Curry College General Data Protection Regulation (GDPR) Privacy Notice Last Edited: June 7, 2019 1.0 Background The General Data Protection Regulation (EU) 2016/679 (GDPR) is European Union (EU) law on data protection and privacy for all individuals within EU and the European Economic Area (EEA) Member States. The GDPR also addresses the export of Personal Data outside the EU /EEA. The GDPR gives control to individuals over their Personal Data. 2.0 Overview & Purpose This privacy notice describes how Curry College collects and processes Personal Data through Curry websites, systems and applications, how this information is protected, and the rights of a natural person (data subject) to control this information. Curry College is committed to respecting and protecting the privacy rights of persons in the EU and EEA and those EU/EEA residents/citizens that provide Personal Data to the College. The GDPR defines these as rights of: access, rectification, erasure, notification, restriction, data portability, and to reject automated decision making. 3.0 Scope The GDPR is a data protection regulation that applies broadly to the processing of Personal Data relating to an identified or identifiable natural person (data subject) within the EU and EEA (regardless of citizenship). Personal Data, as used in this notice, is defined in the College’s Written Information Security Program [WISP; posted at https://my.curry.edu/group/mycampus/policies/wisp]. Data Protection Principles In compliance with the GDPR requirements that data be collected, processed and maintained in compliance with articulated standards, Curry College has a policy of collecting only data germane to the support of its mission, and in service of maintaining the required operations of the College. Incidental data are not collected beyond those that are explicitly and implicitly collected in the service of College operations and functions. Curry retains Personal Data as required by law and as further defined by the Curry Records Retention and Destruction Policy [posted at https://my.curry.edu/group/mycampus/help/record-retention]. Accountability and Governance The Institutional Information Security Workgroup, chaired by the College’s Chief Information Officer (CIO), has overall responsibility for the College’s compliance with data security laws, regulations and policies, and through delegation and oversight is responsible for related implementation, oversight, training, auditing, and, in collaboration with the College Counsel, responding to requests from data subjects. Acknowledgement Residents and citizens of EU/EEA Member States who process Personal Data through the College as employees or students will be asked to sign an Acknowledgement of their rights under GDPR, as will faculty, staff and students that travel to EU/EEA Member States for study away or other employment- or academic-related purposes. Contact If you have questions or concerns regarding the way in which your Personal Data has been used or would like to exercise your data subject right(s), please contact the Data Privacy Officer, Deborah Gelch, at support@curry.edu. You will receive a response within 30 days

CURRY COLLEGE Chromebook – STUDENT USER AGREEMENT INTRODUCTION This User Agreement is intended to describe the terms under which Curry College (herein referred to as the “College”) will loan the use of a College-owned Chromebook (here referred to as “Chromebook”) at no cost to the student signing this agreement (herein referred to as “you” or the “student”) to support the delivery of educational programming. The Chromebook shall remain the property of the College throughout the term of this User Agreement and shall be provided for the student’s use during the term of the student’s enrollment at the College for the current Spring 2022 traditional academic semester only, or until such time as the College exercises its sole discretion to terminate this loan. This document is an agreement between a student of the College and the College. This agreement establishes use and maintenance expectations for the Chromebook issued to the student by the College in connection with the student’s active enrollment status at the College. By entering into this User Agreement (herein referred to as “Agreement”), the undersigned student agrees to the following terms and conditions for use and maintenance of the Chromebook (and related peripherals) issued to the student by the College. TERM OF USE At any time and for any reason, the College in its discretion may notify and require the student to return the Chromebook (and related peripherals). Notwithstanding, the following terms of use apply to all College-issued Chromebooks: Original Term of Use. The student shall be issued a Chromebook upon signature of this Agreement. A student’s initial term of use for the College-issued Chromebook shall be for the remainder of the student’s enrollment at the College during the Spring 2022 traditional academic semester, or until this Agreement is terminated by the College in its sole discretion. Students will be informed if their Chromebook is to be returned sooner. Students No Longer Enrolled at the College. A student that is dismissed, withdraws from, defers entry to, takes a leave of absence, or otherwise exits the College must return the College-issued Chromebook to the College’s Information Technology Services (herein referred to as “ITS”, and sometimes known as the “Tech Center”) within fifteen (15) calendar days following the date of such exit, or a replacement value fee will be assessed on the student’s account in accordance with Exhibit A. MATERIALS PROVIDED The College will provide the student with the following materials: One (1) Chromebook, including charger and USB cord Other peripherals as determined by the College GENERAL TERMS AND RESPONSIBILITIES At all times, the College retains ultimate control over and ownership of the Chromebook (and related peripherals) issued to the student. By taking possession of the Chromebook, the student assumes responsibility for complying with the terms and conditions of this Agreement. The College advises the student to take care that the Chromebook is: never left unattended; never exposed to excessive temperatures; and is never cleaned with anything other than materials described in the Chromebook’s owner’s manual. PRIMARY USE TERMS The primary use of the Chromebook is for educational programming. As part of this Agreement, the student agrees to the following: The student agrees to complete assignments, assessments, training and other program-related work on the Chromebook as part of the student’s registered College coursework for Spring 2022. The student may use the Chromebook for other purposes to the extent that such uses do not interfere with the primary use. The student may store documents or other