Re: google docs google services

[Steve Terry <terrys () DENISON EDU>]

Where is a good lawyer when you need one!  Fortunately, Tracey Mitrano
(Cornell) and Steve McDonald (RISD) did a terrific series on FERPA a couple
of years ago:

http://edu.safegov.org/steve-mcdonald-interview-re-ferpa/

I have used these videos in the past to help to explain FERPA to other
campus administrators.

Cheers!

Steve

*Steve Terry*
Director of Enterprise Applications
ITS
*Denison University*
Fellows Hall - 102B
Granville, OH 43023
740-587-8685 | *www.denison.edu <http://www.denison.edu/>*

On Tue, Feb 23, 2016 at 1:57 PM, Judith L. Tabron <
Judith.L.Tabron () hofstra edu> wrote:

> And I'm sure folks are aware of the FTC complaint the Electronic Frontier
> Foundation has lodged against Google for what it claims are deceptive
> practices, i.e., that Google claims not to "use" student data but in fact
> tracks and does use it, just not in direct ads in their mail feeds.
>
>
> https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade
>
> <https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade>
> Google Deceptively Tracks Students’ Internet Browsing, EFF ...
> <https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade>
> www.eff.org
> San Francisco—The Electronic Frontier Foundation (EFF) filed a complaint
> today with the Federal Trade Commission (FTC) against Google for collecting
> and data mining ...
> Which is just to say that we may satisfy FERPA requirements but the
> question is still on the table of how ethically Google handles student
> data. (I know privacy != security, but your campus community may not make
> the distinction right away.)
>
>
> Judith
>
> ------
> Judith Tabron, Ph.D., Director, Faculty and Student Computing Services
> Hofstra University
> judith.tabron () hofstra edu | 516-463-6316
> State Chair, New York State ACE Women's Network
>
>
>
> ------------------------------
> *From:* The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ruth Ginzberg <
> rginzberg () UWSA EDU>
> *Sent:* Tuesday, February 23, 2016 1:50 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] google docs google services
>
>
> The thing that makes this so challenging is that “FERPA compliance” isn’t
> defined anywhere w.r.t. computer security.
>
>
>
> There is nothing whatsoever in 20 U.S.C. § 1232g; 34 CFR Part 99 a.k.a.
> “FERPA” that says anything at all about what kind of security measures 3rd
> party providers are obligated to take.  So (technically) a 3rd party
> provider could do nothing at all with respect to FERPA and claim that it is
> “FERPA compliant.”
>
>
>
> As it stands right now, there is the law, and there are about a
> gad-zillion letters (
> http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/index.html ) saying
> what the Dept of Ed thinks FERPA says.  But it is up to each individual
> institution to interpret those and figure out what IT is willing to argue
> constitutes “compliance” with FERPA when it comes to electronic records.
> The law itself was written in (I think…) 1973 (?) when most educational
> records were still paper items in manila file folders in drawers in
> cabinets in rooms filled with such filing cabinets.
> <http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/index.html>
> FERPA Online Library - US Department of Education
> <http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/index.html>
> www2.ed.gov
> Listing of important letters of technical assistance and other
> communications regarding FERPA decisions made by the Department of
> Education.
>
>
>
> It is always, always, always  up to the INSTITUTION (not the 3rd party)
> to ensure FERPA compliance (i.e., you can’t outsource responsibility for
> regulatory compliance).
>
>
>
> So different institutions are going to make different judgment calls
> regarding whether something is “compliant” with FERPA *as that
> institution understands it*.
>
>
>
> What matters most is whether the institution in question believes (and is
> willing to defend, if called on the carpet for it) that the 3rd party’s
> security practices are “FERPA compliant.”
>
>
>
>
>
> Ruth Ginzberg, CISSP, CTPS
>
> Sr. I.T. Procurement Specialist
>
> University of Wisconsin System
>
> 608-890-3961
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Jones, Mark B
> *Sent:* Tuesday, February 23, 2016 12:29 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] google docs google services
>
>
>
> We use GAE and our legal department was satisfied with regard to FERPA.
>
> I don’t know if the standard Google agreement was sufficient or if Google
> signed an addendum.
>
> Either way, FERPA Compliance is doable.
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
> Behalf Of *Jay Fowler
> *Sent:* Tuesday, February 23, 2016 10:14 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] google docs google services
>
>
>
> Perhaps this would be helpful. Google mentions this with regard to FERPA:
>
>
>
>
> https://www.google.com/edu/trust/#does-google-apps-for-education-comply-with-ferpa
>
>
> ------------------------------
>
> *From: *"Mark Reboli" <mreboli () MISERICORDIA EDU>
> *To: *SECURITY () LISTSERV EDUCAUSE EDU
> *Sent: *Tuesday, February 23, 2016 8:00:56 AM
> *Subject: *[SECURITY] google docs google services
>
>
>
> Is anyone utilizing Google Docs or Google Services?  If so how have you
> dealt with the FERPA compliance component.  I know this has been discussed
> in the past and the issue according to our FERPA person on campus has also
> indicated in his discussion with other registrars etc. is the potential for
> the mining  of FERPA information store by Google.  We have likewise tried
> for several months to find a good source at google that we can discuss
> information about this but have never been responded in all of the requests
> we have made, so If you have a contact that you can share I would be most
> appreciative.
>
>
>
> m
>
>
>
> [image: Description: MU Arches]
>
> Mark Reboli
>
> Network/Telecom Manager
>
> Misericordia University
>
> (570) 674-6753