Data Privacy Awareness Open Forum hosted by the Information Technology Division, 10/14/2013
Data Privacy Awareness
Open Forum hosted by the Information Technology Division
10/14/2013 2
Presenters and Panelists
• Marc Wallman, Interim Vice President for Information Technology
• Christopher Wilson, General Counsel
• Matthew Hammer, Assistant General Counsel
• Eric Miller, Director of Ethics, Compliance and Audit
Additional Panelists
• Theresa Semmens, Chief IT Security Officer, Information Technology Division
• Jeff Gimbel, Senior IT Security Analyst, Information Technology Division
• Steven Hammer, Ph.D. Candidate and Instructor, English Department
Managing Electronic Communications
Marc Wallman, Interim VP for Information Technology
Forms of Electronic Communication Include:
1. E-mail
2. Instant Messaging (Lync, Google Talk, AIM, Yahoo! Messenger, etc.)
3. Voicemail
4. Text Messages
5. Video Chat (Skype, Lync…)
6. Learning Management Systems (Blackboard)
Areas of Concern
1. Privacy
2. Open Records
3. Records Retention
4. Incidental Use
5. Personal Devices Used for Work
Privacy Concerns
1. Who can see my data?
2. What can they see?
3. How do I know the people who can see my data without my knowledge are being responsible?
Who Can See My Data? Third Party Services
Privacy Concerns: What can they see?
1. It varies from service to service.
2. For some services, IT staff have full (read and write) access to everything.
3. For other services, IT staff have limited or no access. This is more likely to be true of hosted services such as PeopleAdmin.
Privacy Concerns: IT Staff
1. Are expected to follow NDUS Procedure 1901.2.
2. Are expected to follow NDSU policies 158 and 710.
3. Have a signed confidentiality agreement on file.
4. Have expectations reviewed at all staff meetings.
Privacy in Policy: 1901.2 2.1
2.1 Privacy
In general, all electronic information shall be free from access by any but the authorized users of that information. Exceptions to this basic principle shall be kept to a minimum and made only when essential to:
1. meet the requirements of the state open records law and other statutory or regulatory requirements;
2. protect the integrity of the College or University and the rights and property of the State;
3. allow system administrators to perform routine maintenance and respond to emergency situations such as combating "viruses" and the like (see 4.3, 4.4).
1901.2 4.4: Allowances for Monitoring without Notification
1. The user has voluntarily made them accessible to the public.
2. It reasonably appears necessary to do so to protect the integrity, security, or functionality of the Institution or to protect the Institution or NDUS from liability.
3. There is reasonable cause to believe that the user has violated, or is violating, Institution or NDUS policies or any applicable laws.
4. An account appears to be engaged in unusual or unusually excessive activity, as indicated by the monitoring of general activity and usage patterns.
5. A legally served directive of appropriate law enforcement agencies has been received.
6. A specific complaint of suspected or alleged violation of policy or law regarding a specific system or activity has been received.
Open Records Concerns
1. What constitutes a record?
2. Which of these records are open and which are not?
3. What about “records” stored on my personal device (e.g., phone, computer, tablet)?
What constitutes a record?
1. NDCC 54-46-02 defines a record as "A document, book, paper, photograph, sound recording or other material, regardless of physical form or characteristics, made or received pursuant to law in connection with the transaction of official business."
2. A record is anything that:
a. Your office created;
b. Your office acted on;
c. Your office receives for action;
d. Your office is designated as the custodian of (i.e. record-holder);
e. Your office needs to document its decisions.
Source: NDSU Records Management FAQ. http://www.ndsu.edu/recordsmanagement/faq/.
What records are open and what are not?
1. Everything is open by default.
2. Common sources of exemption from open records laws include:
a. FERPA
b. HIPAA
c. Intellectual Property
d. IRB regulated data
Records and Personal Devices
1. A record is a record, regardless of where it is stored.
2. Storing records on personal devices may open these devices to open records searches.
3. If you are asked for a specific record as part of an open records request, you must produce it regardless of the device it is stored on.
Does IT take care of retention for me?
1. No.
2. IT does not look at the content of your data unless there is a need as previously described.
3. Retention rules are not medium specific. There is not a specific rule for e-mail retention. E-mail messages may fall under various retention schedules, or none at all. You are responsible for managing this.
4. However, IT is responsible for making sure data on systems we manage are not lost due to hardware malfunction, software malfunction, or loss of physical facilities, and Blackboard course retention schedules have been aligned with the retention schedule for student records.† Further, IT and General Counsel review relevant contracts/licenses to ensure that products used will allow for compliance with relevant records laws (among other things).
†See http://www.ndsu.edu/its/instructional_services/blackboard/archival_retention_procedure/ for details.
Incidental Use
1. What is allowed? Activities that do not:
a. Interfere with operations
b. Burden the institution with incremental costs.
c. Interfere with users' obligations to the institution.
2. What is not allowed? Activities that are not allowed include:
a. Political activity
b. For-profit activity
c. Illegal or malicious activity
d. Activity that conflicts with other policy (e.g., AUP)
Incidental Use: Definition of Authorized Use
"Use of computing and networking resources shall be limited to those resources and purposes for which access is granted. Use for political purposes is prohibited (see Section 39-01-04 of the ND Century Code). Use for private gain or other personal use not related to job duties or academic pursuits is prohibited, unless such use is expressly authorized under governing institution or system procedures, or, when not expressly authorized, such use is incidental to job duties or limited in time and scope, and such use does not: (1) interfere with NDUS operation of information technologies or electronic mail services; (2) burden the NDUS with incremental costs; or (3) interfere with the user's obligations to the institution or NDUS."
Source: NDUS Procedure 1901.2.
Personal Devices Used for Work
1. Allowed.
2. Must follow procedure 1901.2. Pay special attention to section 3.4.
3. Does not exempt you from any records requests or obligations.
4. May open your personal content in ways you may not like.
5. May obligate you to take steps to protect the content against accidental loss.
Open Records Requests
Christopher Wilson, General Counsel
Matthew Hammer, Assistant General Counsel
Records Management
Eric Miller, Director of Ethics, Compliance and Audit
Panel Discussion
Resources
• NDSU IT Security: www.ndsu.edu/its/security/security/data_standards_hub
• Audit & Advisory Services: www.ndsu.edu/auditadvisory
• Office of the General Counsel: www.ndsu.edu/general_counsel