files on the Chromebook, as needed and as possible provided storage capacity on the Chromebook, and the student is responsible for making backup copies of such documents or other files. The student may also utilize cloud storage through the student’s College-issued Google account. In the event of loss of such documents or other files, the College’s responsibility is limited to restoring the factory default configuration and applications. SECURITY RELATED TERMS By accepting the terms of this Agreement, the student agrees to the following security- related terms of use: to enable all recommended passcode security on the Chromebook, including two- step verification (if applicable); to not remove or alter any of the identification tags attached to or displayed on the Chromebook. Services and support are contingent on proper display of the identification tags; to back up the Chromebook using the student’s College-issued Google account storage utility; to accept the Terms & Conditions set forth by Google governing the use of the Chromebook; to enable automatic software updates from Google and to install any applicable Google software updates or Google Play Store application updates in a timely manner; to use the Chromebook in a responsible manner and in accordance with College policies, including the College’s computer use and related information technology policies, in effect now and in the future; to comply with all applicable State and Federal laws, including but not limited to copyright and intellectual property law pertaining to software and file content; to keep the Chromebook within the student’s possession at all time and restrict use to the student only; to take necessary and responsible care to keep the Chromebook secure, safe and in good working condition. to use the Chromebook in a careful and lawful manner, and not make any physical alterations, additions or hardware changes/improvements. to not remove any installed software or apps on the Chromebook that were provided by the College. to not engage in “jailbreaking.” Jailbreaking is generally defined as a process that removes any manufacturer’s limitations or other restrictions on Chromebook use. Jailbreaking can reduce Chromebook security and, by extension, the College’s network security, and is strictly prohibited. The student is further prohibited from installing any software applications that are not available from or authorized by the Google Play store (unless the student requests from and receives in writing permission from ITS). that, as provided in the College’s computer use and related information technology policies, the College is not responsible for the loss or theft of any personal information, confidential data, and/or other data that the student downloads to or saves on the Chromebook. SUPPORT AND SERVICE The student agrees to enroll in and maintain enrollment in the College’s mobile device management (herein referred to as “MDM”) system. Complete details on the MDM system are available from ITS upon request. The College may be able to repair most accidental damage to College-issued Chromebooks. Contact ITS at support@curry.edu or (617) 333-2911 for assistance. The College does not cover loss, theft or damage incurred by willful, wanton or reckless misuse of the Chromebook. In addition, the College may not extend coverage for damage incurred as a result of violations of this Agreement. By accepting the terms of this Agreement, the student: is prohibited from opening or making internal hardware modifications to the Chromebook; may only install applications with a valid and current license; will not attempt to repair the Chromebook independently; must report any damage to the Chromebook immediately to ITS. The College will work with the student to repair or replace the damaged Chromebook. agrees to enable the “Find my Device” service or equivalent on the Chromebook to assist with recovery efforts if the Chromebook is lost or stolen. In the event of loss or theft: You must immediately report loss or theft to the College’s Public Safety and ITS. You agree to cooperate with the College’s efforts to recover and/or disable the Chromebook. In the case of repairs or replacements that are necessary due to damages to the College-issued Chromebook that are caused by the student’s willful, wanton or reckless misuse of the Chromebook or by violation of this Agreement, the College will assess fees, as outlined in Appendix A, at its discretion for failing to comply with the terms of this Agreement. RELATED COLLEGE POLICIES At all times when the Chromebook is in the student’s possession and use, the student must comply with College policies and procedures, including but not limited to those policies on computer use and information technology. Please review the policies and procedures in the Student Handbook, at http://curry.edu/handbook, for more information. Failure to follow College policies and procedures may result in termination of this Agreement. TERMINATION OF THIS USE AGREEMENT This Chromebook program may be terminated at the sole discretion of the College, for any reason (including but not limited to those referenced in this Agreement) and at any time. Notice. The College may amend the terms of this Agreement (to include cancellation) and you may be asked to review and sign a new Agreement. If a new Chromebook is issued, you will be asked to sign a new Agreement. Returning the Chromebook to the College As provided under the Term of Use provisions of this Agreement, the student may be liable for fees and deposits according to those outlined in Appendix A as applicable. As further provided by this Agreement, the student must return the Chromebook to ITS within fifteen (15) calendar days of (a) the student’s enrollment status change at the College, or (b) receipt of notice from the College that this Agreement has been terminated (whichever occurs first). This Agreement may only be modified in writing with signatures from the student and an authorized representative of the College. This Agreement represents the full and final understanding between the student and the College on the subject herein (Spring 2022 Chromebook loan), unless modified in the manner described in the previous sentence. This is a binding contract and enforceable under the laws of the Commonwealth of Massachusetts in the courts located in Norfolk County. Chromebook – STUDENT USER AGREEMENT APPENDIX A FEE SCHEDULE Type Amount Description Repairs $50.00 Repairs are provided free of charge for up to one (1) incident of accidental damage. Each additional incident is subject to the fee listed. Replacement Market Value Upon second replacement request, student is responsible for full cost of Chromebook and peripherals. Also applies if student fails to return Chromebook upon exit from College or termination of Agreement.

