Date Established: 3/19/2003
Date Last Revised: 7/22/2024
Category: Information Technology
Responsible Office: Vice President and Chief Information Officer
Responsible Executive: Vice President and Chief Information Officer
This policy explains the university’s operational practices with respect to visitor information collected from official University at Buffalo websites and associated third-party web applications.
The University at Buffalo (UB, university) is committed to protecting visitors’ privacy when navigating through official University at Buffalo websites and associated third-party web applications. Visitors navigate through a majority of official UB websites and associated third-party web applications without providing personal information. However, the university implements operational practices to enhance the ease and efficiency with which visitors interact with official UB websites and associated third-party web applications.
UB collects information for various purposes including, but not limited to providing requested services and analyzing web traffic. Some information is collected automatically as website visitors navigate through and interact with UB websites. Other information is voluntarily provided by website visitors as they interact with UB websites. This may involve the website visitor providing information, including personal information, through various means including, but not limited to sending emails; filling out webforms, surveys, and applications; or completing financial transactions.
As visitors navigate through and interact with official UB websites and associated third-party web applications, the university automatically collects and stores information about visitors’ equipment, browsing actions, and patterns including:
None of the forgoing information is deemed to constitute personal information.
Additionally, the university may automatically collect the following personal information:
The university installs tracking codes or beacons on official UB websites and associated third-party web applications.
The university uses session and persistent cookie technology on official UB websites and associated third-party web applications. Refusing or deleting cookies may limit features of official UB websites and associated third-party web applications.
In some cases, third-party advertising and marketing providers capture visitor information on behalf of the university. Examples of information captured by third-party service providers include:
Automatically collected visitor information is used to:
The university is not authorized to sell or otherwise disclose the information collected from the website for non-university commercial marketing purposes.
When interacting with the university’s website, visitors may be asked to provide information for certain articulated purposes, such as when responding to a survey, registering for a program, or completing other similar transactions. A visitor may choose not to complete such actions. Not completing these actions may prohibit the ability to receive specific services or products through official UB websites or associated third-party web applications. The choice to not complete these actions does not adversely affect a visitor’s ability to take advantage of other features of a website, including some browsing and downloading, or from accessing requested information by other means.
Website transactions include visitor-initiated actions such as filling out and submitting:
Visitor email addresses may be used to send information, respond to inquiries and/or other requests or authorizations. UB will not share, sell, or otherwise authorize any third party to use a visitor’s email address for commercial purposes without prior permission.
While navigating through official UB websites and third-party web applications associated with the university, a visitor may send an email to UB. The visitor’s email address and message content (including attachments) are collected. This information is used to:
Visitor email addresses are not collected for non-university commercial purposes.
Voluntarily provided information, including personal information, is used for operational and business functions. Functions include the provision of goods, services, and information. UB retains the right to disclose voluntarily provided information to third parties for purposes reasonably ascertained from the nature and terms of the transaction in which the information was submitted. Additionally, visitor provided information may be used for analytical and statistical purposes, including improving the quality of the website.
The university is not authorized to sell or otherwise disclose the information collected from the website for non-university commercial marketing purposes. Visitor collected information is retained only for as long as required by university policy or as required by law.
UB only collects and discloses personal information collected through official UB websites or associated third-party web applications if the visitor consents to the collection or disclosure of this information. A visitor’s voluntary disclosure of personal information, whether solicited or unsolicited, constitutes consent to UB’s collection and disclosure of the information for the purposes for which the visitor disclosed the information to UB.
UB retains the right to collect or disclose personal information without consent if the collection or disclosure meets one of the following criteria:
Disclosure of information, including personal information, collected through UB websites, or associated third-party applications is subject to the provisions of the New York State Freedom of Information Law and the New York State Personal Privacy Protection Law.
UB internet service logs are automatically produced electronic files which monitor access and use of the university’s website services. UB retains automated log data collected in accordance with university policy. Log data is retained only for as long as required by university policy or as required by law. Access to automated log data is restricted.
Visitors to official UB websites or associated third-party web applications may submit a request to the university’s privacy compliance officer to determine if personal information was collected while navigating UB websites. Requests must be made in writing to the Privacy Compliance Officer and must be accompanied by reasonable proof of identity of the user. Reasonable proof of identity may include verification of a signature, inclusion of an identifier generally known only to the user, or similar appropriate identification.
Within five business days of receipt of a proper request, the privacy compliance officer will:
UB is committed to protecting personal and private information against unauthorized access, use, or disclosure. UB monitors system traffic to identify unauthorized attempts to upload or change information or attempts to damage official UB websites and associated third-party web applications for website security purposes. UB limits employee access to personal and private information collected through its websites to employees who need access to perform their official duties. Employees with access to such information follow appropriate university procedures and adhere to applicable university and State information security policies.
The university has implemented reasonable security measures to safeguard the integrity of its information technology assets, including, but not limited to, authenticating, monitoring, auditing, and encrypting. Security procedures have been integrated into the design, implementation, and day-to-day operations of UB websites and associated third-party applications as part of the university’s continuing commitment to the security of electronic content as well as the electronic transmission of information under UB control. However, no method of transmission over the internet or method of electronic storage is one-hundred percent secure.
