Consistent with the provisions of RISD policies, Rhode Island state law, the Family Educational Rights and Privacy Act (FERPA), the General Data Protection Regulation (GDPR), the Gramm Leach Bliley Act (GLBA), and other privacy-related laws of relevant jurisdiction, the following information addresses RISD’s protection of the data related to RISD website visitors and RISD community members, such as students, faculty, staff, alumni, parents, and prospective students.
The policies describe how RISD collects, uses, and discloses information from its website visitors, including its visitors’ control over certain information. RISD website visitors are entitled to certain rights under applicable laws, and RISD respects its visitors’ privacy.
Information We Collect & Use
When completing various transactions on our website, you may be asked to enter information that personally identifies you, or that will permit us to contact you, register you for a program, deliver digital or physical advertisements/marketing materials, or provide information needed by RISD to perform a contract or comply with a legal obligation. We also collect information from targeted internet searches and third-party sources, such as social media and search sites.
When visiting the RISD websites, accessing RISD services online, or purchasing from RISD, you may be asked to provide the following types of information:
- Identifying: name, address, email address, telephone number, social media contact, passport and visa information, authenticating information, citizenship, photographs/images, IP address
- Demographic: gender, birth date, photographs, ethnicity (solely if you voluntarily provide this information), veteran status
- RISD Records: degrees, majors, enrollment, affiliation with RISD organizations, awards, activities
- Employment: employer, titles, industry information, work history, references
- Familial: names of partners and children, birthdates, relationships
- Alumni: event attendance volunteer interests, organizational affiliations, committee participation, awards/honors, exhibitions, gallery affiliation
- Health: medical records, health information, medical history, disability and related accommodations, health insurance, dietary
- Donor: giving information, wealth assessment, indicators of your interest in giving
- Analytics: aggregated information related to website visitor activity or email marketing
- Financial: Credit cards, banking information, financial aid and associated applications, scholarships, other financial information. Your credit card information will be transmitted directly to a third-party company, via a secure connection, to process your credit card sale, in compliance with GLBA where applicable. RISD handles your financial information in accordance with the applicable requirements of GLBA.
Use of Your Personal Information
RISD uses your information for legitimate purposes in support of RISD’s mission and the services we provide to you under contract. Other legitimate interests may include conducting RISD business pursuant to our educational mission, including our legitimate interest in marketing, improving RISD services, and keeping accurate, complete records required for RISD operations or pursuant to law.
We use your information to process registration transactions and communicate with you based on your preferences and interests. Like many companies and services that accept payment by credit card, RISD may share personal information with our qualified third-party vendors in order to process your registration. RISD may keep you updated via email and physical mailings regarding RISD activities, conduct surveys, provide services, conduct research, perform administrative tasks, and analyze aggregate information about our visitors and community members.
It may be necessary to share your information with other RISD community members in order to perform RISD functions and deliver services to you. RISD employees are trained in the appropriate handling and security of your information.
RISD will disclose your personal information to third parties, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to applicable law or comply with legal process served to RISD or this website or (b) protect or defend the rights, property or safety of RISD, its students and employees, and others.
RISD uses various email services and inquiry forms such as Constant Contact, Gmail and Mailchimp to manage email list subscriptions, disseminate promotional updates and send informational messages to our various audiences. All email services utilized by RISD contain an “unsubscribe” feature at the bottom of each email you receive, which you can use if you wish to discontinue receiving email communications.
There is no legal requirement for you to provide information when you visit our site. If you wish, cookies may be cleared or disabled through adjustment settings on your browser. If you choose to disable cookies, however, some site functions may not operate correctly.
RISD uses Google Analytics to collect information about the use of our various websites. Google Analytics is a free service that helps marketing professionals understand how people use websites and apps, so actions can be taken to improve the user experience. Google collects the IP address assigned to the user, rather than your actual name or other personal information. You can disable Google Analytics from capturing your data by disabling the cookies on your web browser.
RISD uses Facebook, LinkedIn, and Google Ads to remarket to users who visit our various websites. If you wish, cookies may be cleared or disabled through adjustment settings on your browser. If you choose to disable cookies, however, some site functions may not operate correctly. RISD is not responsible for the privacy practices of websites outside of the RISD domain.
Security of Your Personal Information
RISD uses commercially reasonable measures to protect the security of your personal information and to protect your data from loss, misuse, unauthorized access or disclosure, alteration or unnecessary destruction. No transmission over the internet is completely invulnerable from breach.
