Re: Do students hold universities accountable for protecting their information?

[Brad Judy <brad.judy () CU EDU>]

To summarize some of the points made here (as well as my own thoughts), I think you can pull this together as a 
can/should/do form:


  *   Can (rights) individuals hold institutions accountable (are there supporting laws/policies/etc that set that 
right or expectation?) – Yes, we have some laws in that space (FERPA, HIPAA) and many schools have related policies. 
What individuals “can” do is also evolving with privacy law changes.
  *   Can (capability) individuals hold institutions accountable? – This is much harder to answer and the honest 
response is probably “the vast majority of individuals do not have the capability themselves.” They need assistance to 
understand the laws, gather information, interface with organizations, etc.
  *   Should individuals hold institutions accountable for data security/privacy – Yes, I think it’s good for anyone to 
hold any organization accountable for meeting privacy/security requirements/expectations.
     *   Should all of the responsibility of accountability oversight be on the individual? No, I don’t think so.  One 
of the reasons we have accountability offices and watchdog groups is the challenge of the capability issue.  Even if we 
lower the bar on those challenges, it will likely still remain out of reach for many individuals.
  *   Do individuals hold institutions accountable?  - Sometimes, but it seems pretty infrequent.  I would guess this 
is due to a mix of lack of personal priority/interest and the capability challenge.

At the moment, pushing accountability on privacy often requires assistance from third-parties (non-profits, 
governments, etc.). Some of the movement we see in data privacy and security is putting options/tools into the hands of 
individuals to ask questions not just about “What data do you have about me?” but also “How do you use that data?” and 
“Who have you given that data to?”  Perhaps someday it will be easier for an individual to understand how organizations 
handle your personal data, but for now, this issue is still in a very messy adolescent phase.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu<http://www.cu.edu/>

[cu-logo_fl]



From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Paige Francis <paige () UARK EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, June 11, 2018 at 2:10 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Do students hold universities accountable for protecting their information?

I’m not sure if they hold us accountable but I do believe they absolutely have that expectation. In addition, with 
FERPA and HIPAA we’re bound to safeguard protected data.

--
Paige Francis
Associate CIO, University of Arkansas
Fayetteville, AR #UARK #GoHogs

Need IT Help?<https://its.uark.edu/> | Twitter<https://twitter.com/CIOPaige> | 
LinkedIn<https://www.linkedin.com/in/paigefrancis/> | Blog<https://www.linkedin.com/in/paigefrancis/>

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "McIntosh, 
Keith" <kmcintosh () RICHMOND EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, June 11, 2018 at 9:07 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Do students hold universities accountable for protecting their information?

Colleagues,

Someone recently asked me the following question and I wondered what you would say.   I believe students and parents 
have reasonable expectations that we are both protecting their information and ensuring privacy.

  Do students hold universities accountable for protecting their information?


Keith W. "Mac" McIntosh
he/his/him<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.mypronouns.org_&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=9ZKxtGifiJT_omfG3l59i0uii-6HEcp-4bOI_XeNt58&e=>
Vice President and Chief Information Officer
Information Services

Jepson Hall G-12
28 Westhampton Way
University of Richmond, VA 23173
Office: 804.289.8771
Fax: 804.289.8988
http://is.richmond.edu<https://urldefense.proofpoint.com/v2/url?u=http-3A__is.richmond.edu_&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=90YlN-N0Ju2PBK4xgYEsTM3k3lRUUnkwKAc-OBTeK-I&e=>

Email: kmcintosh () richmond edu
Twitter: 
@<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_Keith-5FMcIntosh&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=i_IyoJXiAP-3SUHk3zFgcVFLCwKMzDYy-9FVM8y16mQ&e=>Keith_McIntosh<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_Keith-5FMcIntosh&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=i_IyoJXiAP-3SUHk3zFgcVFLCwKMzDYy-9FVM8y16mQ&e=>