´óÏó´«Ã½ Privacy Policy
Master Data Use Agreement
Effective Date: This policy and the policies shared herein are effective as of May 1, 2023.
Contents
Annex 1 – Organizational Data Use Policy
Annex 2 – Data Sensitivity Levels Chart
Introduction
´óÏó´«Ã½ is committed to providing quality business education and promoting positive societal impact. As a leading organization in business education, we understand that data plays a critical role in achieving these goals. Data enables us to make informed decisions, measure progress, and evaluate the effectiveness of our initiatives.
By leveraging data, we can better understand the needs and expectations of our membership. This, in turn, allows us to improve the quality of our products and services, including accreditation, our learning and development offerings, and more. Additionally, data can help us identify and address societal issues, such as sustainability and diversity, and measure the impact of our efforts to promote positive change.
Protecting and responsibly using data is essential for maintaining the trust and confidence of our membership. By adhering to our data policies and best practices, we can ensure that the data we collect and use is accurate, reliable, and protected from misuse or unauthorized access.
It is important to understand the distinction between data collected about natural persons and data reported about institutions. Here are the key terms we use in this Master Data Use Agreement:
“Personal Data” refers to any information that identifies or relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual.
“Sensitive Personal Data” refers to the subset of Personal Data subject to laws requiring special safeguards against misuse or access by unauthorized parties. Sensitive Personal Data includes government issued identification numbers such Social Security, national ID, driver’s license or passport, information that can be used to access a financial or online account, health-related, genetic, biometric information and, in some jurisdictions, information about race and ethnic origin, religious, political and philosophical beliefs, and sexual matters.
“Organizational Data” refers to confidential information that ´óÏó´«Ã½ receives about business schools, universities, and corporations, including our Business Members and institutions participating in the accreditation process. Although Organizational Data is not protected by law, ´óÏó´«Ã½ is committed to implementing appropriate measures to protect the confidentiality and authorized use of Organizational Data.
We use our Data Sensitivity Levels Chart (Annex 2) to guide us in determining what data can be shared and for what purposes and the appropriate security measures depending on the level of sensitivity. See Exhibit 1, below, for more information on the chart.
We update this Master Data Use Agreement and our policies and practices periodically to reflect changes in relevant laws, technology, and data collection practices. We invite you to provide us with feedback about our data usage practices and policies by completing or contacting us with your comments at:
[email protected]
+1 813 769 6500 USA
Organizational Data Use Policy
The Organizational Data Use Policy is provided in Annex 1, to this Master Data Use Agreement. Our Organizational Data Use Policy governs how we collect, use, share, and protect confidential information entrusted to us by business schools, universities, corporations, and other entities that participate in the accreditation process, are business members of ´óÏó´«Ã½, or partner with us in other ways.
Personal Data Privacy Policy
The ´óÏó´«Ã½ Privacy Policy as currently in effect is posted at a link on our websites and user portals. Our Privacy Policy is incorporated by reference into and part of this Master Data Use Policy and Agreement.
As a provider of accreditation services for clients in the global market, we are committed to the protecting the personal data of our members and meeting the data privacy standards expected in different countries. As we seek to achieve that objective, ´óÏó´«Ã½ is working to align its privacy program to align with the principles of the General Data Protection Regulation including:
- Updating our Privacy Policy to provide current information on the types of personal data collected, used, and disclosed to third parties;
- Reviewing and updating agreements with parties with whom we may share personal data, ensuring their commitment to data protection; and
- Creating new artifacts and documentation to support our alignment with the principles and standards of the GDPR.
Terms of Use for ´óÏó´«Ã½ Websites and the ´óÏó´«Ã½ Exchange
The Terms of Use for ´óÏó´«Ã½ websites and the ´óÏó´«Ã½ Exchange as currently in effect is posted at a link on our websites and user portals. The Terms of Use is incorporated by reference into and part of this Master Data Use Agreement.
Data Sensitivity Levels Chart
The ´óÏó´«Ã½ Data Sensitivity Chart is provided in Annex 2 to this Master Data Use Agreement.
