| Effective Date | October 1, 2025 | Policy Owner | Information Technology Services (ITS) |
|---|---|---|---|
| Last Reviewed Date | October 1, 2025 | Approved By | CIO, General Counsel |
| Review Cycle | Annual | Policy Contact | Information Security & Compliance Analyst |
Purpose
This policy establishes guidelines for the use of Wearable Devices in research, studies, or other educational projects that have been approved by New York Tech. Wearable Devices can provide valuable data to advance research; however, they also raise concerns about privacy, data security, and ethical use. This policy ensures compliance with applicable laws, institutional standards, and research ethics requirements.
Policy Scope
This policy applies to all faculty, staff, students, and external collaborators who use Wearable Devices for New York Tech approved use cases, whether owned by the institution, the researcher, or study participants.
Definitions
- Wearable Device: Any electronic device worn on the body that collects, transmits, or stores data (e.g., fitness trackers, smartwatches, biosensors, smart glasses).
- Research Data: Any information collected through Wearable Devices for research purposes, including physiological, behavioral, geolocation, or personal data.
Policy Statement
New York Tech is committed to advancing the educational experience through the ethical and responsible use of Wearable Devices. Wearable Devices, including but not limited to fitness trackers, smartwatches, biometric sensors, and augmented reality devices, may be utilized in approved use cases where their use aligns with institutional values, federal and state regulations, and applicable ethical standards. All use cases involving Wearable Devices must undergo appropriate review and approval processes, which may include review by Information Technology Services (ITS), the Office of the General Counsel, Institutional Review Board (IRB), and/or the sponsoring administrative unit. This is required to ensure the protection of participants' rights, privacy, and data security. The administering unit is responsible for safeguarding personal and sensitive information collected through Wearable Devices, and for ensuring compliance with institutional policies, data governance requirements, and relevant laws such as HIPAA and FERPA where applicable. Unauthorized or non-approved use of Wearable Devices is prohibited. This policy establishes the framework to promote innovation while upholding the highest standards of academic integrity, ethical conduct, and participant protection.
Ethical Approval
- All projects using Wearable Devices must be reviewed and approved by the Institutional Review Board (IRB) or equivalent ethics committee before data collection begins.
- All proposals must specify the type of device, data collected, data storage methods, and participant consent process.
Informed Consent
- Participants must be fully informed about the nature of the data being collected, how it will be stored, who will have access, and how long it will be retained.
- Consent forms must use clear, accessible language and include the option to withdraw at any time.
Data Privacy and Security
- Personally Identifiable Information (PII) and Protected Health Information (PHI) must be handled in compliance with New York Tech data handling standards and applicable laws/regulations (e.g., FERPA, HIPAA, GDPR as relevant).
- All data must be stored on ITS-approved, secure systems. Use of personal cloud accounts or unsecured devices is prohibited.
Device Management
- Only ITS-approved Wearable Devices may be used for projects involving New York Tech-defined Confidential or Restricted Data.
- Wearable Devices must be updated regularly with the latest security patches and firmware.
- Lost or stolen Wearable Devices must be reported immediately to an administrator of the project and the ITS Security Team.
Data Retention and Disposal
- Data collected from a Wearable Device must be retained only as long as the approved use case is active. Once the study, project, or any other use case is complete, all data collected must be securely deleted.
Related Internal Policies
- Acceptable Use Policy
- Record Retention and Destruction Policy
- Data Security and Access Management Policy
Regulatory References
- Federal Legislation
  - HIPAA (Health Insurance Portability and Accountability Act)
  - FERPA (Family Educational Rights and Privacy Act)
- State Regulations
  - SHIELD Act (New York's Stop Hacks and Improve Electronic Data Security Act)
- International Regulations
  - GDPR (European Union's General Data Protection Regulation)
  - PIPEDA (Canadian Personal Information Protection and Electronic Documents Act)
  - PIPA (British Columbia's Personal Information Protection Act)
Violations
Violations of the policy may result in disciplinary action, including dismissal from employment, expulsion from further study, and termination or suspension of IT and network privileges. In addition, if a user's conduct violates federal or state laws, the user may be subject to prosecution under such laws. The university reserves the right to investigate suspected violations using all means available.