Data Privacy

University System of Georgia

Institutional Guide

This institutional guide provides an overview of the steps each USG institution should work through to meet the new USG Data Privacy requirements within BPM Section 12.6.

Requirements:

DUE DECEMBER 31, 2021

  1. Institutional consent forms collecting PII must require a human action.
  2. Website privacy disclaimers that provide access to the privacy notice, list a point of contact, and offer a human action are present on the following institutional webpages: (1) home page; (2) human resources page; (3) admissions pages (undergraduate and graduate); and (4) foundation home page (if any).
  3. Institution’s privacy notice/policy is online with a point of contact.

DUE JUNE 30, 2022

  1. Institution has supplier management processes in place to identify any data security requirements and embed, when appropriate, those data security requirements in any contracts/agreements.

DUE DECEMBER 31, 2022

  1. Institution has implemented a formal process for data subjects to submit a request, which also tracks the processing of the data subject request (DSR) from open to close.

DUE DECEMBER 31, 2023

  1. Institution has:

    a. identified and documented all instances of personal data within the scope of the institution’s business activities, processes and supporting systems, developing an institutional record of processing activities (RoPA); and,

    b. developed and implemented a plan to execute and maintain the RoPA.

Institutional Steps

Step One: Establish contact with the USG Office of Ethics and Compliance for institutional reporting.

Step Two: Review the BPM Section 12.6 Data Privacy requirements, utilizing the Privacy Checklist (and GDPR Checklist, if applicable to your institution).

Step Three: Determine institutional compliance with the BPM Section 12.6 Data Privacy requirements due December 31, 2021, and communicate compliance status to the USG Office of Ethics and Compliance. If the institution is not in compliance, work towards compliance by December 31, 2021.

Step Four: Review the Data Subject Request (DSR) Process Guide.

Step Five: Determine institutional compliance with the BPM Section 12.6 Data Privacy requirement that a formal DSR Process be implemented within the institution by December 31, 2022, and communicate compliance status to the USG Office of Ethics and Compliance. If the institution is not in compliance, work towards compliance by December 31, 2022, using the steps in the DSR Process Guide.

Step Six: Review the Record of Processing Activity (RoPA) Process Guide.

Step Seven: Determine institutional compliance with the BPM Section 12.6 Data Privacy requirement that the RoPA be completed and maintained within the institution by December 31, 2023, and communicate compliance status to the USG Office of Ethics and Compliance. If the institution is not in compliance, work towards compliance by December 31, 2023, using the steps in the RoPA Process Guide.

Requirements Overview Webinar:

April 2, 2021 Introduction to BPM Section 12.6 Data Privacy Webinar