for Individuals in the European Economic Area
RISD is considered the data controller for the information indicated in this policy for the purposes of GDPR, as applied to persons physically located in the European Economic Area (EEA), unless otherwise indicated on a site. RISD collects Personal Data about individuals, as described under GDPR laws. RISD collects “Sensitive Personal Information”, solely on a voluntary basis and subject to individual consent, including race, ethnicity, health information, genetic data, religious beliefs, political beliefs, sexual orientation, and trade union membership.
RISD’s legal basis for this collection is a legitimate interest in this information in order to process the following functions of an educational institution receiving data from the EEA, and RISD receives consent from individuals to do so:
- Educational programs and other online training
- Admissions applications
- Financial aid and scholarship opportunities
- Program registration
- Management of residential life services, including health and wellness services and organizational affiliations
- Research opportunities
- Employment applications, including the receipt of benefits pursuant to employment and legal requirements associated with employment
- Visa applications
- Delivery of advertising or marketing materials about RISD services targeted to individual interests
- Purchasing RISD products or access to RISD events
- Delivery of RISD technical services such as information technology assistance
- Creation of student, employee, attendee, or donor accounts for RISD websites
Individuals have the right in certain circumstances to:
- Access personal information
- Correct or erase/forget information
- Restrict processing; and
- Object to communications, direct marketing, or profiling.
To the extent applicable, the EU’s GDPR provides further information about individual rights. Individuals also have the right to lodge complaints with a national or regional data protection authority, and to make requests regarding these rights with RISD's designated representative at firstname.lastname@example.org. To protect the personal information held, RISD may also request further information to verify identity when exercising these rights. To the extent that this information is transferred to other countries, reasonable steps are taken to protect individual privacy in accordance with applicable GDPR laws.
Users have the right to withdraw consent, subject to the applicability of GDPR. Even if consent is withdrawn, RISD may still be required or permitted by law to process certain information subject to its legitimate interest. Upon receipt of a legitimate request to erase information, RISD will maintain a core set of personal data to ensure the user is not contacted inadvertently in the future, as well as any information necessary for RISD archival purposes. RISD may also need to retain some financial information for legal purposes, including but not limited to US IRS compliance. In the event of an actual or threatened legal claim, RISD may retain information for purposes of establishing, defending against or exercising its rights with respect to such claim.
If an individual provides information directly to RISD from the European Economic Area (EEA), they consent to the transfer of such personal information outside of the EEA to the United States. Understand that the current laws and regulations of the United States may not provide the same level of protection as the data and privacy laws and regulations of the EEA. Subject to GDPR, individuals have the right to file a complaint with the appropriate supervisory authority or to file a legal claim if not satisfied with RISD’s response.
Individuals are under no statutory or contractual obligation to provide any personal data to RISD, other than personal data provided in connection with status as an RISD student or as necessary to obtain information from a RISD website. RISD will retain this data for as long as necessary for the purposes of delivering the services of the relationship, and then will retain the data thereafter for the period required under applicable law or as otherwise required to comply with legal obligations.
While RISD exercises care and implements security measures to protect your personal information, it cannot guarantee against, and does not accept liability for, persons and entities who access information from this site through unlawful or unethical means. RISD reserves the right to change this page at its discretion from time to time.
This policy was created on: June 2020
Next scheduled review will be on the following date or as needed: every two years on June 15th, beginning in 2022
Information Technology Services
Chief Information Officer
Individuals/offices required for review and changes
Senior Vice President, Finance and Administration
Office of the General Counsel