The Gramm Leach Bliley Act (GLBA) requires privacy and data security protections for certain consumer data. RISD’s Chief Information Officer is designated as the Program Officer pursuant to GLBA, who is responsible for coordinating the data security program. This program is designed to safeguard Non-Public Financial Information (NPI), as defined by GLBA, including NPI provided by you to RISD, or otherwise obtained by RISD, for the purposes of obtaining a financial product or service from RISD. RISD is considered to be in compliance with the privacy requirements of GLBA, as it is in compliance with FERPA.
To the extent that RISD is considered a financial institution pursuant to GLBA, RISD takes the following steps to secure, safeguard, and maintain confidentiality regarding the NPI it holds:
- A risk-based information security program, which includes a risk identification and assessment related to RISD information security systems, a system for securely storing, transmitting, and disposing of NPI contained in RISD systems, and a process for detecting, preventing, and responding to threats presented to the data security system.
- Selection of third-party service providers, where relevant, who provide appropriate safeguards pursuant to GLBA requirements, including contractual provisions regarding data security and confidentiality.
- Training of employees who handle NPI in appropriate methods of safeguarding and transmitting NPI. Employees who access NPI must have a legitimate purpose for doing so.
- Periodic review and assessment of RISD data security systems and practices at least annually, updating protections, with updates to the RISD community regarding safe data practices.
Personal Information Regarding Minors
RISD websites do not knowingly solicit or accept data from minors without parental consent. RISD assumes that personal information submitted through its websites is provided by adults, unless explicitly indicated otherwise.
Rights for Individuals in the European Economic Area
RISD is considered the data controller for the information indicated in this policy for the purposes of GDPR, as applied to persons physically located in the European Economic Area (EEA), unless otherwise indicated on a site. RISD collects Personal Data about you, as described under GDPR laws. RISD collects “Sensitive Personal Information”, solely on a voluntary basis and subject to your consent, including race, ethnicity, health information, genetic data, religious beliefs, political beliefs, sexual orientation, and trade union membership.
RISD’s legal basis for this collection is a legitimate interest in this information in order to process the following functions of an educational institution receiving data from the EEA, and receives consent from you to do so:
- Educational programs and other online training
- Admissions applications
- Financial aid and scholarship opportunities
- Program registration
- Management of residential life services, including health and wellness services and organizational affiliations
- Research opportunities
- Employment applications, including the receipt of benefits pursuant to employment and legal requirements associated with employment
- Visa applications
- Deliver advertising or marketing materials about RISD services targeted to your interests
- Purchasing RISD products or access to RISD events
- Delivery of RISD technical services such as information technology assistance
- Creation of student, employee, attendee, or donor accounts for RISD websites
You have the right in certain circumstances to:
- Access your personal information
- Correct or erase/forget information
- Restrict processing; and
- Object to communications, direct marketing, or profiling.
To the extent applicable, the EU’s GDPR provides further information about your rights. You also have the right to lodge complaints with your national or regional data protection authority, and to make requests regarding these rights with our designated representative at email@example.com. To protect the personal information we hold, we may also request further information to verify your identity when exercising these rights. To the extent that this information is transferred to other countries, reasonable steps are taken to protect your privacy in accordance with applicable GDPR laws.
You have the right to withdraw consent, subject to the applicability of GDPR. Even if your consent is withdrawn, RISD may still be required or permitted by law to process certain information subject to its legitimate interest. Upon receipt of a legitimate request to erase information, we will maintain a core set of personal data to ensure we do not contact you inadvertently in the future, as well as any information necessary for RISD archival purposes. We may also need to retain some financial information for legal purposes, including but not limited to US IRS compliance. In the event of an actual or threatened legal claim, we may retain your information for purposes of establishing, defending against or exercising our rights with respect to such claim.
If you provide information directly to RISD from the European Economic Area (EEA), you consent to the transfer of your personal information outside of the EEA to the United States. You understand that the current laws and regulations of the United States may not provide the same level of protection as the data and privacy laws and regulations of the EEA. Subject to GDPR, you have the right to file a complaint with the appropriate supervisory authority or to file a legal claim if you are not satisfied with RISD’s response.
You are under no statutory or contractual obligation to provide any personal data to us, other than personal data provided in connection with your status as an RISD student or as necessary to obtain information from a RISD website. RISD will retain this data for as long as necessary for the purposes of delivering the services of the relationship, and then will retain the data thereafter for the period required under applicable law or as otherwise required to comply with legal obligations.
While RISD exercises care and implements security measures to protect your personal information, it cannot guarantee against, and does not accept liability for, persons and entities who access information from this site through unlawful or unethical means. We reserve the right to change this page at our discretion from time to time.