Data Privacy Awareness Open Forum hosted by the Information Technology Division, 10/14/2013

Transcript of Data Privacy Awareness Open Forum hosted by the Information Technology Division, 10/14/2013.

Page 2

Data Privacy Awareness

Open Forum hosted by the Information Technology Division

10/14/2013

Page 3

Presenters and Panelists

• Marc Wallman, Interim Vice President for Information Technology

• Christopher Wilson, General Counsel

• Matthew Hammer, Assistant General Counsel

• Eric Miller, Director of Ethics, Compliance and Audit

Page 4

Additional Panelists

• Theresa Semmens, Chief IT Security Officer, Information Technology Division

• Jeff Gimbel, Senior IT Security Analyst, Information Technology Division

• Steven Hammer, Ph.D. Candidate and Instructor, English Department

Page 5

Managing Electronic Communications

Marc Wallman, Interim VP for Information Technology

Page 6

Forms of Electronic Communication Include:

1. E-mail

2. Instant Messaging (Lync, Google Talk, AIM, Yahoo! Messenger, etc.)

3. Voicemail

4. Text Messages

5. Video Chat (Skype, Lync…)

6. Learning Management Systems (Blackboard)

Page 7

Areas of Concern

1. Privacy

2. Open Records

3. Records Retention

4. Incidental Use

5. Personal Devices Used for Work

Page 8

Privacy Concerns

1. Who can see my data?

2. What can they see?

3. How do I know the people who can see my data without my knowledge are being responsible?

Page 9

Who Can See My Data? Third Party Services

Page 10

Privacy Concerns: What can they see?

1. It varies from service to service.

2. For some services, IT staff have full (read and write) access to everything.

3. For some services, IT staff have limited or no access. This is more likely to be true of hosted services such as PeopleAdmin.

Page 11

Privacy Concerns: IT Staff

1. Are expected to follow NDUS Procedure 1901.2.

2. Are expected to follow NDSU policies 158 and 710.

3. Have a signed confidentiality agreement on file.

4. Have expectations reviewed at all staff meetings.

Page 12

Privacy in Policy: 1901.2, Section 2.1

2.1 Privacy

In general, all electronic information shall be free from access by any but the authorized users of that information. Exceptions to this basic principle shall be kept to a minimum and made only when essential to:

1. meet the requirements of the state open records law and other statutory or regulatory requirements;

2. protect the integrity of the College or University and the rights and property of the State;

3. allow system administrators to perform routine maintenance and respond to emergency situations such as combating "viruses" and the like (see 4.3, 4.4).

Page 13

1901.2 4.4: Allowances for Monitoring without Notification

1. The user has voluntarily made them accessible to the public.

2. It reasonably appears necessary to do so to protect the integrity, security, or functionality of the Institution or to protect the Institution or NDUS from liability.

3. There is reasonable cause to believe that the user has violated, or is violating, Institution or NDUS policies or any applicable laws.

4. An account appears to be engaged in unusual or unusually excessive activity, as indicated by the monitoring of general activity and usage patterns.

5. A legally served directive of appropriate law enforcement agencies has been received.

6. A specific complaint of suspected or alleged violation of policy or law regarding a specific system or activity has been received.

Page 14

Open Records Concerns

1. What constitutes a record?

2. Which of these records are open and which are not?

3. What about “records” stored on my personal device (e.g., phone, computer, tablet)?

Page 15

What constitutes a record?

1. NDCC 54-46-02 defines a record as "A document, book, paper, photograph, sound recording or other material, regardless of physical form or characteristics, made or received pursuant to law in connection with the transaction of official business."

2. A record is anything that:

a. Your office created;

b. Your office acted on;

c. Your office receives for action;

d. Your office is designated as the custodian of (i.e. record-holder);

e. Your office needs to document its decisions.

Source: NDSU Records Management FAQ. http://www.ndsu.edu/recordsmanagement/faq/.

Page 16

What records are open and what are not?

1. Everything is open by default.

2. Common sources of exemption from open records laws include:

a. FERPA

b. HIPAA

c. Intellectual Property

d. IRB regulated data

Page 17

Records and Personal Devices

1. A record is a record, regardless of where it is stored.

2. Storing records on personal devices may open these devices to open records searches.

3. If you are asked for a specific record as part of an open records request, you must produce it regardless of the device it is stored on.

Page 18

Does IT take care of retention for me?

1. No.

2. IT does not look at the content of your data unless there is a need as previously described.

3. Retention rules are not medium specific. There is not a specific rule for e-mail retention. E-mail messages may fall under various retention schedules, or none at all. You are responsible for managing this.

4. However, IT is responsible for making sure data on systems we manage are not lost due to hardware malfunction, software malfunction, or loss of physical facilities, and Blackboard course retention schedules have been aligned with the retention schedule for student records.† Further, IT and General Counsel review relevant contracts/licenses to ensure that products used will allow for compliance with relevant records laws (among other things).

†See http://www.ndsu.edu/its/instructional_services/blackboard/archival_retention_procedure/ for details.

Page 19

Incidental Use

1. What is allowed? Activities that do not:

a. Interfere with operations

b. Burden the institution with incremental costs.

c. Interfere with users' obligations to the institution.

2. What is not allowed? Activities that are not allowed include:

a. Political activity

b. For-profit activity

c. Illegal or malicious activity

d. Activity that conflicts with other policy (e.g., AUP)

Page 20

Incidental Use: Definition of Authorized Use

"Use of computing and networking resources shall be limited to those resources and purposes for which access is granted. Use for political purposes is prohibited (see Section 39-01-04 of the ND Century Code). Use for private gain or other personal use not related to job duties or academic pursuits is prohibited, unless such use is expressly authorized under governing institution or system procedures, or, when not expressly authorized, such use is incidental to job duties or limited in time and scope, and such use does not: (1) interfere with NDUS operation of information technologies or electronic mail services; (2) burden the NDUS with incremental costs; or (3) interfere with the user's obligations to the institution or NDUS."

Source: NDUS Procedure 1901.2.

Page 21

Personal Devices Used for Work

1. Allowed.

2. Must follow procedure 1901.2. Pay special attention to section 3.4.

3. Does not exempt you from any records requests or obligations.

4. May open your personal content in ways you may not like.

5. May obligate you to take steps to protect the content against accidental loss.

Page 22

Open Records Requests

Christopher Wilson, General Counsel

Matthew Hammer, Assistant General Counsel

Page 23

Records Management

Eric Miller, Director of Ethics, Compliance and Audit

Page 24

Panel Discussion

Page 25

Resources

• NDSU IT Security: www.ndsu.edu/its/security/security/data_standards_hub

• Audit & Advisory Services: www.ndsu.edu/auditadvisory

• Office of the General Counsel: www.ndsu.edu/general_counsel
