Educause Security Discussion mailing list archives

Re: Faculty handling of student data


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Mon, 7 Jul 2008 10:12:09 -0700

 

 I have a few questions for institutions that require faculty to use
encryption and/or have additional mandates for faculty handling paper
data:

 

(1)    Did you provide encryption tools for your faculty & adjuncts to
use, or did you mandate certain standards and let them independently
meet those requirements? 

(2)    Do you audit your encryption controls to check for compliance? If
so, what compliance rates have you found through your audits? 

(3)    How much participation did your faculty have in creating your
institutional policy?  

(4)    What specific controls do you have in place for protecting paper
data such as tests, grades, etc? What methods did you use to ensure
implementation of these controls?

(5)    What kind of impact do your controls (digital and/or paper) have
on the ability of faculty and adjuncts to perform their job?

(6)    What is your institution's risk threshold regarding student data
handled by faculty (e.g. data typically limited to 100 students); what
level of cost is acceptable for your risk level? 

 


 Thanks for all your help! :)

 

~~~~~~~~~~~~~~~~~~

Brian Basgen

Information Security

Pima Community College

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan
Sent: Monday, July 07, 2008 6:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty handling of student data

 

To add to the comment about paper data breaches:  a handful of states
(including Massachusetts) explicitly include paper in their data breach
laws.  So if a student application with SSN went astray, or if the test
papers had SSN and were stolen, those could technically constitute a
breach along with the various notification requirements. 

 

 Although FERPA covers more data elements, the various state data breach
laws may have more teeth, and result in more expense if there is a loss
- you may want to understand your state laws as part of deciding how to
address faculty handling of data. 

 

Also, if faculty are involved in any human subject research, there is
the risk of personal information loss, which may get into HIPAA
territory as well.

 

 

Allison F. Dolan

Program Director, PII

Massachusetts Institute of Technology

77 Massachusetts Ave  NE49-3021

Cambridge MA 02139-4307         

Phone: (617) 252-1461






 

On Jul 1, 2008, at 5:56 PM, Jim Dillon wrote:





To add a small bit of fuel to the fire - no one has mentioned yet the
analog protection that should accompany the "paper" product (which may
in fact still be electronically delivered depending on the ingenuity of
the faculty member) that may go home with the instructor.

 

