Privacy Policy

  • Medforth Global Healthcare Education (Medforth), and all included entities, needs to gather and use certain information about individuals in pursuit of its goal to support students’ educational goals. These individuals can include students, vendors, staff, faculty, and other people the organization develops contacts with.


    This policy is to define the processes for how personal data must be collected, handled, stored, and used to meet the organization’s data protection standards and comply with privacy laws.

  • The purpose of this policy is to ensure that Medforth protects data that it collects that may be of a personal, identifiable, or sensitive nature. This will further ensure that:

    • Data is used for the explicit purpose for which it was collected, with appropriate and explicit consent from the individual(s) it was collected from.
    • Data is stored with appropriate security in line with industry best practices, retained only as long as necessary based on operational need and regulatory guidance, and disposed of responsibly and completely.
    • Data is, where possible and when necessary, pseudo-anonymized to separate useful data from what makes that data identifiable to the individual.
    • Medforth is compliant with state, national, and international laws concerning privacy and data protection.
  • Terms found in this policy are defined as follows:

     Data – A collected set of values or items of information. A unit of information.

     Data Aggregation – Taking individual data sets and combining them to statistically analyze data trends while protecting individual privacy by using groups of individuals with similar characteristics rather than isolating one individual at a time. To effectively aggregate data so that it cannot be re-identified (or at least make it difficult to do so), the data set should: (1) have a large population of individuals; (2) be categorized to create broad sets of individuals; and (3) not include data that would be unique to a single individual in a data set.

     Data Breach – The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.

     Data Collection – The act of collecting or consuming data through active or passive means.

     Data Disposition – The act of disposing of or destroying data.

    Data Misuse – Using or processing data outside the bounds of the purpose for which it was collected.

     Data Processing – Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

     Data Retention – Within the information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose. Based on a Retention Schedule.

     Data Subject – An identified or identifiable natural person. In most cases a student, member of staff, or member of faculty.

     GDPR – General Data Protection Regulation. The data privacy laws governing the protection of Personal Data of residents of the European Union.

     Personal Data – The predominant term for Personal Information in the European Union, defined broadly in the General Data Protection Regulation as any information relating to an identified or identifiable natural person.

     Personally Identifiable Information – Any information about an individual, including any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linkable to an individual, such as medical, educational, financial, and employment information.

     Pseudo-Anonymization – The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

     Responsible Person – The person responsible for data protection within the organization.

     Register of Systems – A list of all systems or contexts in which Personal Data is processed by the organization.

     

    Retention Schedule – Documentation providing how long specific data should be kept based on organizational need, industry best practice, and regulatory requirements.

     

    Sensitive Information – Data which is more significantly related to the notion of a reasonable expectation of privacy, such as medical or financial information. However, data may be considered more or less sensitive depending on context or jurisdiction.

     

    Special Category Personal Data – As defined in Article 9 of the General Data Protection Regulation, personal information that reveals, for example, racial origin, political opinions or religious or other beliefs, as well as personal data that concerns health or sexual life or criminal convictions is considered to be in a special category and cannot be processed except under specific circumstances.

    1. Data Collection

    For the organization to operate, we need to obtain information, which may include any offline or online data that makes a person identifiable, such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data, etc.

    Data will be collected in a way that is transparent to the data subject, with their full cooperation and consent, for a specific purpose, and to as minimal a degree as possible. Collection will be fair and lawful.

     

    1. Data Processing and Use
      • Data collected will be used only for the purpose for which it was collected. Changes to its use will only occur with the consent of the data subject.
      • Processing of data will be within the legal and moral boundaries of the organization.
      • Data will be kept accurate and up-to-date.

     

    1. Mandatory Disclosure of Information
      • Medforth entities often receive subpoenas requiring the timely production of records or information pertaining to specific individuals or entities involved in potential or ongoing litigation.
      • All court orders, subpoenas, warrants, or other legal instruments must be immediately forwarded to the Office of the General Counsel. All other external requests for such information must be made in writing and referred to the Compliance Office.

     

    1. Information Security, Data Retention, and Disposition

    Data must be protected from unauthorized or illegal access by internal or external parties.

    1. Access Control
    • Access to sensitive data will be monitored and restricted.
    • Networks will be built to industry information security best practices to protect data from cyberattacks.
      1. Data Transfer
    • Data will only be transferred through secure means and only to organizations or individuals that have adequate data protection policies and capabilities.
    • Data will not be distributed to external parties other than those agreed upon by the data subject.
    • Data will only be transferred to vendors where there is an existing contract or Memorandum of Understanding (MoU) that contains clauses or schedules with language regarding the protection of data and compliance with privacy regulations.
      1. Pseudo-Anonymization

    Data will be pseudo-anonymized, when possible, in cases where it is necessary to aggregate information where personal identifiers are not necessary. Steps will be taken to ensure that the pseudo-anonymization is of sufficient complexity, and in alignment with best practice, to ensure that it cannot be de-anonymized.

    1. Storage

    Data will be stored securely, using commercially available technology, reasonably, and commensurate with industry best practices. The level of security for stored data will be proportionate to its level of sensitivity or to the specific legal, contractual, or regulatory specification. Sensitive PII and Special Category Personal Data shall be encrypted.

    1. Retention

    Data will only be stored for a specific time, and no longer than necessary for organization operations, or to comply with regulatory requirements.

    1. Disposition

    Data will be disposed of in a timely and secure fashion once the retention period of that data has expired. Electronic data will be destroyed in sufficient fashion based on best practices. Physical records containing personal data or PII shall be shredded.

    1. Data Breaches

    Procedures will be put in place for the prevention, detection, reporting, and remediation of data breaches or data misuse.

    1. Additional Information
      1. Educational Records

    Medforth adheres to the Family Educational Rights and Privacy Act (FERPA), which provides guidance for what constitutes a Student Record.

    • Student Records are composed of the following:
      • Admissions Records:
        • Application
        • Transcripts
        • Letter of Recommendation/Reference
        • Acceptance Letter
        • Other Admission Records
      • Registrar Records:
        • Registration Forms/Change of Grade (if applicable)
        • Academic Letters
        • Disciplinary Letters
        • Clinical Evaluations
        • Standardized Exam Scores
        • Licensing Paperwork
        • Regulatory Paperwork
      • Financial Aid:
        • Eligibility Documentation
        • Financial Aid Correspondence
    1. Rights of the Data Subject
    • Data subjects have the right to know:
      • Which of their data is being collected
      • How it will be processed
      • Who has access to their data
    • Data subjects have the right to request:
      • Access to the data we collect on them
      • The data be modified in cases where it may be incorrect
      • That data be destroyed or that they be forgotten, in cases where it does not contradict other regulatory requirements for the preservation of data.
    1. Disciplinary Action

    All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possibly legal action.

  • Relevant dates of this policy are as follows:

    • Approval Date – TBD
    • Effective Date – TBD
    • Last Reviewed Date – TBD
    • Review Cycle – Yearly