Educause Security Discussion mailing list archives
Re: Faculty handling of student data
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Mon, 7 Jul 2008 10:12:09 -0700

I have a few questions for institutions that require faculty to use encryption and/or have additional mandates for faculty handling paper data:

(1) Did you provide encryption tools for your faculty & adjuncts to use, or did you mandate certain standards and let them independently meet those requirements?
(2) Do you audit your encryption controls to check for compliance? If so, what compliance rates have you found through your audits?
(3) How much participation did your faculty have in creating your institutional policy?
(4) What specific controls do you have in place for protecting paper data such as tests, grades, etc? What methods did you use to ensure implementation of these controls?
(5) What kind of impact do your controls (digital and/or paper) have on the ability of faculty and adjuncts to perform their job?
(6) What is your institution risk threshold regarding student data handled by faculty (e.g. data typically limited to 100 students); what level of cost is acceptable for your risk level?

Thanks for all your help! :)

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan
Sent: Monday, July 07, 2008 6:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty handling of student data

To add to the comment about paper data breaches: a handful of states (including Massachusetts) explicitly include paper in their data breach laws. So if a student application with SSN went astray, or if the test papers had SSN and were stolen, those could technically constitute a breach along with the various notification requirements. Although FERPA covers more data elements, the various state data breach laws may have more teeth, and result in more expense if there is a loss - you may want to understand your state laws as part of deciding how to address faculty handling of data.

Also, if faculty are involved in any human subject research, there is the risk of personal information loss, which may get into HIPAA territory as well.

Allison F. Dolan
Program Director, PII
Massachusetts Institute of Technology
77 Massachusetts Ave NE49-3021
Cambridge MA 02139-4307
Phone: (617) 252-1461

On Jul 1, 2008, at 5:56 PM, Jim Dillon wrote:

To add a small bit of fuel to the fire - no one has mentioned yet the analog protection that should accompany the "paper" product (which may in fact still be electronically delivered depending on the ingenuity of the faculty member) that may go home with the instructor.