Educause Security Discussion mailing list archives

Re: FERPA and E-mailing grades


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Fri, 6 Jan 2012 09:21:14 -0500

Hi All:
We had a similar discussion yesterday and our FERPA compliance officer came to the following conclusion:

So Google staff have unfettered access to these transmissions? If that actually is the case, then yes. UC has no 
oversight over Google, no contractual relationship. Google thus is not obliged to safeguard or in any way protect the 
privacy of the grade information. It can use the info for whatever reason, and without UC ever knowing. So that would 
be unacceptable, and also a FERPA violation.


So our going forward approach is that we will not encourage this type of use (we encourage Blackboard and other systems 
like the ones already mentioned in this thread).  When we find out about faculty who are sending emails through and to 
a non-Institution system (and I know some of you find this surprising but this does happen  :)  ) we will remind them 
that they are violating FERPA if they continue to circumvent the official systems and process.

- Kevin


Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

The University of Cincinnati is one of America's top public research institutions and the region's largest employer, 
with a student population of more than 41,000.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Semmens, 
Theresa
Sent: Thursday, January 05, 2012 3:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA and E-mailing grades

Our students can refer to our course management system, Blackboard; or they can access the University ERP system, 
PeopleSoft, to check their grades. We do not send out grades via email.

Theresa Semmens, CISA
NDSU Chief Information Technology Security Officer
NDSU Dept. 4510
210D IACC, PO Box 6050
Fargo, ND 58108-6050
Office: 701-231-5870
Cell: 701-+212-2064
Theresa.Semmens () ndsu edu
www.ndsu.edu/its/security

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nathan 
Zierfuss
Sent: Thursday, January 05, 2012 2:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA and E-mailing grades

Our institution offers a course management system (Blackboard) for assignment-based electronic grade delivery to 
students and UAOnline (frontend to Banner) as the portal for historical final grades. With this there should be no need 
to email grades.

Nathan

On Thu, Jan 5, 2012 at 11:26 AM, Randall C Grimshaw <rgrimsha () syr edu> wrote:
I would contribute that there are three issues: 1.) the basic insecurity of email transmission. (imagine grades with 
Gmail's targeted advertising engines) because most schools likely permit email forwarding even if it does begin in 
house. 2.) the basic insecurity of email archiving. (What if a student grows up to be president but didn't do so well 
on an economics course). 3.) The inability to repudiate email. (The student whose dog ate their email... or the 'I 
never got it' excuses). All of these seem to point to a secure, authenticated, repudiated web service.

Randall Grimshaw rgrimsha () syr edu

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Myers, Julie 
[julie.myers () ROCHESTER EDU]
Sent: Thursday, January 05, 2012 12:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA and E-mailing grades
This question is very timely for us as well and I would appreciate being copied on any reply.
Thank you,
Julie Myers
Chief Information Security Officer
University of Rochester - University IT
julie.myers () rochester edu
p: 585.273.1804  c: 585.208.0939

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert 
Meyers
Sent: Thursday, January 05, 2012 11:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FERPA and E-mailing grades

After a lot of time googling this topic, I'd appreciate comments from the group regarding faculty using e-mail to send 
grades to individual students. While it may be obvious that sending grades to a public account like Gmail isn't a good 
idea, what about internal mail systems? Do you have specific policies or communications from the US Dept of Ed on this 
topic?

Thanks

Bob




Robert E. Meyers,  Ms.Ed.
Educational Program Manager
  Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers () mail wvu edu



--
Nathan Zierfuss, CISSP, Information Security Officer
-
Technology Oversight Services, University of Alaska
910 Yukon Dr. Suite 105, PO Box 755320
Fairbanks, Alaska 99775-5320
-
Phone: 907-450-8112  Fax: 907-450-8381

