Privacy Practices @ CMU

Privacy @ CMU
Doug Markiewicz
Policy Specialist and Security Engineer
Information Security Office (ISO)

• University Privacy Policies
  – Computing Policy
  – Policy on Privacy Rights of Students
  – Physical Privacy
  – Web Privacy
• Regulatory Requirements
• Globalization
• Questions & Answers
Information Security Office 2

University Privacy Policies
• Computing Policy
  – Overview
    • 3 separate policies for students, faculty and staff
    • Electronic data under the proprietary control of the student, faculty or staff may not be read without consent
  – Implied consent
    • Posting to a public web server
    • Providing electronic access to an individual
  – Exceptions to privacy
    • Emergencies as determined by Provost or a designate
    • As required by law (subpoena or court order)


University Privacy Policies
• Computing Policy
  – Investigation of Student Data
    • Notification within 5 days of intrusion
    • Unrelated findings reported to Office of Student Affairs
  – Investigation of Staff Data
    • Notification within 5 days of intrusion
    • Findings reported to Supervisor, Department Head and HR
  – Investigation of Faculty Data
    • Prior notification to allow faculty time to file a motion to quash
    • Protection from University sanctions (with respect to emergencies)
    • Investigation by a Faculty Senate designee


University Privacy Policies
• Computing Policy
  – Things to Consider
    • Limited guidance for Office of the Dean of Student Affairs
    • Limited guidance on what constitutes “malicious activity”
    • Inconsistencies across 3 policies
    • Impact on e-Discovery Requirements


University Privacy Policy
• Policy on Student Privacy Rights
  – Based on FERPA
  – Disclosure
    • “Carnegie Mellon generally will not disclose personally identifiable information from your education records without your consent except for directory information and other exceptions specified by law.”
  – Student Rights
    • Inspect and review educational records
    • Request an amendment to educational records
    • Request a hearing when amendments not resolved
    • Consent to disclosure of PII from educational records
    • File a complaint with the U.S. Department of Education

University Privacy Policy
• Policy on Student Privacy Rights
  – Exceptions
    • School officials with legitimate educational interest
    • Federal officials in connection with federal programs
    • Organizations involved in financial aid
    • State and local officials
    • Test agencies
    • Accrediting agencies
    • Parents of dependent students
    • Court order or subpoena
    • Health or safety emergency


University Privacy Policy
• Physical Privacy
  – Housing Services Privacy Policy
    • “Authorized representatives of the university may enter resident accommodations at any time to inspect facilities or to carry out repairs and maintenance.”
  – Policy on the Privacy of Faculty Offices
    • “No one may enter a faculty member's office, or search a faculty member's files, or examine or remove work products or documentary material without permission…”
  – Staff Handbook
    • “Carnegie Mellon reserves the right to search university property and personal property brought into the workplace and reserves the right to use other investigative methods, including video surveillance, as the university deems necessary.”

University Privacy Policy
• Web Privacy
  – Decentralized web development
  – No University-wide web privacy policy
  – Several departmental web privacy policies
    • Alumni Website
    • Heinz School
    • Information Networking Institute
    • Software Engineering Institute ***
    • Tepper School of Business
    • University Bookstore


University Privacy Policy
• Web Privacy – Alumni Website
  – Things to Consider
    • What constitutes “all reasonable precautions”?
    • What liability does “all reasonable precautions” create?
    • The Alumni Online Community is a 3rd party website

“The Alumni Association has taken all reasonable precautions to secure the personal information available through the Online community.”


University Privacy Policy
• Web Privacy – Bookstore Website
  – Things to Consider
    • Is it safe to submit logon credentials?
    • Is it safe to submit payment information?

“…while we strive to protect your personal information, we cannot guarantee or warrant the security of any information you transmit to or from our web sites.”


University Privacy Policy
• Web Privacy – Cookies
– Some sites that use cookies
• • • • • •

– Heinz School (The Heinz School Review)
“There is no identification of individuals from our aggregate data. Therefore, unless you choose otherwise, you are totally anonymous when visiting our site.”

University Privacy Policy
• Social Security Numbers
  – Current State
    • Currently no Policy governing use of SSNs
    • SSN used as identifier in Student Information System (SIS)
    • Multiple systems query the SIS using SSN
    • Numerous processes (paper and electronic) that require SSN
    • Numerous archived grade rosters containing SSNs
  – Future State
    • Information Security Office PII Clean-up Campaign
    • Implement Policy on appropriate use of SSNs
    • Eliminate use of SSN as primary identifier in SIS


Regulatory Requirements
• Federal Laws - FERPA
  – Core privacy law governing the University
  – Policy on Student Privacy Rights
  – Guidelines on Student Privacy Rights
  – Request to Review Academic Records
  – Complaints can be sent to Family Policy Compliance Office
  – Ongoing evaluation of privacy practices
    • Enrollment Services
    • Information Security Office
    • Office of General Counsel
    • Office of Student Affairs

Regulatory Requirements
• Federal Laws - GLBA
  – Portions of University considered a financial institution
  – Exempt from privacy requirements due to FERPA
  – GLBA Information Security Program
• Federal Laws - HIPAA
  – Student Health Services
    • Currently working with Office of General Counsel on compliance
  – University Group Health Plan
    • Participants provided with HIPAA Privacy Notice
    • Documented Privacy Policies and Procedures
    • More:

Regulatory Requirements
• State Laws – California
  – Civil Code section 1798.80 – 1798.84
    • Requires security measures to protect personal information
    • Requires notification of breach of personal information
    • Exception for encrypted personal information
  – A.B.779: Consumer Data Protection Act
    • Prohibits storage of payment related data
• State Laws – Pennsylvania
  – Breach of Personal Information Notification Act
    • Requires notification of a breach of personal information
    • Exception for encrypted or redacted information

Regulatory Requirements
• State Laws
  – Things to Consider
    • 35 states have breach notification laws
    • Undetermined number of states have privacy laws
    • Does CMU have to comply with all these laws? If so, how?


• Global University Branches
  – Athens, Greece
  – Doha, Qatar
  – Kobe, Japan (Cylab)
  – Adelaide, Australia


• International Laws
  – Greece
    • EU Directives 95/46/EC, 2002/58/EC, 2006/24/EC
  – Qatar
    • Decree Law 34 of 2006 (Telecommunications Law)
  – Japan
    • Personal Information Protection Act (2003 Law No. 57)
  – Australia
    • Federal Privacy Act
    • Guidelines on the National Privacy Principles
    • Guidelines on Privacy Code Development

• International Laws (cont.)
  – Things to Consider
    • How does the University get a handle on these laws?
    • Are there other privacy laws of concern?
      – Research, projects, degree programs, technology initiatives and study abroad programs across 142 countries
