Main Nav

Did you miss today's Data Privacy Month webinar? Listen to it here: http://www.educause.edu/Resources/LaunchofDataPrivacyMonthforHig/243711
 
You’ll hear some great tips from our three speakers – Jolynn Dellinger, Nat Wood, and Merri Beth Lavagnino – about planning privacy-related events on your campus this month. You’ll also find links for many free resources!
 
And don’t forget…
  1. We have three additional webinars scheduled on January 10 (Daniel Solove), January 25 (Kathleen Styles), and January 30 (Matt Ivester). Learn more at: http://www.educause.edu/policy/dataprivacy
  2. Let us know if you’re planning an event or activity on your campus by sharing a URL or more info with this list. Note: Hosting one of our upcoming webinars is easy with the EDUCAUSE On Campus planning resources
  3. Become a Champion of Data Privacy Day and have your institution recognized on NCSA’s website: http://www.staysafeonline.org/dpd/get-involved/become-champion
 
Please feel free to contact me if you have any questions. Have a great evening!
Valerie
_______________
 
Valerie M. Vogel
Program Manager, EDUCAUSE
office: (202) 331-5374
_______________
 
Follow us on Twitter! @HEISCouncil
 

Comments

Did you miss yesterday’s Data Privacy Month webinar? Visit the archive to hear some great tips from our three speakers – Jolynn Dellinger (NCSA), Nat Wood (FTC), and Merri Beth Lavagnino (Indiana University) – about planning privacy-related events on your campus this month. You’ll also find links for many free resources. The archive is available at: http://www.educause.edu/Resources/LaunchofDataPrivacyMonthforHig/243711

 

And don’t forget…

  • We have three additional webinars scheduled on January 10 (Daniel Solove, GWU Law School), January 25 (Kathleen Styles, U.S. Department of Education), and January 30 (Matt Ivester, author and founder of JuicyCampus). No registration required! Learn more at: http://www.educause.edu/policy/dataprivacy
  • Let us know if you’re planning an event or activity on your campus by sharing a URL or more info with this list. Note: Hosting one of our upcoming webinars is easy with the EDUCAUSE On Campus planning resources.
  • Become a Champion of Data Privacy Day and have your institution recognized on NCSA’s website: http://www.staysafeonline.org/dpd/get-involved/become-champion

Best,

Karen

------------------

Karen A. Wetzel

Program Manager, EDUCAUSE

1150 18th Street NW, Washington, DC 20036

202-872-4200 (main) / 202-331-5346 (direct)
202-872-4318 (fax)

kwetzel@educause.edu

www.educause.edu

 

Get the latest news on higher education IT policy issues and regulations.
Subscribe to EDUCAUSE Policy Digest.

www.educause.edu/policydigest

 

 

********** Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.

After a lot of time googling this topic, I'd appreciate comments from the group regarding faculty using e-mail to send grades to individual students. While it may be obvious that sending grades to a public account like gMail isn't a good idea, what about internal mail systems? Do you have specific policies or communications from the US Dept of Ed on this topic?
 
Thanks
 
Bob
 
 
 
 
Robert E. Meyers,  Ms.Ed.
Educational Program Manager
  Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers@mail.wvu.edu


This question is very timely for us as well and I would appreciate being copied on any reply. 

Thank you,

Julie Myers 
Chief Information Security Officer

University of  Rochester - University IT

julie.myers@rochester.edu  

p: 585.273.1804  c: 585.208.0939  

P Think twice before you print

 CONFIDENTIALITY: This email (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this email in error, please notify the sender and delete this email from your system. Thank you.

 

I would contribute that there are three issues: 1.) the basic insecurity of email transmission. (imagine grades with gmails targeted advertising engines) because most schools likely permit email forwarding even if it does begin in house. 2.) the basic insecurity of email archiving. (What if a student grows up to be president but didn't do so well on an economics course). 3.) The inability to repudiate email. (The student who's dog ate their email... or the 'I never got it' excuses). All of these seem to point to a secure, authenticated, repudiated web service.

Randall Grimshaw rgrimsha@syr.edu
 
Our institution offers a course management system (Blackboard) for assignment based electronic grade delivery to students and UAOnline (frontend to Banner) as the portal for historical final grades. With this there should be no need to email grades.

Nathan

Our students can refer to our course management system, Blackboard; or they can access the University ERP system, PeopleSoft to check their grades.   We do not send out grades via email.

 

Theresa Semmens, CISA

NDSU Chief Information Technology Security Officer

NDSU Dept. 4510

210D IACC, PO Box 6050

Fargo, ND 58108-6050

Office: 701-231-5870

Cell: 701-+212-2064

Theresa.Semmens@ndsu.edu

www.ndsu.edu/its/security

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Nathan Zierfuss
Sent: Thursday, January 05, 2012 2:48 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] FERPA and E-mailing grades

 

Our institution offers a course management system (Blackboard) for assignment based electronic grade delivery to students and UAOnline (frontend to Banner) as the portal for historical final grades. With this there should be no need to email grades.