UB does not knowingly collect personal information from minors or create profiles of minors through official UB websites or associated third-party web applications. Visitors are cautioned that the collection of personal information will be treated as though it was submitted by an adult, and may, unless exempted from access by federal or state law, be subject to public access. UB strongly encourages parents, guardians, educators, and teachers to be involved in a child’s internet activities and to provide guidance whenever children are asked to provide personal information online.
This policy informs visitors to official UB websites and associated third-party web applications about the technical information collected during their session. This policy also identifies and describes how personal information may or may not be collected while navigating on official UB websites and associated third-party websites.
Growth of privacy-related regulations and personal interest among visitors drive the increased demand for such policies, particularly on free consumer-oriented websites where visitors may not be aware their information is collected and used or sold for profit. Some examples include free web search portals, social media platforms, and personal email services. However, university websites typically do not engage in such behavior because individuals are not visiting for consumer-aimed free services.
This policy is focused on technical or mechanical aspects of information being exchanged to render website content. Other types of website privacy notices may include pop-ups about cookies, personal privacy policies, and notices of other privacy practices. These notices may detail additional information sharing or disclosure.
This policy applies to:
This policy is to be observed in conjunction with any future or previously existing departmental privacy policies.
Cookies
A small file stored on a visitor’s device, either temporarily for that session (session cookie) or permanently on the hard disk (persistent cookie). Cookies provide a way for the website to recognize visitors and keep track of the visitor’s preferences.
Official University at Buffalo (UB) Websites
Online content, both publicly accessible as well as material behind an authentication layer, owned or controlled by the university's formal academic and administrative units. These sites typically reside in, or resolve to, the buffalo.edu domain (though some may not, examples of such websites include but are not limited to, ubbulls.com, ubcfa.org, myubcard.com) and may serve any (or all) of the university's stakeholders.
Personal Information
Personal information means any information concerning a natural person which, because of name, number, symbol, mark, or other identifier, can be used to identify that natural person.
Third-Party Web Applications
Vendor-created, -provided, or -hosted technology solution that conducts official business for, or provides official service(s) to, the university or its constituents through an explicit contractual relationship.
Tracking Codes or Beacons
An often-transparent graphic image, usually no larger than 1-pixel x 1 pixel, placed on a website or in an email that is used to monitor the behavior of the user visiting the website or sending the email. Tracking codes or beacons do not contain personally identifiable information. Tracking codes collect traffic data and click information. This information is used to prioritize tasks, record visitor-specific web traffic, and associate web traffic history with unique visitors. A tracking code is a snippet of JavaScript code that tracks the activity of a website user by collecting data and sending it to Google Analytics to inform effectiveness of website performance. A beacon is another form of tracking that confirms content has been accessed by a user.
Visitor
Natural person who uses the internet to access official UB websites and third-party websites associated with the university.
Contact | Phone | |
---|---|---|
Information Security Office - Privacy Contact | 716-645-6997 | privacy@buffalo.edu |
Privacy Compliance Officer | ubfoil@buffalo.edu | |
Vice President and Chief Information Officer | 716-645-7979 | cio@buffalo.edu |
July 2024 | Full review. Updated the policy to: ● Revise the following sections: ▫ Automatically Collected Visitor Information - update the list of automatically collected visitor information and clarify that this is not personal information ▫ Tracking Codes or Beacons - add examples of information captured by third-party service providers ▫ Records Retention - specify that log data is retained in accordance with university policy and law ▫ Information Protection - specify that UB limits employee access to personal and private information and requires employees to follow appropriate security procedures ● Add the following sections: ▫ Use of Automatically Collected Visitor Information ▫ Visitor Provided Information ● Specify the process for submiting a request to determine if personal information was collected while navigating UB websites (Access To and Correction of Personal Information Collected Through UB Websites section) ● Revise the Applicability section to provide additional details about the information this policy applies to and remove the reference to mobile applications ● Revise the definition of Cookies to include details about session cookies and persistent cookies |
January 2020 | Full review. Updated the policy to: ● Change the policy name from Privacy Policy to Website Privacy Policy ● Revise the policy statement to confirm the university's commitment to protecting visitor privacy when navigating through official UB websites and associated third-party web applications ● Add information about tracking codes or beacons ● Revise the retention period of automated log data from 180 days to a minimum of 92 days ● Add the Background section ● Revise the Applicability section to specify that the policy: ▫ Applies to visitors navigating official UB websites and associated third-party applications ▫ Excludes mobile applications ● Add definitions for Cookies, Official University at Buffalo Websites, Third-Party Web Applications, Tracking Codes or Beacons, and Visitor ● Delete the definition of User ● Add the Responsibility section and specify responsibilities for Enrollment Management, Privacy Compliance Officer, University Communications, Procurement, Visitors, and the Vice President and Chief Information Officer |
7/22/2024