Acceptable Use Policy Modified on: Wednesday, November 20, 2024 This policy replaces the previous Network Usage Policy: https://currycollege.freshservice.com/support/solutions/articles/19000062618-Network-Usage-Policy Purpose and Scope Curry College’s data and information systems are valuable assets that must be protected. Proper and acceptable use of information technology (IT) assets and data will mitigate risks associated with malware attacks, network and system compromises, and data breaches. This Acceptable Use Policy (AUP) applies to the use of Curry College’s IT assets, including applications, networks, devices, and business systems, whether owned or leased by Curry, the user, or a third party. All faculty, staff, contractors, consultants, temporary employees, undergraduate and graduate students, and guests (“users”) of Curry’s devices, networks, and systems must act in a responsible and ethical manner to protect Curry’s systems, information, and reputation. It is expected that all users be familiar with and stay current with this policy. General Requirements Curry College has critical technology and data dependencies for day-to-day operations and strategic goals. General obligations related to the acceptable use of IT assets are as follows: At all times, users must protect Curry IT assets and data (regardless of where it is stored or how it is accessed) consistent with the requirements set forth in Curry College policies and procedures. Users must always protect their credentials (username/password); see the password section below for more details. Users must not download College data to unauthorized locations (e.g., non-Curry cloud or non- Curry laptop/desktop, USB devices or portable media) or disclose to unauthorized individuals, systems, or entities (e.g., highly confidential, financial, personally identifiable information, personal health information). See a supervisor if you have questions. Independent businesses may not be developed or run using College computing/networking resources unless it is a sanctioned campus organization and/or part of academic programs (e.g., service-learning, scholarship fund raising). Curry College reserves the right to remove, without warning, unapproved commercial activities. Faculty, staff, and students are expected to maintain accurate data (e.g., date of birth, address, Social Security number) when updating personal information on any of Curry's administrative and instructional databases. Users are expected to report potential information security incidents to the Help Desk support@Curry.edu. The following are examples of activities that are strictly prohibited while utilizing Curry information assets and technology, which list includes but is not limited to: Promoting and/or facilitating illegal activities; including but not limited to identity theft, hacking, fraud, child pornography, and/or copyright violation. Unauthorized access, duplication, alteration, modification, or destruction of Curry data, systems, configurations, and resources. Devices may not be used at any time to harass, retaliate towards others, or discriminate based on race, national origin, sex, sexual orientation, gender identity, gender expression, age, disability, religious beliefs, or any other characteristic protected by law. This includes any behaviors that violate the College’s Code of Ethics, Online Misconduct policy, Code of Conduct, and/or other harassment policies. Tampering with or changing anti-virus, firewall, or other security-related computer settings. Installing prohibited software. Deliberate introduction of malicious programs onto Curry systems (e.g., virus; worm; keystroke logger). Causing or contributing to security breaches or disruptions of network communication. Examples include excessive use of systems or network capacity for personal gain/benefit, accessing data without authorization, and logging into a server or account without authorization. Interfering with or denying service to any other user, host, or Curry system. Using a program, script, or command, or sending messages with the intent to interfere with or disable a user’s session locally or via the Curry College network. Violations of academic integrity and/or the rights of the College or any person. This includes, but is not limited to selling papers, unauthorized copying of copyrighted material, use of Artificial Intelligence/Large Language Model generated content without prior approval, and installation or distribution of pirated and/or software products that are not properly licensed for use by the user and/or Curry College. Use of technology resources (e.g., a smartphone) to record conversations, lectures, or classroom interactions without the express consent of those individuals being recorded. Making fraudulent offers of products, items, or services originating from any Curry College account and/or making statements about warranty, express or implied. Exporting software, technical information, encryption software, or technology that may violate International or regional export control laws. (Consult legal counsel if you have questions on this topic.) Note: The above list is not comprehensive, but rather a means to provide a framework for activities in the category of unacceptable use. Certain users may be exempted from specific restrictions during legitimate job responsibilities (e.g., systems administration staff may be required to disable the network access of a host). Phishing and Email Use All users must be cautious when opening email. A valid-looking email may be a phish. A phish is a fake email that looks real. Users