Re: Exchange Online

["Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>]

First of all, I am not a FERPA expert or a lawyer…

 

FERPA is full of ‘exception’ language.  I suspect that exchange of information in order to deliver a service to the 
student will fall under one of the exception clauses.  But I have seen institutions withhold services if the student 
elects to have their directory information withheld.  

 

This is the legalese that caught my eye…

 

Ҥ 99.31 Under what conditions is prior

consent not requ

ired to disclose

information?

(a) An educational agency or institution 

may disclose personally identifiable 

information from an education record of 

a student without the consent required by 

§ 99.30 if the disclosure meets one or 

more of the following con

ditions:

(1)(i)(A) The disclosure is to other 

school officials, including teachers, 

within the agency or institution

whom the agency or institution has 

determined to have legitimate 

educational interests.

(B) 

A contractor, consultant, volunteer, 

or other

party to whom an agency or 

institution has outsourced institutional 

services or functions may be considered 

a school official under this paragraph 

provided that the outside party

--”

 

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Evans, 
Edward
Sent: Friday, August 14, 2015 3:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Exchange Online

 

I want to piggy back on this discussion.  Students have an option to restrict access to their names under FERPA.  Not 
cloud specific, how do you handle that in the Global Address List at your institutions?  Particular to Office 365, what 
do you do when the service (such as OneDrive in Office 365) would insert the user’s name into the URL for online access?

 

I appreciate your insights.

 

Thanks,

Ed

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, 
Mark B
Sent: Friday, August 14, 2015 6:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> 
Subject: Re: [SECURITY] Exchange Online

 

Is there something special about email in O365.

 

I think having a policy that sanctions sending PHI via email is irresponsible unless you add the requirement that the 
email be encrypted.  

 

Perhaps PHI can be protected at rest in O365, But email is email.  

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Everett, 
Alex D
Sent: Thursday, August 13, 2015 10:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> 
Subject: [SECURITY] Exchange Online

 

I am wondering if any of your organizations have sanctioned the exchange of PII or PHI via e-mail in Office 365 or are 
evaluating this.

Over time, we are seeing more security controls and features added to Office 365 and wondered if any other 
organizations had made this decision.

We have not yet made this decision and are not presently using Exchange Online/Outlook in Office365.

If you have or have not, or if you have a policy that you could point me to I would appreciate it.

Feel free to e-mail me directly if you don’t want to respond to all.

 

Sincerely,

 

Alex Everett, CISSP

IT Security Engineer

University of North Carolina at Chapel Hill

Attachment: smime.p7s
Description: