This document informs the general public of the University’s policy regarding the collection, use, and disclosure of information sent to the Websites’ servers, both automatically and voluntarily, from visitors to these Websites.
Website access privacy
The University uses all reasonable efforts to maintain the privacy of users who access the Websites. As with all online services, however, the University cannot guarantee absolute privacy to users of the Websites. In some cases, website user information may be subject to lawful disclosure, as explained below.
Further, while the University has in place a variety of security measures to safeguard against illegal access of information obtained through its website, the University cannot provide complete assurance against illegal access. For more information regarding the protection against illegal access to personal information, please see the Electronic Communications Privacy Act (18 U.S.C. §2510) and the Computer Fraud and Abuse Act (18 U.S.C. §1030).
Additionally, information obtained through the University’s website may be disclosed in the course of a civil or criminal investigation or as the University is otherwise required by law.
This Policy informs the general public of the information that the University may collect from site visitors when using the Websites, including what the University does with that information, to whom it may be disseminated, and how it can be accessed. Based on this information, site visitors can make an informed decision about the choice of using the Websites. Site visitors can maximize privacy by making informed choices about whether to share personal data with the University through the Websites.
Massachusetts Fair Information Practices Act
The Massachusetts Fair Information Practices Act regulates the manner in which the University maintains non-public, personal data. The Act is found at Massachusetts General Laws, Chapter 66A.
Massachusetts Public Records Law
The University is bound by the Massachusetts Public Records Law, which regulates the maintenance and disclosure of public records in the possession, custody, or control of the Commonwealth of Massachusetts. The Law is found at Massachusetts General Laws, Chapter 6 and Chapter 4, Section 7(26). Public Record Access Requests can be submitted to the University.
Family Educational Rights and Privacy Act (FERPA)
As an institution that receives funds from the U.S. Department of Education, the University is bound by the Family Educational Rights and Privacy Act (20 U.S.C. 1232(g), 34 C.F.R. 99). This law regulates the maintenance and distribution of student record information by the University.
Security & confidentiality of personal information
Massachusetts Executive Order No. 504 requires state agencies, including the University, to implement and maintain written information security programs governing the collection, use, dissemination, storage, retention, and destruction of personal information. The Order requires that state agencies follow certain guidelines and standards when personal information is retained.
Personally Identifiable Information (PII)
Data that could be used to distinguish or trace an individual’s identity is referred to as personally identifiable information (“PII”). This information can include name, address, email, telephone, social security number, date and/or place of birth, mother’s maiden name, bank account number, credit card number, driver’s license number, or any combination of information that could be used to identify an individual.
An Internet Protocol Address, or “IP address,” is a series of numbers that identifies each computer and machine connected to the Internet. Each of the University’s Websites has an IP address associated with its hostname (defined below).
Anyone accessing the Internet is connecting to the network through an Internet Service Provider (ISP), which will assign an IP address to the network or computer being used for access, referred to as the “client.” The web servers upon which the Websites reside keep log files with information about the requests sent to them, and these log files include the client IP address associated with the origin of each request. Since IP addresses are machine specific, an IP address is not, in and of itself, personally identifiable information.
A hostname is an alias for an IP address in a format that is easy for a human to read, understand, and remember while conforming to the requirements of the structure of a Uniform Resource Locator or “URL.” In the case of the Websites covered in this policy, the hostnames associated with those URLs are “www” and “news” respectively.
A web server log file contains information about every request and response handled by that web server. A web page on the Internet might be constructed from numerous digital assets (e.g., the page itself, images, scripts, visual styling rules, fonts, videos, etc.). A request and response cycle is performed by the server for every one of the digital assets, and each cycle is individually logged on the server.
An entry in the log will typically consist of data such as:
- Date and time of the request
- Client IP address
- URL of the digital assets being requested
- The HTTP status code of the response
- The time taken to respond
- Information about the browser through which the request was made
- Information about what prior page may have “referred” (i.e., linked) the user to the requested digital asset
Since IP addresses are not linked to personal information, an individual will not be identified from these log files.
Cookies are files that a website can place on a site visitor’s computer when visiting a website. Some cookies expire immediately after the browser is closed (also known as a “session” cookie), while others might expire after a number of hours, days, months, years, or, in some cases, never. The lifespan of a cookie is dictated by the codebase of a website. Cookies can, however, be manually deleted at any time or even blocked from being created in the first place through a browser’s configuration options. A cookie file can contain unique information that a website can use to track such things as a list of web pages previously visited and the date when a site visitor last looked at a specific web page or to identify a site visitor’s session at a particular website. A cookie file can allow the website to recognize a site visitor while clicking through pages on the site and when later revisiting the site.
The term “Third-Party Services” refers to features or capabilities of the Websites that are facilitated by an entity or agent other than the University on behalf of the University.
The Websites may contain links to other websites from Third-Party Services, as defined above, or from other websites within the “worcester.edu” domain name. However, this Policy does not apply to these links. Therefore, the University encourages visitors to the Websites to be aware when they leave the Websites and to read any privacy statements of each and every other website that collects PII.
How the University collects information
Information voluntarily provided by site visitors
The Websites may collect PII voluntarily provided in different ways:
- through surveys and emails
- an authentication feature
- the use of electronic payment functionality
Surveys & email
Surveys may collect PII. Any email messages sent to or from the Websites may contain PII such as email address, and any other information a site visitor chooses to give the University to help answer an inquiry.
In some instances, content on the Websites is deemed protected and requires the use of a University student, faculty, or staff user account to gain access. The user account data submitted by a site visitor is parsed by an authentication mechanism within the University Information Technology infrastructure and access is authorized or rejected.
The Websites may provide access to various electronic payment options for fees and tuition expenses. In order to use these features, site visitors will have to provide certain information necessary to process payments. This information may include PII such as name, address, and credit card number.
Electronic payment options are also offered through the use of a third-party vendor. In this case, payment options are offered through non-University website(s). Users are encouraged to read any and all privacy policies from third-party vendors. This Policy does not apply to any website for a third-party vendor.
The Websites use forms to collect information from site visitors for various purposes. Data submitted through such forms might be handled in different ways upon arrival at the server. In some instances the data is held in the server’s database for later retrieval by a designated site administrator. In some instances the data is collated and transmitted to a designated recipient via email. In some instances the data is submitted directly to a third-party service for storage and/or processing. In some instances data is handled via a combination of these methods.
For URLs with the “HTTPS” prefix, transmission of data between the client and server is encrypted and therefore not prone to any man-in-the-middle attack vulnerabilities during transit. If HTTPS is not enforced by default, a URL can be manually changed to include the HTTPS prefix.
Some features available on the Websites offer the ability to subscribe or opt in to some kind of ongoing communication schedule from the University or one of its agents (such as an email newsletter, RSS feed, or iCal feed). Any such communication opt-in is voluntary and offers a method to opt out if applicable.
Information automatically collected
The University uses online digital advertising to promote various programs and initiatives at the institution through planned campaigns. The University engages with select third-party vendors to help facilitate those campaigns and use technologies that serve and re-serve the University advertising elsewhere on the Internet based on prior visits to the Websites, using a technique called “remarketing.”
The University uses a number of select third-party vendors to provide anonymous statistical data about site usage, content consumption, and sources of traffic to the Websites. Such data allows the institution to quantify the popularity of content and the effectiveness of digital and non-digital advertising campaigns and to identify patterns that could assist in optimizing paths to key features on the Websites or eliminate problem areas.
The servers housing the Websites are configured to maintain anonymous logs that enumerate all HTTP requests sent to them. The University or select third-party vendors can use these logs to assist in troubleshooting problems that arise on the Websites or for insight into specific, although anonymous, usage of the Websites should the need arise. Log files are periodically purged.
There are a number of ways in which a site visitor can opt out or unsubscribe from elected communication subscriptions depending on the platform managing that communication and the medium (e.g., RSS, email, iCal, etc.).
Sharing of information
The University has the authority to use its discretion to grant access to data collected through the Websites to select institutional and/or third-party designees. However, the University will never sell, share, or rent this information for financial gain.
Acceptable use policy
The use of the Websites is governed by the University’s Network Acceptable Use Policy.
Changes to this policy
For further information contact: