Executive Policy 2.219 Executive Policy 2.219

Student Online Data Protection Requirements for Third Party Vendors

Executive Policy Chapter 2, Administration
Executive Policy Section EP 2.219, Student Online Data Protection Requirements for Third Party Vendors
Effective Date:  December 2025
Prior Dates Amended:  July 2021
Responsible Office:  Office of the Vice President for Information Technology / Chief Information Officer
Governing Board of Regents Policy:  RP 2.202, Duties of the President
Review Date:  December 2027

The University recognizes the use of online instructional materials, such as e-textbooks and software tools and services, can enhance and provide better educational experiences for students. The use of these products and services, however, may require the disclosure of Student Data to Third Party Vendors, leading to potential concerns over privacy and the commercialization of Student Data.

This Policy sets forth the University’s expectations of how our Student Data shall be managed by external parties by: (1) establishing institutional requirements that limit the ways in which Third Party Vendors who enter into contracts with the University can use Student Data as part of the delivery of good and services; (2) making it easier for faculty and programs to determine whether a Third Party Vendor’s may be violating students’ privacy and using Student Data for financial gain.

This Policy is applicable to any formal or informal agreements, including free online subscriptions, made by faculty and programs that require students to use products directly from Third Party Vendors for School Purposes. This policy is not intended to prohibit students from entering into third party contracts independently for products they deem appropriate for their studies.

1. “Student Data” means personally identifiable information, or information that is linked or related to personally identifiable information, in any media or format that is not publicly available, and is:


1. Created by or provided to a Third Party Vendor by a student, or the student’s parent or legal guardian, in the course of the student’s, parent’s, or legal guardian’s use of the Third Party Vendor’s website, service, or application for School Purposes;


2. Created by or provided to a Third Party Vendor by an employee or agent of the University for School Purposes; or


3. Gathered by a Third Party Vendor through the operation of its website, service, or application for School Purposes and personally identifies a student, including, without limitation, information in the student’s educational record, email address, names, geographic information, phone number or other information that allows physical or electronic contact, discipline records, test results, grades, evaluations, social security number, socioeconomic information, political or religious affiliation, photos, voice recordings, or geolocation information.


2. “De-Identified Student Data” means Student Data that excludes all personal identifiers, including, without limitation, names, geographic information, phone numbers, email addresses, social security numbers, account numbers, license numbers, device IDs and serial numbers, URLs, IP addresses, biometric identifiers, full face photos and comparable images, and any other unique numbers, characteristics, or codes, such that the identity of any individual is not recognizable and that such Student Data cannot be reconstructed or re-identified, whether intentionally or inadvertently.


3. “Third Party Vendor” means a private, non-University, operator of a website, online service, online application, or mobile application that is providing goods or services to University students under any kind of agreement with the University, including contracts, invoices, memoranda of understanding, terms of service, and other similar arrangements.


4. “School Purposes” means purposes that are directed by or that customarily take place at the direction of the University; that aid in the administration of University activities, including, without limitation, classroom or online instruction, administrative activities, and/or communication between faculty, students, or other University officials, employees, or agents; or that are otherwise for the benefit of the University and/or University students.


5. “Targeted Advertising” means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred from that student’s online behavior, usage of applications, or other information. “Targeted advertising” does not include advertising to a student at an online location based upon that student’s current visit to that location, or in response to that student’s request for information or feedback, without the retention of that student’s online activities or requests over time for the purpose of targeting subsequent advertisements.


6. “Cookies” are small pieces of data stored on a device by a website that a user visited. The purpose is to help the website remember certain information about the user.
   
   1. “Essential Cookies” are necessary for a website’s basic operation. Without them, certain features of the site may not work properly.
   
   
   2. “Functional Cookies” enhance the user’s browsing experience by remembering preferences and customizations.
   
   
   3. “Performance Cookies” collect and analyze data about how the user interacts with the website to improve its performance and functionality.
   
   
   4. “Advertising Cookies” track browsing habits across various websites, building a profile of the user’s interests to serve the user personalized ads.
   
   
   5. “Social Media Cookies” enable the user to share content or interact with social media features, track activity across different websites to personalize the social media experience, provide recommendations, and display personalized ads.

1. A Third Party Vendor shall not knowingly do any of the following:
   
   1. Engage in Targeted Advertising based upon Student Data that the Third Party Vendor has acquired for School Purposes;
   
   
   2. Engage in Targeted Advertising through Advertising Cookies and Social Media Cookies that the Third Party Vendor has acquired as a result of School Purposes, unless the Third Party Vendor offers a simple and visible method to opt out of targeted advertising. Since UH faculty and programs select which software or services to use in the classroom or for support services, they are expected to notify students where the opt out instructions reside in the Third Party Vendor’s privacy policy.
   
   
   3. Use Student Data to amass a profile about a student except in furtherance of School Purposes.  As used herein, “amass a profile” does not include the collection and retention of account information that remains under the control of the student, the student’s parent or guardian, or the University;
   
   
   4. Sell or rent access to Student Data at any time for any reason;
   
   
   5. Disclose Student Data, unless the disclosure is made for the following purposes:
   
   
   1. In furtherance of School Purposes, if the recipient of the Student Data is contractually bound not to disclose such information under terms and conditions consistent with those contained in this Policy;
   
   
   2. To ensure legal and regulatory compliance;
   
   
   3. To respond to or participate in the judicial process;
   
   
   4. To protect the safety or integrity of University students; or
   
   
   5. For an educational or employment purpose requested by the student or the student’s parent or guardian, provided that the Student Data is not further disclosed for any other purpose; or
   
   
   6. Update or alter the terms of any contract or agreement governing the collection and control of Student data without the prior written consent of the University.
   
   
2. To be eligible to sell through the University bookstore, Third Party Vendors are expected to meet and follow best practices for handling student data as outlined in Appendix A.


3. Nothing herein shall prohibit a Third Party Vendor from doing any of the following:


1. Using De-Identified Student Data to improve educational products;


2. Recommending to a student additional content relating to School Purposes as long as the recommendation is not based, in whole or in part, upon payment or other consideration by another third party;


3. Merging or otherwise being acquired by another entity provided that the successor entity is required by agreement to comply with all of the terms and conditions herein.


4. For products that prescribe the submission of Student Data, programs shall only authorize products that are compliant with this Policy. If the product terms are inconsistent with the Policy, programs will attempt to negotiate out those terms or choose another Third Party Vendor’s product with consistent terms.

There is no policy specific delegation of authority.

Data Governance Office
Sandra Furuto, 956-7487, yano@hawaii.edu

Executive Policy EP2.215, Institutional Data Governance, provides the overall structure for the University’s data governance program. It describes the fundamental principles and best practices governing the management and use of Institutional Data and stewardship roles and responsibilities. Executive Policy EP2.219 is a supporting policy focused on protecting student data from being used by online vendors for financial gain.

These and other University of Hawai‘i executive policies, State of Hawai‘i Revised Statutes, and external regulations that relate to data governance are available here.

No Exhibits and Appendices found

    President