External Acceptable Use Policy

You are accessing an Institute of International Education (hereafter IIE) Information System (IS) which is provided for IIE-authorized useYou are accessing an Institute of International Education (hereafter IIE) Information System which is provided for IIE-authorized use only. This Information System contains personal data and/or special categories of personal data. By using it, you consent to the following conditions.

You agree that the following activities are prohibited on IIE-owned and managed networks and systems:

• The unauthorized processing, storage, transmission and/or removal of personal data (e.g. corporate and program, IIE intellectual property, etc.) from the boundary of IIE-approved systems and resources.
• Accessing the personal data of users, applicants, grantees, alumni, donors, sponsors, business partners, employees, servers, systems or an account for any purpose other than to conduct relevant business, even if the individual has authorized access.
• Revealing system passwords or allowing use of IIE technology services to others.
• Disrupting the ability to access user accounts or restricting system and/or network access.
• Introducing malicious programs and/or performing unauthorized system-monitoring on IIE assets, networks or servers.
• Circumventing present and future security and/or privacy settings of any IIE asset, network or account.

You confirm that you will:

• Log out of the Information System when you are not actively working in it.
• Notify IIE immediately at privacy@iie.org in the event of a breach of the security of the confidential data in the Information System or any other system associated with IIE.

Data Protection

This agreement applies when you and/or your organization processes personal data on behalf of IIE, which may include data about IIE program applicants, participants, IIE employees, contractors or any other individuals with whom IIE does business (“Data Subjects”). This agreement stipulates how personal data will be processed as part of this business relationship to ensure that IIE’s high standard of data protection is maintained.

Please review the IIE Privacy Statement, which provides notice about how IIE processes personal data, including the types of data processed, the purpose of processing and with whom personal data might be shared.

You agree to the following:

• I will comply with all applicable data protection laws and regulations, including any relevant international, state or local laws, such as the General Data Protection Regulation.
• I will only process personal data that is necessary to carry out this specific purpose. I will not process any personal data that is unnecessary or falls outside the specified purpose. 
• I will retain data for only as long as necessary to carry out the specified purpose and/or to comply with any relevant laws and regulations surrounding record retention.
• I will assist IIE fully in carrying out Data Subject requests, including the right of access, erasure, portability, correction, restriction and objection. I will notify IIE within one business day if I receive any requests from Data Subjects directly.
• I will notify IIE within one business day if I receive any requests related to personal data, including the request to disclose personal data pursuant to a lawful order or requirement of a court, administrative agency, or other governmental body having jurisdiction over the specified purpose.
• I will not duplicate, use, or disclose personal data, in whole or in part, except to the extent necessary to carry out the specified purpose.
• I will not share or sell personal data or associated materials to any third parties unless explicitly granted permission by IIE to do so.

To further protect personal data, you agree to the following specific data protection actions. 

I will secure, or otherwise protect, any files which contain personal data.

All personal data at rest and in-transit must be handled with the utmost care to protect against theft and unauthorized access. I will utilize industry-standard encryption methods to store, process and transmit all personal data. 

I will not open any files which contain personal data on a public computer, such as in a library or internet café. 

If I download files which contain personal data to my personal computer (i.e., the C:\drive), I will delete them immediately following the conclusion of the specified purpose. I will not save files with personal data to any network drive or other location. 

If I print any files which contain personal data, I will destroy the hard copies immediately once the processing is completed for the specified purpose. 

I will not share any files with personal data outside of my personal computer or the Information System (e.g., emailing or otherwise disseminating application materials to myself or others).