1 / 21

Privacy @ CMU

Privacy @ CMU. Doug Markiewicz Policy Specialist and Security Engineer Information Security Office (ISO) www.cmu.edu/iso. Agenda. University Privacy Policies Computing Policy Policy on Privacy Rights of Students Physical Privacy Web Privacy Regulatory Requirements Globalization

americus
Download Presentation

Privacy @ CMU

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy @ CMU Doug Markiewicz Policy Specialist and Security Engineer Information Security Office (ISO) www.cmu.edu/iso

  2. Agenda • University Privacy Policies • Computing Policy • Policy on Privacy Rights of Students • Physical Privacy • Web Privacy • Regulatory Requirements • Globalization • Questions & Answers Information Security Office www.cmu.edu/iso

  3. University Privacy Policies • Computing Policy • Overview • 3 separate policies for students, faculty and staff • Electronic data under the proprietary control of the student, faculty or staff may not be read without consent • Implied consent • Posting to a public web server • Providing electronic access to an individual • Exceptions to privacy • Emergencies as determined by Provost or a designate • As required by law (subpoena or court order) Information Security Office www.cmu.edu/iso

  4. University Privacy Policies • Computing Policy • Investigation of Student Data • Notification within 5 days of intrusion • Unrelated findings reported to Office of Student Affairs • Investigation of Staff Data • Notification within 5 days of intrusion • Findings reported to Supervisor, Department Head and HR • Investigation of Faculty Data • Prior notification to allow faculty time to file a motion to quash • Protection from University sanctions (wrt. emergencies) • Investigation by a Faculty Senate designee Information Security Office www.cmu.edu/iso

  5. University Privacy Policies • Computing Policy • Things to Consider • Limited guidance for Office of the Dean of Student Affairs • Limited guidance on what constitutes “malicious activity” • Inconsistencies across 3 policies • Impact on e-Discovery Requirements Information Security Office www.cmu.edu/iso

  6. University Privacy Policy • Policy on Student Privacy Rights • Based on FERPA • Disclosure • “Carnegie Mellon generally will not disclose personally identifiable information from your education records without your consent except for directory information and other exceptions specified by law.” • Student Rights • Inspect and review educational records • Request an amendment to educational records • Request a hearing when amendments not resolved • Consent to disclosure of PII from educational records • File a compliant with the U.S. Department of Education Information Security Office www.cmu.edu/iso

  7. University Privacy Policy • Policy on Student Privacy Rights • Exceptions • School officials with legitimate educational interest • Federal officials in connection with federal programs • Organizations involved in financial aid • State and local officials • Test agencies • Accrediting agencies • Parents of dependent students • Court order or subpoena • Health or safety emergency Information Security Office www.cmu.edu/iso

  8. University Privacy Policy • Physical Privacy • Housing Services Privacy Policy • “Authorized representatives of the university may enter resident accommodations at any time to inspect facilities or to carry out repairs and maintenance.” • Policy on the Privacy of Faculty Offices • “No one may enter a faculty member's office, or search a faculty member's files, or examine or remove work products or documentary material without permission…” • Staff Handbook • “Carnegie Mellon reserves the right to search university property and personal property brought into the workplace and reserves the right to use other investigative methods, including video surveillance, as the university deems necessary. “ Information Security Office www.cmu.edu/iso

  9. University Privacy Policy • Web Privacy • Decentralized web development • No University-wide web privacy policy • Several departmental web privacy policies • Alumni Website • Heinz School • Information Networking Institute • Software Engineering Institute *** • Tepper School of Business • University Bookstore Information Security Office www.cmu.edu/iso

  10. University Privacy Policy • Web Privacy – Alumni Website • Things to Consider • What constitutes “all reasonable precautions”? • What liability does “all reasonable precautions” create? • The Alumni Online Community is a 3rd party website “The Alumni Association has taken all reasonable precautions to secure the personal information available through the Online community.” Information Security Office www.cmu.edu/iso

