Educause Security Discussion mailing list archives

Re: Faculty handling of student data


From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Wed, 2 Jul 2008 09:59:23 -0600

Brian,

The difficulty with the "Privacy" rules is the essential concept -
maintaining as secret something that must be shared among many persons
(instructors, administrators, assistants, potential employers,
regulatory concerns, ...). Additionally, the party with privacy
aspirations is very likely to share their information with little
restraint to potential employers, friends, through LinkedIn, Facebook,
Second Life, a mounted diploma, or whatever.  In that case they have
control, but it does seem to make the effort a bit overblown.  Our
primary product for most of our customers is a public assertion of the
results of private interactions!

I don't believe it is realistic to prohibit the movement of paper
materials either, but if you read the regs with "purpose" in mind, then
in the classroom no "paper" record would have publicly identifiable
information on it - the class would be asked to "sign" with some
campus-context identifier that could not be tied to identity outside the
context of valid university operations.  What I suspect is that many
blindly trudge through doing exactly what they've always done on the
paper end not making the connection that the core concept applies
throughout their interaction with persons not only in their official
role but in society in general at the moment.

Best wishes in compiling your own policy considerations.  If you have
not found enough sources let me know and I'll steer you to ours, but be
forewarned, ours are reasonably useful for electronic data, but like
many I don't believe we've got a complete "information" policy, mostly
"electronic information."

Best regards,

Jim

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu        303-735-5682
-------------------Boulder------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, July 01, 2008 4:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty handling of student data

Jim,

To add a small bit of fuel to the fire - no one has mentioned yet the
analog protection that should accompany the "paper" product (which may
in fact still be electronically delivered depending on the ingenuity of
the faculty member) that may go home with the instructor.  The loss of
a paper gradebook that had identifying info on it would be reported no
less quickly or vigorously by the local press than the electronic
records in question.

Thanks for your response. This is the kind of all-encompassing approach
we are trying to grapple with.

We aren't sure it is a reasonable/realistic expectation to bar faculty
from having graded exams at home, or any other kind of student data
pertaining to their class. I suppose it would be possible to mandate
they do everything digitally, and then mandate they use encryption. We
are not sure if this would be a reasonable expectation, e.g. if it would
truly be implemented, but I'd like to hear how folks have worked with
faculty to address their needs.  

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
