Educause Security Discussion mailing list archives
Re: Sensitive Data Policies
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 23 May 2006 19:11:56 -0400
On Tue, 23 May 2006 09:18:44 EDT, Harold Winshel said:
I'm looking for examples of policies at universities - whether it's a policy that pertains to a large unit or a small unit - that states that written permission is required for users to store sensitive electronic data on their computers.
A can of worms, indeed. The first few things that come to mind: 1) Does your site already have a sane definition of "sensitive" that you can leverage? 2) In the "don't ask, don't tell" category - is there a desire to have "store" cover temporary and incidental copies of data? For instance, if a user does an extract for printing - is it extracted and then printed from the central server, or is the extract done, downloaded, and printed from the desktop? Note that even if erased, the latter method means there's a copy on the hard drive. (Interestingly enough - this is *still* an open question for copyright, as far as I know. 17 USC 117(a)(1) basically says that the copy from disk to RAM to execute a program isn't an infringement, but AFAIK, no court has ever officially ruled on whether the copy of an item on a Web page made in the process of downloading to view is covered by fair use or not. Another big "Don't ask, don't tell" :) 3) How large a quantity of "sensitive" matter do you want to "count"? Obviously, you'd not want a copy of the entire student database to be allowed. But what about a departmental secretary who's using Word to write a disciplinary or academic warning note to a student? That's probably covered by FERPA, and "sensitive" - but if they aren't using Word on their desktop, what *do* they use? And what about in-between cases - say, a form letter to 50 or 100 students, customized with their own information?
Attachment:
_bin
Description:
Current thread:
- Sensitive Data Policies Harold Winshel (May 23)
- <Possible follow-ups>
- Re: Sensitive Data Policies Valdis Kletnieks (May 23)