Re: Faculty handling of student data

["Payne, Shirley (scp8b)" <scp8b () VIRGINIA EDU>]

We use a "follow the institutional data" approach, i.e. if someone stores the institution's sensitive data on an 
electronic device or media, he/she must comply with the institution's data protection requirements. It doesn't matter 
if that individual is a faculty member, staff, student worker, contractor, etc. or if the device/media on which the 
data are stored is owned by the institution or the individual.

Shirley

Shirley C. Payne
Director, IT Security and Policy
University of Virginia

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, 
Brian
Sent: Monday, June 30, 2008 4:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty handling of student data

 I'm trying to draw out whether or not institutions make any kind of exceptions/distinctions for faculty use.

 For example, we have a large number of adjunct faculty, who do not have dedicated offices/computers. Therefore, it 
isn't uncommon for them to use their own laptop. Similarly, faculty may have local grade tabulations, or perhaps take a 
stack of exams home to grade. Thus, we are looking to build our policy around the way that faculty works, yet manage it 
with reason. A lot of what I see is a sensible approach for staff, but doesn't seem to address the unique needs of 
faculty.