Annex 1 – Organizational Data Use Policy
Effective Date: May 1, 2023
Introduction
´óÏó´«Ã½ collects, uses and shares Organizational Data in a variety of ways: in the accreditation process; to support ´óÏó´«Ã½ member organization profiles; and to produce research and reporting on the business education landscape. We are committed to being a responsible data steward and recognize the importance of protecting the confidentiality and proper use of the Organizational Data reported to us by our members, accreditation volunteers, and partners (collectively, “Users”).
This Organizational Data Use Policy describes the purposes for which we collect, use, and share Organizational Data in ways that are identifiable with a specific business school or other organization and in anonymized form.
´óÏó´«Ã½ reserves the right to make changes to this Organizational Data Use Policy from time to time to reflect developments in our business and data collection needs and practices and changes in applicable laws and technology. We will post our updated Organizational Data Use Policy at links on our websites and identify substantive changes from the preceding version. We ask our members and volunteers to check regularly for these changes. Your continued use of ´óÏó´«Ã½'s products and services following the effective date of any updates or changes to this Organizational Data Use Policy indicates your acceptance of the current version of our Organizational Data Use Policy.
How We Use Organizational Data
Chief among our responsibilities to our Users is to use the data you report to us in a manner that is consistent with your expectations and to enhance the quality of our services to ´óÏó´«Ã½’s membership by advancing ´óÏó´«Ã½’s mission to foster engagement, accelerating innovation, and amplifying impact in business education. As such, we seek to collect, process, and transform the data you provide into valuable insights to better inform our services and operations and to develop new resources for our User communities.
Our general rule of thumb is to collect Organizational Data we believe we can use to develop useful insights from us. As such, we will endeavor to find ways to make the time you spend sharing information with us worth your while, by giving you access to insights which will help you in your role.
´óÏó´«Ã½’s Key Principles For Data Sharing
Cross-platform usage. Subject to the data sharing restrictions in our Data Sensitivity Levels Chart (Exhibit 1 hereto), data collected by ´óÏó´«Ã½ on any application or platform may be shared using other ´óÏó´«Ã½ applications and platforms and will not be limited to the source location where it is collected. This means that data shared with ´óÏó´«Ã½ via a survey may be shared in a report elsewhere, and other iterations. This data may be shared with partners, members, and other Users.
Access is key. We believe that sharing is critical to business education’s future success, including the sharing of information among schools. ´óÏó´«Ã½ will serve as an intermediary in the exchange of useful information. We ask ´óÏó´«Ã½’s members to contribute to our growing, collective understanding of business education, so that we may all benefit, and help chart the path forward appropriately.
Respect for Data Sensitivity. Access must be structured to meet our members’ and users’ expectations and legal requirements for confidentiality and data protection. We have adopted the Data Sensitivity Levels Chart in Exhibit I to this Policy to guide decision-making about appropriate data sharing.
Not data, insights. When you share data with us, we do not expect that you will also have to put in a lot of work to get value out of what we provide back to you. We take our responsibility as stewards of these resources carefully and will not just be responsible for using these data but will undertake to make the data useful. Wherever possible, we will publish tools and reports to reduce some of the burden for unlocking insights that can be derived from the data.
Focus on connections. We believe that business schools are better when connected, and ´óÏó´«Ã½ can provide a platform for business schools to connect with their peers. By providing ´óÏó´«Ã½ with your institution’s data, we will use it to help form these connections to further build out our educational community.
Our Responsibilities
As ´óÏó´«Ã½, we are committed to responsible handling of the data we collect, including by doing the following.
- Take reasonable steps to ensure that any data we collect is (i) accurate, up-to-date, necessary for the purposes for which it is to be used, and (ii) collected, used, and disclosed in accordance with legal obligations.
- Protect data from unauthorized access, use, or disclosure. We have implemented technical and organizational measures to protect data from unauthorized access, use or disclosure.
- Regularly review and update data protection and usage policies. We will review our data policies on a regular basis to ensure they are current and effective.
- ´óÏó´«Ã½ will presume that submission of Organizational Data by the organization’s authorized User has been duly approved as official data of the organization for transmission to ´óÏó´«Ã½.
Incident Response
When ´óÏó´«Ã½ becomes aware of an incident that implicates the organization’s information, we will notify the organization about the incident without undue delay and assist the organization to respond and take suitable further steps in respect of the incident. Further steps may include any legally required notification to data subjects and authorities, as well as other required legal obligations.
