Introduction:
The purpose of this policy is to address privacy concerns related to the overall www.cmu.edu domain, which includes all of the pages with names that start with www.cmu.edu or www.andrew.cmu.edu. This policy excludes those pages which already have authentication based on either IP address or password. This policy is to be used in conjunction with existing privacy policies, which have been listed at the end of this document.
Data Collection
Carnegie Mellon University does not collect any data on its main (www.cmu.edu) page, with the exception of information stored in server logs. Server logs store IP address information. Most of the web sites in the cmu domain which collect personally identifiable information, other than server logs, are password protected. However, the sites that are not password protected are limited to collecting personal information ONLY if there is consent from the user- for example an organization may collect email address information only if it is willingly provided by the user.
Data Sharing
In general, Carnegie Mellon Unversity abides by the policy that no personally identifiable data can be posted in the cmu domain about a user prior to a receiving consent from that said user. Thus, information posted in internet bulletin boards is allowable, since it is posted for the public to see with the consent of the user. The only exception to this opt-in policy is in the case of course web sites- faculty are allowed to post the name of a student in conjunction with his/her work. However, students are allowed to opt-out of this posting if they choose.
There is no third party (non-CMU affiliated) data sharing.
Access
Users are encouraged to contact the web master of any cmu domain site in which they see incorrect information about themselves posted. If the web masters are unresponsive, the user is encouraged to contact the Carnegie Mellon Privacy committee.
Cookie and Web Beacon policy
There are no cookies or web beacons on any site within the domain, unless they are there for authentication reasons, such as when one is accessing blackboard or the web portal, and such sites are out of the jurisdiction of this policy.
Security
The security of each web site within the cmu domain is the responsibility of the web master of that site.Further Recommendations
All other CMU divisions, which are not covered by this policy, are encouraged to create privacy policies for themselves. They are welcome to use this policy as a reference tool. When determining privacy regulation, divisions should examine a few specific points: what type of data is collected, for what purpose it is used, how long it is retained, whether users are allowed to access their respective data, and the level security kept during data transmission. Two good privacy guidelines to look at for reference are the Fair Information Practice principles as well as the European Union Directive.
Existing privacy-related policies: