Guidelines to help control access to personal information
By Kitty Bridges and Norma Kenigsberg
As the amount of sensitive data we store online in services like NYU Google Apps for Education (e.g., NYU E-mail, Calendar, Docs, Groups) increases, safeguarding privacy and security is of ever-greater importance. University community members need to be aware of the policies regarding and guidelines designed to help safeguard your personal information.
“NYU Google Apps for Education is a set of communications and collaboration applications hosted by Google Inc. on behalf of New York University. NYU Google Apps for Education is offered by Google to NYU in accordance with a specially negotiated end-user license agreement designed to protect the privacy and security of information owned by New York University and the members of its community, guaranteeing that Google will not access or reuse information stored in these applications for its own, commercial purposes.”
While this agreement provides a measure of protection, it is important to remember that privacy and security remain the individual’s responsibility. NYU’s adoption of Google Apps for Education has provided an opportunity to remind ourselves of the importance of the various policies and guidelines that describe best practices and requirements concerning privacy and security, especially for sending, storing, and sharing data using these services.
Policy on Responsible Use of NYU computers and data
The Policy on Responsible Use of NYU Computers and Data is NYU’s basic policy that outlines the obligations, requirements, and specifications concerning the use of NYU computers and data. It reminds members of the University community and affiliates that access to NYU computer and data resources is a privilege and that they need to employ reasonable and appropriate administrative, technical, and physical safeguards to protect the computer and data resources that they use and the sensitive data stored on these resources.
Data Classification at NYU
The ITS Data Classification Table describes four classes of data:
- Restricted: Data whose unauthorized access or loss could seriously or adversely affect NYU, a partner, or the public (e.g., Social Security Numbers, credit card numbers, and Electronic Protected Health Information/HIPAA information).
- Protected: Data that is of a lower level of importance but that still should be safeguarded from general access (e.g., final course grades, FERPA-protected data, and HR data, such as salary and benefits).
- Confidential: All other non-public data not included in the Restricted or Protected classes (e.g., NYU NetID, University ID number, and licensed software).
- Public: All data available to the general public that can be accessed without authentication (e.g., any data on www.nyu.edu).
Nothing about the implementation of NYU Google Apps for Education changes NYU’s policies or guidelines for appropriate handling of these data sources, whether transmitted, shared, or stored.
NYU E-mail continues to be an official method of communication with the NYU community. Restricted data, unless encrypted, should not be sent via e-mail. While the contents of NYU E-mail messages are encrypted during transmission, they are not encrypted when stored. Care should be taken with Protected data as well. For example, final grades should be communicated to students via Albert and not e-mail; for interim or assignment grades, e-mail may be used.
NYU Docs and Files 2.0 should not be used to store and share Restricted data. NYU’s Webspace service was created with additional security measures, so it can be safely used for Restricted data.
NYU Google Apps for Education are sufficiently secure to be used for private documents, such as tenure committee discussions, personal papers, class notes, and scholarly materials. It is especially easy to use NYU Docs to share documents and files with others; therefore, special care should be taken to ensure that you do not share documents more broadly than you intend. In particular, when sharing documents, be sure to select the right person or people from the NYU address list. Also, be sure to understand the difference between giving a user “view” and “edit” access, and make sure you have selected the appropriate level of access. Keep the “minimum necessary” concept in mind: include only the minimum number of people and the minimum amount of information needed to achieve your intended purpose. Finally, be aware of the option to “publish to the Web,” and determine whether that is appropriate for the material you are sharing. Additional information about sharing documents via NYU Docs is available on the NYU Google Apps website.
For researchers, special care should be taken with research data to ensure that funding agency requirements and institutional IRB guidelines are met.
Federal export control regulations prohibit the unauthorized “export” of certain controlled items, information, or software to foreign persons or entities in the U.S. and abroad. Export-controlled items provided by a third party may not be shared openly with certain foreign nationals, even though those individuals may be important contributors to the performance of the research. It can be a federal crime to share export-controlled data with collaborators who are not United States citizens or permanent United States residents, or to transmit export controlled data to a location outside of the U.S. NYU E-mail users are responsible for ensuring that specific export-controlled technology or technical data may be sent via e-mail and is transmitted and stored in accordance with federal export control laws and regulations. As noted above, although encrypted during transmission, the contents of NYU E-mail messages are not encrypted when stored (see NYU’s Export Control Regulations page).
NYU’s adoption of Google Apps for Education has provided exciting new tools and new services for our educational community. However, we must not forget that although the technology has changed, our roles and responsibilities have not. We must use our new tools wisely and continue to safeguard the information and data in our care.
About the authors
At the time of this article’s publication, Kitty Bridges was Associate Vice President for Strategic Communication & Partnerships in ITS and Norma Kenigsberg was the Manager for IT Policy Development and Compliance.