College of Arts and Sciences Information Storage Policy

To: College of A&S Department Chairs and Faculty

From: Director of eTech

Ashley Ewing, Information Security Officer

Date: January 19, 2012; rev. June 26, 2014

Re: Information Storage, College of A&S

With the increasing interest from faculty in reporting student and course information electronically, it is important that this information be stored and transferred using secure methods. The College of Arts and Sciences’ Office of Educational Technology has worked with the Office of Information Technology to establish some guidelines that departments can use to make sure that their information is as safe as possible and that no one inadvertently violates any Family Educational Rights and Privacy Act (FERPA) regulations.

All faculty and staff members should keep the following points in mind when storing and transferring student information. Please be aware that failure to abide by these guidelines could result in legal liability for the individual and/or the department.

Do

Do store all student information and sensitive information (personnel information, research, if applicable, etc.) on the University network drives. This includes the share drive, faculty home drives, and UA Box, all of which are contained within the University firewall.

Do use the University of Alabama Virtual Private Network (VPN) whenever attempting to access share drives from off-campus. Additional information on when to use the VPN can be found under the FAQs section at the end of this memo and on the OIT website page on virtual private networks. For those who have difficulties accessing the VPN, contact the Office of Information Technology (OIT) at itsd@ua.edu.

Do send all correspondence with students and about students through UA email accounts only. Please keep in mind that while non-UA email servers may advertise that they are secure, these providers glean information from your emails for research purposes. Therefore, outside email sources should never be used for sending any student information such as CWIDs or grades. OIT has been implementing a newer email system (Exchange) across UA. As part of this process, any forwarding from UA emails to off-site systems will be eliminated. For those who want to keep email in a single location, this can be done through clients such as Outlook and Apple Mail. For more information on these systems, contact eTech at eTech@ua.edu or OIT at itsd@ua.edu.

Do practice due diligence when maintaining grade books. Faculty are allowed to keep grade books (hard copies and electronic) in locations off the network drives, with the assumption that appropriate precautions are taken to make sure that the information is not easily accessible or viewable by other people. When faculty are using external sources (laptops, home computers, physical grade books, iPads, etc.) to record student grades, they should take care to disclose as little information as possible on these records. Student names are acceptable, while last name only (or last name with first initial) would create a higher level of security. Faculty should never record student names with CWIDs in their grade books.

Do Not

Do not save any CWIDs to unprotected devices, such as a non-compliant server, flash drive, unencrypted laptop, disk, external hard drive, or an unsecured online system such as Dropbox, Evernote, or GoogleDocs. If you are unsure whether the device or system is secure, contact eTech at etech@ua.edu or just don’t use it.

Do not store social security numbers for students, staff, or faculty on any personal devices, external storage devices, or office computers. There is NO reason that departments should ever need or use social security numbers for work or any other purpose. If departments are using forms that ask for social security numbers, they should remove this category immediately. If the form is from an outside source, the department should instruct the individuals filling out the forms to write “declined” in that section. (If the form is from an outside source within UA, please contact eTech so we can alert OIT security to investigate the matter.) When departments receive documents that contain social security numbers, they should obliterate the numbers with black markers on hard copies and delete the numbers on electronic copies.

Do not collect or store sensitive student information on unsecured electronic devices (this does not include grade books). Sensitive information includes student names when they are combined with CWIDs, birth dates, mothers’ maiden names, social security numbers, grades, medical records/data, or entrance exam scores. If any faculty or staff members are collecting this type of information, it should be stored on the share drive or a University-encrypted laptop. Anyone who is storing this information on unsecured external electronic devices should transfer it to the share drive and immediately delete it from the external source. Any hard copy materials with sensitive student information should be shredded.

Departments should not use unapproved off-network servers to store student information, department emails, share drive folders, etc. Any existing share drives in departments must be cleared through the College of Arts and Sciences and undergo review from OIT security to determine whether they can be used.

FAQs

What is a server?
A server can be ANY computer regardless of size or location that accepts external connects for services such as Web Sites, FTP, SSH, or any other file-sharing services through databases or other software that is made available to external users.

What is the Virtual Private Network (VPN) and when should I use it?
The virtual private network (VPN) allows faculty and staff to securely access systems on the UA network while using a public network connection. The following list describes when it is typically necessary to connect to the VPN.

  • The VPN is necessary to remotely access data on faculty or staff office systems off campus using either a desktop or laptop. Remote Desktop (RDP) is necessary to log into the faculty or staff office computers from another computer either on or off campus.
  • It is necessary to connect to the VPN when using a computer off campus to access folders/files on an office PC or folders/files on the share drive or home drive. In order to do this, the faculty or staff should first log into VPN, then log into RDP.
  • When faculty or staff who normally use University laptops are off campus, they must connect to the University Network through the VPN in order to access shared folders/files. No RDP is necessary.
  • Email can be accessed remotely through webmail at webmail.ua.edu. No VPN connection is necessary for this connection; however, this connection will not provide access to local files or files on the share drive. Webmail is only a web interface to email – not a client interface like Outlook or Entourage.
  • Self-Service Banner and Banner INB can both be remotely accessed without using VPN.
  • Remote Desktop (RDP) can be used by a faculty or staff to access files on a campus computer from another computer that is also located on campus.
  • In some special cases, users may access servers using Secure Shell (SSH) through the VPN as well.

What do we do with old graduate applications or documents containing social security numbers?
Although the Graduate Office has now discontinued the practice of collecting social security numbers for graduate student applications, many departments are wondering what to do with the information already collected. For those departments who have retention policies for these applications, make sure that the paperwork is always stored in a secure location. When the retention period has expired, hard copies of documents containing these numbers should be shredded. Departments should not be collecting SS numbers as part of an electronic database. If any grad student databases currently contain social security numbers, delete this column immediately. Grad application information is considered sensitive and should be stored on the network drives.

What if we want to share faculty or staff applications among our hiring committee or share documents within a select group of individuals?
UA now has UA Box, which is available for free to all faculty, staff, and students. It allows individuals to share files with a designated group of people, and it is protected by the UA firewall so it can be used to share sensitive information, such as application materials. For more information on how to register for a UA Box account, go to the OIT website page on UA Box.

What constitutes FERPA information?
For a complete description of FERPA information, please see the FERPA fact sheet on the Registrar’s website. However, here are some highlights that are pertinent to faculty:

In Order To Avoid FERPA Violations, Faculty Should Not:

  • Use the SSN/Student ID/Student Names to post grades.
  • Leave graded tests [electronically or in print] for students to sort through.
  • Circulate electronically or in print, class list with the Student Name and SSN/Student ID.
  • Provide anyone with student schedules.
  • Provide anyone with lists of students enrolled in your classes.
  • Include confidential information (i.e., grades, #of credits) in a commendation letter without the written consent of the student [Note: If a student provides you a resume with the information, you may disclose whatever is in the resume.]

Faculty or staff with any questions about electronic security issues can contact Ruth Pionke at eTech, OIT, or they can go online to oit.ua.edu/service/security/.