 

Nathan

 

Message from mclaugkl@ucmail.uc.edu

Hi All:

We had a similar discussion yesterday and our FERPA compliance officer came to the following conclusion:

 

So Google staff have unfettered access to these transmissions?   If that actually is the case, then yes.  UC has not oversight over Google, no contractual relationship.  Google thus is not obliged to safeguard or in any way protect the privacy of the grade information.  It can use the info for whatever reason, and without UC ever knowing.  So that would be unacceptable, and also a FERPA violation.

 

 

So our going forward approach is that we will not encourage this type of use (we encourage Blackboard and other systems like the ones already mentioned in this thread).  When we find out about faculty who are sending emails through and to a non-Institution system (and I know some of you find this surprising but this does happen  J  ) we will remind them that they are violating FERPA if they continue to circumvent the official systems and process. 

 

- Kevin

 

 

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified

Assistant Vice President, Information Security & Special Projects

University of Cincinnati

513-556-9177

 

The University of Cincinnati is one of America's top public research institutions and the region's largest employer, with a student population of more than 41,000.

 

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Semmens, Theresa
Sent: Thursday, January 05, 2012 3:51 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] FERPA and E-mailing grades

 

Our students can refer to our course management system, Blackboard; or they can access the University ERP system, PeopleSoft to check their grades.   We do not send out grades via email.

 

Theresa Semmens, CISA

NDSU Chief Information Technology Security Officer

NDSU Dept. 4510

210D IACC, PO Box 6050

Fargo, ND 58108-6050

Office: 701-231-5870

Cell: 701-+212-2064

Theresa.Semmens@ndsu.edu

www.ndsu.edu/its/security

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Nathan Zierfuss
Sent: Thursday, January 05, 2012 2:48 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] FERPA and E-mailing grades

 

Our institution offers a course management system (Blackboard) for assignment based electronic grade delivery to students and UAOnline (frontend to Banner) as the portal for historical final grades. With this there should be no need to email grades.

 

Nathan

 

Message from dean.halter@notes.udayton.edu

I agree that course management systems and ERPs are better ways of accessing/providing this information.  That said, I'm not sure that FERPA prohibits use of email to provide grade information.  Whether internal or contracted w/ a provider (Google, for example, is a "school official" per contract within Google Apps for Edu), I believe you should be able to use email as long as the solution is "secure."  Making sure faculty and staff address the information from and to university provided accounts is as important as the technical transport and storage.  Students, on the other hand, should be able to forward or share their mail if they choose.  Very interesting conversation and I appreciate everyone’s insight.

Dean
___________
Dean Halter, CISA, CISSP
IT Risk Management Officer, UDit
University of Dayton

"Security is a process, not a product."  Bruce Schneier
I have to agree with Dean. I'm not convinced FERPA prohibits providing students grades via email. In fact some CMSs can be configured to automatically email or text students their grades when the grade-book is updated. I use this feature and suspect most students do. 

My experience has been our institution is struggling with not being the source of a digital identity for students that we used to be and coming to trust the one students have established for themselves prior to entering university. I believe FERPA requires us to validate who we are communicating with but not to secure the communications methods they elect. 

Has anyone explored identity validation via credit report questions similar to what banks do when you open an account online and accepting gmail, yahoo, ect. as a students email address rather then issuing them a new one?

Nathan

Message from mclaugkl@ucmail.uc.edu

I think that the cornerstone of Dean’s argument was that a contractual relationship existed between the entities (in particular he referenced Google – not Yahoo, hotmail, ACME mail, etc. )   without that contractual relationship (just my opinion here) I believe that it is prohibited under FERPA. 

 

- Kevin

 

 

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified

Assistant Vice President, Information Security & Special Projects

University of Cincinnati

513-556-9177

 

The University of Cincinnati is one of America's top public research institutions and the region's largest employer, with a student population of more than 41,000.

 

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Nathan Zierfuss
Sent: Friday, January 06, 2012 1:22 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] FERPA and E-mailing grades

 

I have to agree with Dean. I'm not convinced FERPA prohibits providing students grades via email. In fact some CMSs can be configured to automatically email or text students their grades when the grade-book is updated. I use this feature and suspect most students do. 

 

My experience has been our institution is struggling with not being the source of a digital identity for students that we used to be and coming to trust the one students have established for themselves prior to entering university. I believe FERPA requires us to validate who we are communicating with but not to secure the communications methods they elect. 

 

Has anyone explored identity validation via credit report questions similar to what banks do when you open an account online and accepting gmail, yahoo, ect. as a students email address rather then issuing them a new one?

Nathan