User’s Responsibilities
As a user of ´óÏó´«Ã½’s assets, you will have access to a variety of products and services. Depending upon your organization’s membership status and relationship with ´óÏó´«Ã½, you may have access to additional products and services. In your use of these products and services (typically, anything found within an aacsb.edu domain)., you will be required to comply with:
- Master Data Use Agreement including applicable Annexes
- Terms of Use
- Statement of User Responsibilities for Organizational Data below
- Data Privacy Policy
We encourage you to review these documents regularly to stay informed of any updates or changes. ´óÏó´«Ã½ International will follow up with reporting members if data seem inconsistent with specified definitions.
Statement of User Responsibilities for Organizational Data
This Statement of User Responsibilities describes your responsibilities when using ´óÏó´«Ã½’s platforms, products, and services. We consider users to be anyone who utilizes ´óÏó´«Ã½ websites or services. By using ´óÏó´«Ã½'s products and services, you are agreeing to these Statement of User Responsibilities, our Terms of Use, and our Data Privacy Policy.
- As a registered user, you agree to:
- Comply with our Terms of Use, Data Privacy Policy, Organizational Data Usage Policy, and this Statement of User Responsibilities.
- Provide accurate and complete information when creating an account and using ´óÏó´«Ã½'s products and services including posting submissions on the ´óÏó´«Ã½ Exchange.
- Promptly notify ´óÏó´«Ã½ of any suspected or actual unauthorized access to or use of your account or unauthorized access to or use of data provided by ´óÏó´«Ã½.
- When accessing data provided by ´óÏó´«Ã½, you agree to use such data in accordance with the following responsibilities:
- Data provided by ´óÏó´«Ã½ must not be re-sold, transferred, re-published, or used for any other purpose without the prior written permission of ´óÏó´«Ã½ International.
- The export of the ´óÏó´«Ã½ data into shared systems or other redistribution of the data for broader access is also prohibited.
- Data access is non-transferable and is not approved for use by individuals other than the account owner.
- When accessing data within ´óÏó´«Ã½’s portals and platforms, data and access shall not be released to anyone outside of the authorized users within the organization.
- Data attributed or identifiable to individual schools is not permitted to be published or distributed outside of the organization who requested access to the data without the prior written consent of ´óÏó´«Ã½.
- Data derived from ´óÏó´«Ã½ may not be re-posted, republished, or externally distributed without the prior written consent of ´óÏó´«Ã½.
- Any data or derived data used, utilized, relied upon, referenced, or referred to for approved internal purposes shall cite ´óÏó´«Ã½ International as the source. Use ´óÏó´«Ã½ products and services by anyone other than the individual to which the account is assigned is prohibited.
- When submitting data to ´óÏó´«Ã½ on behalf of your organization, you agree to: Abide by the ´óÏó´«Ã½ condition of membership by educational institutions in the Business Education Alliance (in accordance with the ´óÏó´«Ã½ International Articles of Incorporation and Bylaws) to provide accurate descriptions of programs or degrees offered in relevant surveys
• Provide complete and accurate information in response to requests by ´óÏó´«Ã½.
- Abide by the ´óÏó´«Ã½ condition of membership by educational institutions in the Business Education Alliance (in accordance with the ´óÏó´«Ã½ International Articles of Incorporation and Bylaws) to provide accurate descriptions of programs or degrees offered in relevant surveys
- Provide complete and accurate information in response to requests by ´óÏó´«Ã½.
Uses of Organizational Data
We are committed to being a responsible data steward and will use Organizational Data for specific purposes that help us enhance our products and services, produce reports, support ´óÏó´«Ã½ member organization profiles, and support research and reporting on the business education landscape. ´óÏó´«Ã½ retains the right of providing access to the data for a nominal fee, always upholding the confidentiality and sensitivity stipulations outlined below. ´óÏó´«Ã½ further has the right to grant additional features related to the insights derived from our data for a paid fee to help support further development. That said, our end goal is to use the Organizational Data you provide to us to develop valuable insights that will help us better inform services and operations or provide you with new resources directly.
