Independent School Health Check

Applicability

This privacy notice applies only to the Independent School Health Check administered by the Center for Survey Research (CSR ) and explains our practices concerning the collection, use, and disclosure of visitor information. Visitor information collected by CSR will be used only as outlined in this privacy notice.

Other units at the university may collect and use visitor information in different ways. Therefore, visitors to other university websites should review the privacy notices for the particular sites they visit. The Center for Survey Research is not responsible for the content of other websites or for the privacy practices of websites outside the scope of this notice.

Changes

Because Internet technologies continue to evolve rapidly, the Center for Survey Research may make appropriate changes to this notice in the future. Any such changes will be consistent with our commitment to respecting visitor privacy, and will be clearly posted in a revised privacy notice.

Collection and Use

Passive/Automatic Collection

When you view pages on our site, the web server automatically collects certain technical information from your computer and about your connection including:

• Your IP address
• The domain name from which you visit our site
• User-specific information on which pages are visited
• Aggregate information on pages visited
• The date and time of visit
• The duration of visit
• Your browser type
• Your screen resolution

Continued use of our website indicates consent to the collection, use, and disclosure of this information as described in this notice.

Some technical information is retained in aggregate for up to 5 years.

Active/Manual/Voluntary Collection

Other than automatically collected technical information about your visit (described above, or cookies, described below), we may ask you to provide information voluntarily, such as through forms or other manual input—in order to make services available to you, including providing associated services or to better understand and serve your needs. Your providing this information is wholly voluntary. However, not providing the requested information (or subsequently asking that the data be removed) may affect our ability to deliver the products or service for which the information is needed. Providing the requested information indicates your consent to the collection, use, and disclosure of this information as described in this notice.

Information we may actively collect could include:

• Information volunteered by the survey participant as part of the survey instrument

Information Sharing

We do not share any aggregate, non-personally identifiable information with other entities or organizations other than the National Association of Independent Schools .

We do not collect or share any personally identifiable information with other entities or organizations, except when legally required to do so, at the request of governmental authorities conducting an investigation, to verify or enforce compliance with the policies governing our website and applicable laws, or to protect against misuse or unauthorized use of our website.

Except as described above, we will not share any information with any party for any reason.

Except as provided in the Disclosure of Information section below, we do not attempt to use the technical information discussed in this section to identify individual visitors.

Cookies

A cookie is a small data file that is written to your hard drive that contains information about your visit to a web page. If you prefer not to receive cookies, you may configure your browser not to accept them at all, or to notify and require approval before accepting new cookies. Some web pages/sites may not function properly if the cookies are turned off, or you may have to provide the same information each time you visit those pages.

In order to customize the information and services offered to you, our site uses cookies to:

• Record session information
• Record user-specific information on what pages users access or visit
• To record past activity at a site in order to provide better service when visitors return to our site

Use of Third Party Services

Our website does not utilize any types of services provided by third parties.

Security

Due to the rapidly evolving nature of information technologies, no transmission of information over the Internet can be guaranteed to be completely secure. While Indiana University is committed to protecting user privacy, IU cannot guarantee the security of any information users transmit to university sites, and users do so at their own risk.

• We have appropriate security measures in place in our physical facilities to protect against the loss, misuse, or alteration of information that we have collected from you at our site.
• Once we receive user information, we will use reasonable safeguards consistent with prevailing industry standards and commensurate with the sensitivity of the data being stored to maintain the security of that information on our systems.
• We will comply with all applicable federal, state and local laws regarding the privacy and security of user information.
• The computing environment at the CSR requires and maintains a high level of computer and data security per the policies governing IU information technology resources and data. The University Information Technology Services Policy Office (UIPO) at IU provides a baseline level of enforced security requirements including protocols to prevent unauthorized access to IU computers. The CSR computing staff uses industry standard best practices as our security procedures. Each CSR workstation is updated daily with virus protection software. CSR endpoints are scanned daily for needed security patches and hot-fixes. The centralized security server deploys all needed Microsoft security patches each night and machines are audited weekly to verify security patches are up to date.
• The CSR employs the Principle of Least Privilege when assigning access rights to staff. The systems administration staff has designed a number of processes for preventing intrusions or data loss on the CSR's servers. Remote access to the servers is tightly controlled by user IDs, passwords, and two-factor authentication through DUO. Physical access to servers is restricted per the security protocols of IU's data center. Access to directories on the file servers is restricted to only those employees who need access. Security processes similar to those run on the workstations are used to prevent, detect, and repair security problems on the servers. The servers are located on a range of private IP addresses restricting their access from the outside world. The servers sit behind a network firewall, and employ their own machine firewall. IU provides security scanning of our servers to look for possible problems and the computing staff carefully monitors server event logs for possible attempts at intrusion. Individual workstations are part of a Virtual Lan (VLAN) which allows even greater restriction of access. Any remote access requires remote authorization and a connection using an SSL VPN behind two-factor authentication.
• The files on the servers are backed up each night, and all project data is encrypted at-rest within the backup. The file and web servers are virtual systems employing RAID 5 technology to insure that a disk failure will not cause any loss of data. They are located in a modern class 4 data center designed to meet FEMA standards for surviving an F5 tornado among other natural disasters. The building is staffed 24x7 and employs all modern physical security measures.
• The CSR uses 2048-bit public key encryption with a 128-bit SSL connection to ensure the security of survey and other sensitive data that are transmitted acrossthe Internet. The digital certificates were issued by InCommon/COMODO and are used by the survey respondent's browser to verify that the user is connected to the website that matches the name in the URL. The browser and the server then encrypt and exchange keys that are used to encrypt the remainder of the session. Through the use of these keys, the data are transmitted using the SSL. The security procedures used by the CSR are equal to or surpass the requirements for transmitting confidential information.

Links to non-university sites

Indiana University is not responsible for the availability, content, or privacy practices of non-university sites. Non-university sites are not bound by this site privacy notice policy and may or may not have their own privacy policies.

Privacy Notice Changes

From time to time, we may use visitor information for new, unanticipated uses not previously disclosed in our privacy notice.

We will contact you before we use your data for these new purposes to notify you of the policy change and to provide you with the ability to opt out of these new uses.

Visitors may prevent their information from being used for purposes other than those for which it was originally collected by:

• Sending us email at the listed address
• Calling us at the listed telephone number

Contact Information

If you have questions or concerns about this policy, please contact us.

Center for Survey Research
ATTN: Research Technologies
1165 E Third St
Bloomington, Indiana 47405
csrtech@indiana.edu
812-856-0779

If you feel that this site is not following its stated policy and communicating with the owner of this site does not resolve the matter, or if you have general questions or concerns about privacy or information technology policy at Indiana University, please contact the chief privacy officer through the University Information Policy Office, 812-855-UIPO, privacy@iu.edu.