Supplemental Privacy Notice - PIPL

This University of Illinois Supplemental Privacy Notice - Personal Information Protection Law (“Supplemental Notice - PIPL”) supplements the University of Illinois System Privacy Statement for certain persons in the People's Republic of China ("PRC").

1. Commitment to protecting privacy and transparency

The Board of Trustees of the University of Illinois (the “University”), by and through its academic, research, and administrative units, is committed to respecting and protecting the privacy rights of persons in the PRC consistent with the PRC’s Personal Information Protection Law (“PIPL”). 

This Supplemental Notice - PIPL describes the University’s commitment to the privacy of persons in the PRC. 

2. Does this Supplemental Notice - PIPL apply to you?

This Supplemental Notice - PIPL applies to you if:

  • You are a Person or Data Subject meaning a natural person, not a corporation, partnership, or other legal entity:

AND

  •  The University handles your Personal Information inside the borders of the PRC.

OR

  • You are physically located in the PRC, and
  • The University handles your Personal Information outside the borders of the PRC in order to 1) provide you goods or services or 2) analyze or assess your activities.

"Personal Information” means any information relating to an identified or identifiable natural person. Information pertaining to current, former, or prospective employment with the University in the United States is not considered “Personal Information” and is excluded from this Supplemental Notice - PIPL.

If you are located outside the PRC and you provide your Personal Information to the University outside the PRC, this Supplemental Notice – PIPL does not apply to that information.

3. What Personal Information does the University process?

General categories

The University processes the following general categories of Personal Information: names; addresses; telephone numbers; email addresses; identification numbers including but not limited to social security numbers, Resident Identity Cards, driver’s license numbers, University identification numbers, and personal identification numbers (PINs); usernames; passwords; demographic information; education history and transcripts; entrance exam scores; background check information; personal references; financial information including but not limited to credit and debit card numbers, tax information, tax identification numbers (TINs), and financial aid information; transaction histories; business information; passport and visa information; work histories; medical histories; donation histories; insurance information; military service; IP addresses; location information; device information; metadata; education records including but not limited to coursework, correspondence, evaluations, disciplinary complaints, and other records, and files maintained by the University as part of the educational process; any requests for accommodations or leave; and other information to support the purposes set forth in Table 1, below.

The University requires Personal Information only when necessary. Table 1 identifies the purposes for which the University processes Personal Information and the legal basis for each purpose.

 

Sensitive Personal Information

In order to fulfill certain of the purposes identified in Table 1, the University may need to request Sensitive Personal Information. Sensitive Personal Information is information that, if leaked or used illegally, could cause harm to a person’s dignity or grave harm to personal or property security. Examples of Sensitive Personal Information include but are not limited to:

  • Biometric characteristics
  • Religious beliefs
  • Specially-designated status
  • Medical health-related information
  • Financial accounts
  • Individual location tracking
  • Information concerning minors under the age of 14  

Before the University processes your Sensitive Personal Information, the University will ask for your separate consent unless the University has another legal basis for the processing, in which case the University will inform you of that basis.