should beware of emails that engender feelings of urgency, fear, strong curiosity, and exceptional opportunity. Users should report suspicious phishing emails by forwarding the email to support@curry.edu Note: Curry will never ask users for their Curry credentials. The following are requirements related to emails and phishing which users should follow: When conducting College business, users are to use College-provided email accounts, rather than personal email accounts. Incidental/personal use of email should not interfere with Curry’s email system. Email distribution lists are College property. Distribution lists may only be provided to external third parties in conjunction with legitimate academic or administrative initiatives and only after obtaining approval from a division head. Under no circumstances may College distribution lists be sold to an external party, nor may the lists be used for individual gain (e.g., marketing a product or service). Employee use of distribution lists for surveys is allowed for legitimate academic or administrative purpose. Internet Use Users accessing the internet through Curry’s network and/or on a Curry device should do so in a manner that supports business operations and does not interfere with Curry’s business or infringe on the rights of others. The following are examples of inappropriate internet use: Any illegal activities, including illegal gambling, or viewing of illegal content. Copyright infringement when downloading or file-sharing/swapping. Hacking or unauthorized access. Accessing pornographic/adult services sites. Running a sideline internet business without an approved exception to this policy (conflict of interest) Access and Privacy The College has the legal right to access, preserve and review all information stored on or transmitted through its electronic services, equipment, and systems (collectively, “IT Systems"). The College endeavors to afford reasonable privacy for individual users and does not access information created and/or stored by individual users on its IT Systems except when it determines that it has a legitimate operational need to do so. Enforcement Curry information technology and assets may be audited and/or monitored for unauthorized activity and usage. Certain kinds of data and IT fraud are illegal and punishable by civil sanctions, criminal fines, and/or imprisonment. The College is obligated to report instances of illegal activities to the authorities and will cooperate with authorities in the investigation of illegal activities. Curry reserves the right to require the registration of all technology-related devices used on campus, regardless of whether the device is owned by the institution or an individual. Curry may identify and quarantine, block, and or disable accounts and or devices suspected of adversely affecting the network; violating this acceptable use policy, employ tools to monitor network-related activity; and may restrict or eliminate bandwidth allocation to specific devices. Curry also reserves the right to block access to internet websites and protocols that are deemed malicious or contrary to the mission of the College. Employee violations will be handled by the employee's supervisor, in conjunction with Human Resources. Student violations will be referred to the Student Affairs judicial process or Curry’s academic integrity process, or both. Curry College reserves the right to change provisions of this and other College policies periodically. Curry College may take disciplinary action up to and including termination of access, ending of contracts, legal action and/or dismissal of individuals not in compliance with this policy. Related Policies and Procedures The Acceptable Use Policy is one of several College policies and procedures. Curry’s Chief Information Officer (CIO) maintains authority over, and enforcement of, the AUP and related policies. Related policies include the Curry College Password Policy and Written Information Security Program. A full list of ITS Policies can be found at: https://www.curry.edu/ITSPolicies Policy Compliance All members of the Curry College community are expected to review and understand this policy. By using the Curry College network, users acknowledge their agreement to comply with this policy. The college reserves the right to amend this policy as necessary. No Warranties or Assurances Curry College makes no warranties of any kind, whether express or implied, with respect to the Network Resources it provides. Curry College is not responsible for any damage resulting from use of Network Resources, including service interruptions, loss of data or damage to hardware or software on your personal systems at home, in the residence halls or public access computer labs on campus. Computer and network availability is subject to periodic system updates, security patches, ISP maintenance, system protocol improvements and changes. Contact Information For questions or concerns regarding network usage or this policy, please contact the Curry College IT Help Desk by calling 617-333-2911 during business hours or by emailing Support@curry.edu. For status on open tickets, submission of new tickets, and to browse our knowledge articles, please visit https://support.curry.edu (https://support.curry.edu/). This policy is designed to create a safe, secure, and productive digital environment for all members of the Curry College community. Your cooperation and adherence to these guidelines contribute to a positive network experience for everyone. https://support.curry.edu/support/solutions/articles/19000062618 2/2