Educause Security Discussion mailing list archives

Re: Sensitive Data Policies


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 23 May 2006 19:11:56 -0400

On Tue, 23 May 2006 09:18:44 EDT, Harold Winshel said:
> I'm looking for examples of policies at universities - whether it's a
> policy that pertains to a large unit or a small unit - that states
> that written permission is required for users to store sensitive
> electronic data on their computers.

A can of worms, indeed.  The first few things that come to mind:

1) Does your site already have a sane definition of "sensitive" that
you can leverage?

2) In the "don't ask, don't tell" category - is there a desire to have
"store" cover temporary and incidental copies of data?  For instance, if
a user does an extract for printing - is it extracted and then printed
from the central server, or is the extract done, downloaded, and printed
from the desktop?  Note that even if erased, the latter method means there's
a copy on the hard drive. (Interestingly enough - this is *still* an open
question for copyright, as far as I know.  17 USC 117(a)(1) basically says
that the copy from disk to RAM to execute a program isn't an infringement, but
AFAIK, no court has ever officially ruled on whether the copy of an item
on a Web page made in the process of downloading to view is covered by fair
use or not. Another big "Don't ask, don't tell" :)

3) How large a quantity of "sensitive" matter do you want to "count"?
Obviously, you'd not want a copy of the entire student database to be allowed.
But what about a departmental secretary who's using Word to write a
disciplinary or academic warning note to a student?  That's probably covered by
FERPA, and "sensitive" - but if they aren't using Word on their desktop, what
*do* they use?  And what about in-between cases - say, a form letter to 50 or
100 students, customized with their own information?
