Kirso Privacy Policy

Last update: May 5, 2023


The purpose of this policy is to protect the privacy of individuals who have sensitive information stored (either in electronic or paper form) on assets either owned or used by Kirklin Solutions, while at the same time providing the ability to share this information with authorized entities as required by legitimate business need or by law.

This Privacy Policy applies to all Kirklin Solutions employees, affiliates, and third-party service providers. This policy is not intended to replace or supersede other existing Kirklin Solutions policies and procedures relating to the use of maintenance of sensitive information such as those related to GDPR, HIPAA, or human subjects research compliance.


Limits on the Use of and Access to Sensitive Information

The responsible use of sensitive information requires that Kirklin Solutions respect individual privacy, protect against unauthorized access to or use of information, and comply fully with all laws and government regulations in the collection, use, storage, display, distribution, and disposal of such information. Authorized uses of sensitive information within Kirklin Solutions are limited to uses that

  1. are necessary to meet legal and regulatory requirements;
  2. facilitate access to services, transactions, facilities, and information; or
  3. support efficient academic and administrative processes.

Access to sensitive information is limited to:

  • The individual whose information is produced or displayed;
  • An official or agent with authorized access based upon a legitimate business interest and a need to know.
  • An organization or person authorized by the individual to receive the information.
  • A legally authorized government entity or representative.
  • Other circumstances in which Kirklin Solutions is legally compelled to provide access to information.
  • Other individuals or entities, as allowed by law, for purposes judged to be appropriate or necessary for the reasonable conduct of Kirklin Solutions business.

Online Collection of Information

Kirklin Solutions must post a link to the Privacy Policy on any website which collects data about website visitors.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:

European Union General Data Protection Regulation (EU GDPR) Privacy Notice

Lawful Basis for Collecting and Processing of Personal Data

Kirklin Solutions is involved in education, research, and community development. For Kirklin Solutions to educate, engage in world-class research, and provide community services, it is essential, and necessary, and Kirklin Solutions has lawful bases to collect, process, use, and maintain data of its employees, applicants, research subjects, and others involved in its educational, research, and community programs. The lawful bases include, without limitation, communications, research, development, program analysis for improvements, and records retention. Examples of data that Kirklin Solutions may need to collect in connection with the lawful bases are name, address, IP address, physical address or other location identifier, photos, as well as some sensitive personal data obtained with prior consent.

For more information regarding the EU GDPR, please review the European Union General Data Protection Regulation.

Most of the collection and processing of personal data will fall under the following categories:

  • Processing is necessary for the purposes of the legitimate interests pursued by Kirklin Solutions or third parties in providing education, research, and development, community programs.
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This lawful basis pertains primarily but not exclusively to research contracts.
  • Processing is necessary for compliance with a legal obligation to which Kirklin Solutions is subject. This lawful basis pertains primarily but not exclusively to compliance with state and federal laws.
  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes. This lawful basis pertains primarily but not exclusively to the protection of research subjects, and providing medical services.
  • There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.

Types of Personal Data collected and why

Kirklin Solutions collects a variety of personal and sensitive data to meet one of its lawful bases, as referenced above. Most often the data is used for the provision of medical services, participation in research, development, and community outreach. Data may typically include name, address, research subject information, and medical and health information. If you have specific questions regarding the collection and use of your personal data, please contact the Office of Information Security.

If a data subject refuses to provide personal data that is required by Kirklin Solutions in connection with one of the lawful bases to collect such personal data, such refusal may make it impossible for Kirklin Solutions to provide research or other requested services.

Kirklin Solutions gets Personal and Sensitive Personal Data

Kirklin Solutions may receive personal and sensitive data from multiple sources. Most often, Kirklin Solutions gets this data directly from information entered by authorized external data entry entities which enter the data under the approval of the data subject who has provided it to a third party.

Individual Rights of the Data Subject under the EU GDPR

Individual data subjects whose information is collected under the Kirklin Solutions’ European Union General Data Protection Regulation Compliance Policy will be provided the following information at the time the information is collected from them:

  • Information about the controller collecting the personal data.
  • Contact details for the data protection officer (if assigned).
  • The purposes and lawful basis of the data collection/processing, including the legitimate interest for the processing (if applicable).
  • Who are the recipients or categories of recipients of the personal data
  • Whether Kirklin Solutions intends to transfer personal data to another country or international organization.
  • The period for which the personal data will be stored.
  • The existence of the right to access, make corrections or erase personal data, the right to restrict or object to processing, and the right to data portability.
  • The existence of the right to withdraw consent at any time (if applicable).
  • The right to lodge a complaint with a supervisory authority (established in the EU).
  • Justification for why the personal data are required, and possible consequences of the failure to provide the personal data.
  • The existence of automated decision-making, including profiling.
  • If the collected personal data are going to be further processed for a purpose other than that for which it was collected.

Individual data subjects whose information is collected under the GDPR will be provided the following rights (as applicable), provided that Kirklin Solutions determines that the exercise of the right is permitted and/or required by the GDPR:

  • The right to receive confirmation from Kirklin Solutions as to whether the data subject’s personal data is being processed by Kirklin Solutions, and if so, the right to access such personal data and the right to receive information regarding, among other things, the categories of personal data collected and how such personal data is being used.
  • The right to correct inaccurate personal data concerning the data subject.
  • The right to obtain the erasure of personal data concerning the data subject.
  • The right to restrict or object to the processing of the data subject’s personal data.
  • The right to request a copy of personal data concerning the data subject.

Any data subject who wishes to exercise any of the above-mentioned rights may do so by filling such request.


Cookies are files that many websites transfer to users’ web browsers to enable the site to deliver personalized services or to provide persistent authentication. The information contained in a cookie typically includes information collected automatically by the web server and/or information provided voluntarily by the user. Our website uses persistent cookies in conjunction with a third-party technology partner to analyze search engine usage and web traffic patterns. This information is used in the aggregate to monitor and enhance our web pages. It is not used to track the usage patterns of individual users.

Security of Personal Data subject to the EU GDPR

All personal data and sensitive data collected or processed by Kirklin Solutions under the scope of the European Union General Data Protection Regulation Compliance Policy must comply with the security controls and systems and process requirements and standards set forth in the University’s Data Classification and Protection Standard.

We will not share your information with third parties except:

  • Necessary to meet one of its lawful purposes, including but not limited to,
  • its legitimate interest,
  • contract compliance,
  • as required by law;
  • Necessary to protect Kirklin Solutions’ interests.
  • Service providers acting on our behalf who have agreed to protect the confidentiality of the data.

Data Retention

Kirklin Solutions keeps the data it collects for the time periods as needed or required by international, federal, and state laws.


CCPA - The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.

GDPR - The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).


All employees are responsible for implementing, reviewing, and monitoring internal policies, practices, etc. to assure compliance with this policy.



Consequences and Sanctions

Violation of this policy may incur the same types of disciplinary measures and consequences as violations of other Kirklin Solutions policies, including up to and including termination of employment.