  11. University Privacy Policy • Web Privacy – Bookstore Website • Things to Consider • Is it safe to submit logon credentials? • Is it safe to submit payment information? “…while we strive to protect your personal information, we cannot guarantee or warrant the security of any information you transmit to or from our web sites.” Information Security Office www.cmu.edu/iso

  12. University Privacy Policy • Web Privacy – Cookies • Some sites that use cookies • www.cmu.edu • www.alumni.cmu.edu • www.bookstore.web.cmu.edu • www.cit.cmu.edu • www.housing.cmu.edu • www.studentaffairs.cmu.edu • Heinz School (The Heinz School Review) “There is no identification of individuals from our aggregate data. Therefore, unless you choose otherwise, you are totally anonymous when visiting our site.” Information Security Office www.cmu.edu/iso

  13. University Privacy Policy • Social Security Numbers • Current State • Currently no Policy governing use of SSNs • SSN used as identifier in Student Information System (SIS) • Multiple systems query the SIS using SSN • Numerous processes (paper and electronic) that require SSN • Numerous archived grade rosters containing SSNs • Future State • Information Security Office PII Clean-up Campaign • Implement Policy on appropriate use of SSNs • Eliminate use of SSN as primary identifier in SIS Information Security Office www.cmu.edu/iso

  14. Regulatory Requirements • Federal Laws - FERPA • Core privacy law governing the University • Policy on Student Privacy Rights • Guidelines on Student Privacy Rights • Request to Review Academic Records • Complaints can be sent to Family Policy Compliance Office • Ongoing evaluation of privacy practices • Enrollment Services • Information Security Office • Office of General Counsel • Office of Student Affairs Information Security Office www.cmu.edu/iso

  15. Regulatory Requirements • Federal Laws - GLBA • Portions of University considered a financial institution • Exempt from privacy requirements due to FERPA • GLBA Information Security Program • Federal Laws - HIPAA • Student Health Services • Currently working with Office of General Counsel on compliance • University Group Health Plan • Participants provided with HIPAA Privacy Notice • Documented Privacy Policies and Procedures • More: http://hr.web.cmu.edu/current/benefits/policies/ Information Security Office www.cmu.edu/iso

  16. Regulatory Requirements • State Laws – California • Civil Code section 1798.80 – 1798.84 • Requires security measures to protect personal information • Requires notification of breach of personal information • Exception for encrypted personal information • A.B.779 : Consumer Data Protection Act • Prohibits storage of payment related data • State Laws – Pennsylvania • Breach of Personal Information Notification Act • Requires notification of a breach of personal information • Exception for encrypted or redacted information Information Security Office www.cmu.edu/iso

  17. Regulatory Requirements • State Laws • Things to Consider • 35 states have breach notification laws • Undetermined number of states have privacy laws • Does CMU have to comply with all these laws? If so, how? Information Security Office www.cmu.edu/iso

  18. Globalization • Global University Branches • Athens, Greece • Doha, Qatar • Kobe, Japan (Cylab) • Adelaide, Australia Information Security Office www.cmu.edu/iso

  19. Globalization • International Laws • Greece • EU Directives 95/46/EC, 2002/58/EC, 2006/24/EC • Qatar • Decree Law 34 of 2006 (Telecommunications Law) • Japan • Personal Information Protection Act (2003 Law No. 57) • Australia • Federal Privacy Act • Guidelines on the National Privacy Principles • Guidelines on Privacy Code Development Information Security Office www.cmu.edu/iso

  20. Globalization • International Laws (cont.) • Things to Consider • How does the University get a handle on these laws? • Are there other privacy laws of concern? • Research, projects, degree programs, technology initiatives and study abroad programs across 142 countries Information Security Office www.cmu.edu/iso

  21. Questions? ? Information Security Office www.cmu.edu/iso

More Related