Purposes for which the University processes Personal Information

Purpose Legal Basis
To help the University learn more about you and your interests Consent
To help you learn more about and/or apply for the University and its programs by giving you access to or sending you relevant information about university programs and events Consent
To respond to requests for information about admission to the University or about participating in online courses or other programs at the University Performance of statutory duties or statutory obligations
To recruit, evaluate, and manage persons who apply to the University for admission, take courses at the University, participate in programs offered by the University, or attend the University, either in person or online, and to perform related activities needed to foster and maintain these relationships Performance of statutory duties or statutory obligations
To operate and facilitate the registration and participation in online and in-person education programs, including those relating to professional licensing requirements Performance of statutory duties or statutory obligations
To evaluate applications for and administer financial aid, including reporting to relevant federal and state government agencies Performance of statutory duties or statutory obligations
To facilitate application for and sponsoring of visas to study, work and/or research at the University, including all functions necessary to comply with applicable immigration laws Performance of statutory duties or statutory obligations
To assign housing and facilitate housing requests for individuals studying or participating in programs at or through the University Necessary for the conclusion or performance of a contract
To conduct study abroad programs offered by or coordinated through the University Necessary for the conclusion or performance of a contract
To provide on-campus and distance learning information technology and other services to students, including network, authentication and help desk services Necessary for the conclusion or performance of a contract
To respond to an individual’s request for records relating to an individual’s time at the University, such as transcripts, tax documents, employment documents, etc. Necessary for the conclusion or performance of a contract
To engage the services of an independent contractor and all uses incident to that engagement Necessary for the conclusion or performance of a contract or conduct human resources management
To employ persons to work for the University and all uses incident to that engagement including but not limited to evaluation and management of employees and administration of employee benefits Necessary for the conclusion or performance of a contract or conduct human resources management
To conduct transactions and business with individuals, such as processing payments made by credit card to the University and payments made by the University to you Necessary for the conclusion or performance of a contract 
To host and allow individuals to attend and participate in University events, including educational, artistic, and sports camps and sporting events Necessary for the conclusion or performance of a contract
To facilitate review and evaluation of University programs, including academic, sports, and other programs, by the University, accrediting organizations, government entities, third-party ranking organizations, and other appropriate bodies Performance of statutory duties or statutory obligations
To evaluate usage of University websites and emails, improve website and email utility, enhance the website visitor experience, and improve University marketing efforts Performance of statutory duties or statutory obligations
To promote safety, integrity, and security of the University’s information technology systems Performance of statutory duties or statutory obligations
To protect the University community, including you, and to keep its members safe wherever they are located Performance of statutory duties or statutory obligations
To report salary data to social security or tax authorities and otherwise comply with applicable laws Performance of statutory duties or statutory obligations / human resources management
To allow individuals to visit University facilities Necessary for the conclusion or performance of a contract
To facilitate and administer the reservation and use by individuals of University facilities Necessary for the conclusion or performance of a contract
To facilitate the use of volunteers and to evaluate and manage individuals who volunteer to assist the University in any capacity, and to perform related activities required to foster and maintain these relationships Necessary for the conclusion or performance of a contract
To respond to subpoenas, court orders, agency requests, and other legal requests for records relating to an individual’s time at the University, such as transcripts, tax documents, employment documents, etc. Performance of statutory duties or statutory obligations
To engage third parties to collect sums owing to the University or to otherwise take action to collect outstanding debt from an individual Necessary for the conclusion or performance of a contract
To respond to proper requests for information as required by the Illinois Freedom of Information Act and the U.S. federal Freedom of Information Act Performance of statutory duties or statutory obligations
To stay connected with University alumni Consent
To allow and facilitate individuals to perform research at or with the University Necessary for the conclusion or performance of a contract
To comply with federal and state law Performance of statutory duties or statutory obligations
To utilize individuals as subjects of research performed at or through the University, and to perform related activities required to foster and maintain this relationship Consent
To facilitate the provision of medical treatment and the filing of claims for payment from insurance companies and/or government agencies Necessary for the protection of the life, health, and property safety of a natural person / protection of vital interests

To raise funds to support the University and its programs

Consent
To facilitate employee donations to charities through the State and University Employee Combined Appeal

Consent

To assist members of the University community with educational and professional placement opportunities Consent

 

4. How does the University receive your Personal Information

From you
The University may receive your Personal Information when you visit University websites, apply for or attend University classes or programs, apply for or take online courses with the University, apply for financial aid or University housing, complete surveys or forms sponsored by the University, participate in University research studies, participate in work for the University at a location in the PRC, seek assistance from the University to further your education or your professional career, attend events sponsored by the University, or otherwise interact with the University.


From third parties
The University may receive your Personal Information from third parties. Examples include college entrance exam scores received from testing agencies; college applications received from organizations that provide university admissions applications (e.g., the Common Application, Inc.); online course registration information received from third parties that administer online courses (e.g., Coursera, Inc.); financial aid information from government agencies or commercial financial institutions; background information received from companies conducting export control screening or checks to support working with minors or employment with the University; and companies or partner institutions abroad to facilitate study or work at the University by international students and scholars.

5. Who receives/processes your Personal Information?

University personnel

Your Personal Information may be processed by University trustees and employees, including faculty, researchers, medical professionals, financial aid counselors, human resources professionals, law enforcement officers, and others, as may be necessary to carry out the purposes for processing the information and the activities of the University.

University Related Organizations

The University may share your Personal Information with University Related Organizations, such as the University of Illinois Foundation and the University of Illinois Alumni Association.

Third parties

The University may share your Personal Information with third parties, such as: educational platform providers and course partners to further the purposes for processing the information and the activities of the University; U.S. and foreign government entities to fulfill regulatory obligations (e.g., visa processing, tax and social security payments) and to facilitate access to funding sources (e.g., financial aid); partner institutions to facilitate study abroad and research activities; service providers to facilitate the full range of University functions (e.g., cloud storage, software); potential employers to assist with job placement; and vendors to provide services related to your affiliation with the University (e.g., print diplomas, arrange housing) and to improve University outreach efforts.   

Please note that the University may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this Supplemental Notice - PIPL.

6. How long does the University keep your Personal Information?

The University retains Personal Information in accordance with applicable law. Records retention schedules for many types of University records can be found on the Records and Information Management records management webpage.

7. What are your rights as a Data Subject?

As a Data Subject pursuant to the PIPL, you have certain rights. This section of the Supplemental Notice - PIPL summarizes these rights and how you can exercise them. More detail about each right, including exceptions and limitations, can be found in Articles 15 and 44 through 50 of the PIPL.

Please note: Nothing in this Supplemental Notice - PIPL is intended by the University to waive sovereign immunity or any other defenses or immunities afforded by any or all U.S. federal laws, Illinois state laws, PRC law, or international law.