The data will used in accordance with the Data Sensitivity Levels, including but not limited to, improving ´óÏó´«Ã½’s products and services, producing reports, supporting ´óÏó´«Ã½ member organization profiles, and supporting research and reporting on the business education landscape.
We recognize the importance of protecting the confidentiality of the data reported to us by our clients and partners, and we are committed to using a sensitivity matrix to determine what data can be shared and for what purposes.
Confidentiality of Organizational Data
´óÏó´«Ã½ will responsibly steward the data such that confidentiality of any data that could identify a specific organization will be protected. When Organizational Data is to be used and shared for research, statistical purposes, or similar purposes, it will be aggregated and anonymized wherever possible.
Data may be reported to ´óÏó´«Ã½ in various formats, including electronic, paper, or verbal. Data reported to ´óÏó´«Ã½ may include, but is not limited to, information about an organization's financial performance, management practices, governance structure, enrollment, best practices, and operations. Data may be collected from various sources, including the organization itself, government agencies, independent research firms, volunteer accreditation reviewers, and other third parties.
Retention of Organizational Data
´óÏó´«Ã½ retains Organizational Data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law. Once Organizational Data is no longer necessary or required, it will be securely deleted or anonymized to prevent identification of any individuals or organizations. ´óÏó´«Ã½ is committed to being a responsible data steward and will ensure that Organizational Data is disposed of in a secure and responsible manner.
Security of Organizational Data
´óÏó´«Ã½ will take appropriate measures to ensure the security of the Organizational Data and to protect against unauthorized access, use, or disclosure. ´óÏó´«Ã½ employs a variety of technical and organizational measures for protecting and safeguarding Organizational Data within its control, including using established minimum-security measures that protect the confidentiality and security of data held. ´óÏó´«Ã½ extends such standards to service providers it uses to process Organizational Data. Controls in place to protect Organizational Data include, for example: physical access controls to ´óÏó´«Ã½ premises and data, logical access controls to ensure only appropriate access to company systems and data from authorized individuals, transfer controls used to protect data during electronic transmission, and availability controls to ensure that stored data are protected against loss or destruction.
ANNEX 2 - Data Sensitivity Levels (Exhibit 1 to Organizational Data Use Policy)
We recognize that some data is more sensitive than others and requires additional safeguards to protect it. To ensure the appropriate level of protection is applied to data, we have established a system of four data sensitivity levels.
Data sensitivity levels range from Green (least sensitive) to Red (most sensitive). The level of sensitivity is determined by the potential impact on individuals or the organization if the data were to be disclosed, altered, or otherwise misused.
Level of Sensitivity | Definition | Access |
Green | Classes of data that are already publicly available. Examples: school names, mission statements, programs offered |
Public |
Yellow | Classes of data that are attributable to the reporting school but cannot be used to identify individuals. Examples: enrollments, admissions, operating budgets |
Controlled |
Orange | Classes of data that cannot be used alone to identify someone but could compromise a natural person if it was known that this data belonged to that person, or which is confidential and not attributable to a specific reporting school. Examples: individual salary data, aggregated ethnicity data, uses/sources of operating funds, accreditation reports |
Controlled Aggregations |
Red | Classes of data that are protected by law or can be used to personally identify a natural person (PII). Examples: email, name, bank and credit card information |
Restricted to ´óÏó´«Ã½ and Data Owners |
for more examples regarding ´óÏó´«Ã½ data sensitivity.
At ´óÏó´«Ã½, we use these levels to guide the sharing of Organizational Data and Personal Data. This helps us ensure that sensitive data is protected and that only authorized individuals or organizations have access to it.
We have established appropriate access controls and security measures to protect data at each sensitivity level. Only authorized individuals with a legitimate business need have access to data at higher sensitivity levels.
Of particular importance, please note that information submitted to ´óÏó´«Ã½ as part of the accreditation process, including school reports, is classified at an 'orange' level of sensitivity. Consequently, this data will only be shared in aggregated form, without attributing it to specific schools. Exceptions to this rule can be made only when the official representative of the reporting school provides explicit consent for individualized attribution.
We regularly review our Data Sensitivity Levels to ensure that they are accurate and up to date. If you have any questions or concerns about the sensitivity level of data at ´óÏó´«Ã½, please contact us.