The University endeavors to facilitate use of its computing resources, including for research, teaching, and work purposes, while protecting the University’s data resources and protecting the privacy of members of the University community. This document is intended to define the main principles and responsibilities regarding data security and privacy protection at the University. Data security rules apply to all the University’s employees and students, as well as to all users of the University’s systems and facilities, including guests, suppliers, and all kinds of contractors, whether they are present on University grounds or access the University’s data resources remotely.

The full document can be found here

Data Security Reporting Form

 

Introduction and Purpose

  1. The purpose of this document is to present the main points of the privacy protection policy applied at the Hebrew University and the rights of individuals about whom data is held. In certain cases, several policies or rules may apply. For example, a person surfing the University website will also be subject to the privacy policy of that website. 

  1. The Hebrew University (hereinafter “the University”) is committed to protecting the privacy of students, University employees, service providers, visitors, and others whose data it holds, and to managing the data it holds in accordance with all legal requirements, and in particular with the Privacy Protection Law (1981) and the regulations based on it, as well as the conditions of this policy document and other related polices. 

  1. The University will endeavor to promote principles of transparency and cooperation within the University and with other bodies in relation to its actions and the activities of its employees in the field of privacy protection. 

  1. The University will act in accordance with other statutory requirements from abroad and with international privacy protection regulation, such as the European Union’s General Data Protection Regulation (GDPR), under circumstances in which such statutes and/or regulations apply. 

Definitions

  1. “Data security” refers to the entirety of actions and means employed by the University with the aim of protecting the confidentiality, integrity, and accessibility of its data resources and protecting the privacy of users of its data resources. 

  1. “Data resources” refers to the University’s data resources as defined in the University’s Data Security Policy. 

  1. “Data security director” refers to the person responsible for and charged with protecting the University’s data resources. 

  1. “Privacy Protection Law” refers to the Privacy Protection Law (1981) and all regulations based on it. 

  1. “Data” or “personal data” refer to data concerning an individual’s personal characteristics, personal status, health status, financial status, professional training, opinions, and beliefs. 

  1. “Data subjects” refers to individuals about whom data is held. 

Privacy Protection Officer

For the purposes of privacy protection, the University has appointed a Privacy Protection Officer (hereinafter “the Officer”) who is responsible, among other things, for implementing privacy protection regulations at the University in accordance with relevant statutes. Similarly, the Officer serves as the main organizational address for queries regarding privacy protection issues, and reports to the relevant privacy protection authorities as necessary. On all issues with legal aspects, the Officer acts in coordination with the University’s Office of the General Counsel.  

The Privacy Protection Officer may be contacted via email at: privacy@huji.ac.il.  

Personal Data

The University receives, processes, and maintains data that includes, among others: personal details, place of work, socioeconomic data, health or medical data, data relating to studies, financial and economic data, employment and salary data, and other data, in accordance with data collection goals, circumstances, and legislation. 

Purposes of Data Use

data that is collected and processed by the University is used for carrying out the University’s tasks, activities, functions, and purposes. Without prejudice to the generality of the previous statement, those purposes include, among others: 

  1. Managing admissions procedures for accepting candidates to study programs 

  1. Managing teaching and studies 

  1. Managing systems for assistance, scholarships, and dormitories 

  1. Providing information and maintaining contact with candidates, students, and alumni 

  1. Managing human resources, including salary payments, pension and other rights, health, employee welfare, safety, and hygiene 

  1. Managing admissions procedures for hiring employees, and managing promotion procedures for faculty members 

  1. Managing financial and purchasing systems 

  1. Implementing safety laws, regulations, and policies, and maintaining public security and public order 

  1. Conducting research 

For these purposes, the The University is entitled to use any communication means, including electronic mail, text messages, automated dialing systems, and social media networks. 

Security and Monitoring Tools

The University makes use of a range of security and monitoring tools, both technological and others, for the purposes listed in the University’s policies and procedures, including its Data Protection Policy and Proper Use of Data Resources Policy. These security and monitoring tools will be operated in such a way as to protect the privacy of data subjects and to comply with legal requirements. 

Cookies and Other Technologies

The University uses cookies and other technologies on its internal and external websites for purposes of efficient service provision, data security, routine operations, and adaptation of services to individual users. Users may cancel or change their browser settings for saving cookies. 

Security

Installation, use, and operation of security cameras will be performed in accordance with legal requirements. 

Transferring Data

The University is entitled to transfer data to any third parties in Israel or abroad, in each of the following cases: 

  1. The transfer of data is in accordance with the purposes for which the data was provided. 

  1. The data subject has agreed to the transfer of data. 

  1. The transfer of data is conducted in accordance with a judicial warrant, or in response to an obligatory demand from an authority with the relevant powers, subject to legal requirements. 

  1. The transfer of data is conducted in accordance with the legal requirements relating to the transfer of data between public institutions. 

  1. When transferring data to a public institution, the University will abide by the relevant legal requirements. 

For the sake of clarity: The University will not transfer any data to any third party except in accordance with the provisions of this Privacy Policy. 

Confidentiality

All University employees and service providers who have access to data will be required to sign a confidentiality agreement relating to the protection of data confidentiality and to the restrictions on using such data only in the context of their work. 

Data Protection and Responsibility

  1. The University operates technological data security tools that are reasonable and accepted within the field of data security, in order to protect the data resources it holds, in accordance with the type of data and with legal requirements.  

  1. Every employee and user of the University’s data resources is fully responsible for acting in accordance with the law, with the rules of this policy, and with data security rules instituted by the University’s data security experts, including proper usage rules.  

Rights of Data Subjects

  1. Data subjects are entitled to ask to view their personal data or to amend this data. Data subjects are also entitled to demand that data about them which is used for direct mailing is deleted from the system or is not transferred to third parties. Such requests will be handled in accordance with and subject to the conditions and restrictions laid down in law. 

  1. Inquiries or requests relating to the rights of data subjects can be submitted via email to: privacy@huji.ac.il

Revisions

The University is entitled to alter the content of this policy from time to time. Substantive changes will only be made following consultation with representatives of the University’s faculty members. In all cases in which changes are made to this policy, the University will announce such changes by publishing the updated policy on its website, and will also notify all users via personal communication or some other means.