Right to know and make decisions

You have the right to know and make decisions about the processing of your Personal Information, and the right to limit or refuse the handling of your Personal Information by others, unless otherwise provided for by law

Right to consult or copy

You have the right to consult or copy your Personal Information, except when it is necessary for the University to maintain confidentiality or when otherwise provided for by applicable law. The University will respond to your requests to consult or copy your Personal Information in a timely manner.

Right to request transfer

You may request that the University transfer your Personal Information to another personal information handler. If the University is permitted to make the transfer under applicable law, the University will facilitate the transfer. 

Right to have inaccurate Personal Information corrected or supplemented

You have the right to request that the University correct any inaccurate Personal Information that it maintains about you. You also have the right to request that the University complete any incomplete Personal Information that it maintains about you, which could be accomplished by incorporating a supplementary statement that you submit. If the University concurs that the Personal Information is incorrect or incomplete, the University will correct or complete it in a timely manner. 

Right to request deletion

You have the right to request the deletion of Personal Information that the University maintains about you in certain circumstances. These circumstances are identified in Article 47 of the PIPL and include that the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected.

Subject to applicable U.S. federal and state law and University policies, including but not limited to the University of Illinois System Privacy Statement and University records retention schedules, and provided that there are no overriding legitimate grounds for the University to retain the Personal Information, the University will comply with deletion requests meeting the requirements of applicable law. For the avoidance of doubt, where deletion has been requested but is technically hard to realize, the University shall cease processing the Personal Information other than for storage and taking necessary security protective measures.

Right to have the rules of processing explained

You have the right to request that the University explain to you the Personal Information handling rules.

Right to withdraw consent

If the basis for processing your Personal Information is consent, you may revoke your consent at any time. Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, the University will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims or is otherwise permitted by applicable law. Revoking consent does not affect the lawfulness of processing that occurred before the revocation.

Right to file a lawsuit

If the University rejects your request to exercise your rights, you may file a lawsuit in a court of competent jurisdiction according to the law.

8. How to exercise your rights

In order to exercise any of your rights with the University, except the right to file a lawsuit in a court of competent jurisdiction, you should submit your request to the University of Illinois Ethics and Compliance Office:

Email: EthicsLine@uillinois.edu

Telephone:     +1 866-758-2146

Address:      University Ethics and Compliance Office
Human Resources Building, Room  20
One University Plaza, HRB  20
Springfield, IL 62703-5407
Attn: Privacy Compliance

At that time, you will be asked to: 1) identify yourself; 2) provide information to support that the PIPL applies to you (see Section 2, above); 3) identify the specific information or data that you are concerned about; and 4) state what right(s) you wish to exercise.

To expedite processing your request, please identify the data collection location (e.g., the website where your Personal Information was collected), if known.

If your request to exercise your rights under PIPL is rejected, the University will explain the reason.

9. How does the University respond to requests for Personal Information?

In addition to the rights provided by the PIPL, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, and University policy.  When you submit a request to the University to exercise your rights, the University will respond in accordance with existing University policies and procedures that implement the relevant privacy law(s). These include, but are not limited to, policies pertaining to student education records and policies pertaining to certain health records maintained by the University. 

10. Existence of automated individual decision-making

The University, in conjunction with University Related Organizations such as the University of Illinois Foundation, uses automated decision-making, including profiling, to help identify prospective supporters of the University and its activities. The logic takes an all-factor approach to assessing a possible donor’s propensity to support the University and may result in a prospective donor being contacted to explore support opportunities.

You will not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or performing a contract or unless you explicitly consent.

11. Transfer of Personal Information outside the PRC

Except for the University of Illinois Shanghai Office, the University is based in the U.S. and is subject to U.S. and Illinois law. Personal Information that you provide to the University will generally be hosted on U.S. servers. To the extent that the University needs to transfer your information either (a) from the PRC to the U.S. or another country or (b) from the U.S. to another country other than the PRC, the University will do so consistent with applicable law governing such transfers. To support such transfers, the University will generally enter into a contract containing certain standard terms to clearly establish the rights and responsibilities of the parties to the transfer.

In addition, to the extent the following information is not included in this Supplemental Notice – PIPL, the University will notify you of the of the name and contact information of the overseas recipient, the purpose of the transfer and method of processing, the type of Personal Information involved, and how you can exercise your rights. The University will also obtain your separate consent to the transfer unless such separate consent is not required by applicable law.

12. How do I contact the personal information handler?

The University is the personal information handler.  If you have any questions about anything contained in this Supplemental Notice - PIPL, please contact the University of Illinois Ethics and Compliance Office:

Email: EthicsLine@uillinois.edu

Telephone:     +1 866-758-2146

Address: University Ethics and Compliance Office
Human Resources Building, Room 20
One University Plaza, HRB 20
Springfield, IL 62703-5407
Attn: Privacy Compliance

13. Updates to Supplemental Notice - PIPL

The University may update this Supplemental Notice - PIPL from time to time.  Any changes will become effective upon posting of the revised Supplemental Notice - PIPL.

 

Issued: 11/1/2021

Effective:  11/1/2021

Last revised: 11/1/2021