Global Privacy Principles
At the CES Privacy Center, we are dedicated to safeguarding the personal data of our students, employees, alumni, visitors, and other individuals. To honor their privacy rights, we adhere to six fundamental privacy principles. These principles guide our practices and ensure we maintain the highest standards of data protection. We invite all members of the CES community to embrace these principles, deepening their understanding and implementation of privacy practices.
1. Purpose Limitation
Purpose: Why exactly do I need to collect, use, or otherwise process Personal Data?
We start by clearly defining the purposes for which we process personal data. These purposes are explicit and legitimate, ensuring that data is not further processed in ways that are incompatible with these initial purposes. By being clear from the outset, we ensure that personal data is used appropriately and only for its intended purpose.
Self-Check:
- Have you defined the specific purpose for processing data?
2. Data Minimization
Minimization: What kind of Personal Data is actually strictly needed to achieve my goal/purpose?
We ensure that the personal data we process is adequate, relevant, and limited to what is necessary for our defined purposes. This means we only collect and maintain data that is sufficient to fulfill our purposes and has a rational link to those purposes. Over-collection and retention of unnecessary data are avoided to reduce risks and ensure compliance.
Self-Check:
- Have you determined what data elements are strictly necessary to accomplish your defined purpose?
3. Lawfulness
Lawfulness: Do I have the right to collect, use, or otherwise process that Personal Data?
The collection and use of personal data must be justified and legal. This includes processing data necessary for the performance of a contract, pursuing a legitimate interest, complying with a legal obligation, or based on consent. By ensuring our actions are lawful, we maintain trust and integrity in our data handling practices.
Self-Check:
- Have you determined your legal justification for collecting or using the personal data (often it is legitimate interest or performance of a contract)?
4. Transparency
Transparency: How do I inform the individuals about the collection and/or use of their Personal Data?
We are committed to being open and honest about who we are, and how and why we use personal data. Individuals are provided with clear and intelligible information through concise privacy notices or just-in-time statements, ensuring they are informed from the start about our data collection and usage practices.
Self-Check:
- Have you provided appropriate Privacy notices to individuals before collecting any personal data and cookie banners if using a front-end website?
5. Protection
Protection: How do I ensure the Personal Data I collect and/or use is safe?
We implement appropriate security measures to protect personal data against unauthorized or unlawful processing, and against accidental loss, destruction, or damage. This includes applying role-based access controls, ensuring data-sharing agreements are in place, and requiring vendors to complete a Vendor Contract Security and Privacy Addendum.
Self-Check:
- Have you applied role-based access controls to limit who has access to personal data to those with a legitimate business need?
- Have you ensured that a Data Sharing Agreement (DSA) is in place before personal data is shared with other departments or outside the organization?
- If using a vendor, have you made sure the vendor completed a Vendor Contract Security and Privacy Addendum?
6. Duration
Duration: For how long do I need to keep the Personal Data to achieve my goal/purpose?
We do not retain personal data for longer than necessary. Once the original purposes for which the data was collected are achieved, we securely destroy or de-identify the data in accordance with defined standards and policies. This ensures compliance with retention schedules and minimizes the risks associated with prolonged data storage.
Self-Check:
- Have you determined the appropriate retention schedule necessary to fulfill your defined purpose and still be in line with any published standards and policies
- Have you designed or planned a way to delete the data when legitimate business purposes have been met?
By adhering to these six basic privacy principles—Purpose Limitation, Data Minimization, Lawfulness, Transparency, Protection, and Duration—we enhance our data protection practices and honor the privacy rights of those we serve. These principles are not only a foundation for compliance but also a commitment to upholding the trust placed in us by our community.
For more information or assistance, please reach out to the CES Privacy Center.