privacy and the handling of student information in the

the association formanaging and usinginformation resourcesin higher education

Privacy and the Handling ofStudent Information in the ElectronicNetworked Environments of Collegesand Universities

A white paper developed by a CAUSE task force in cooperation withthe American Association of Collegiate Registrars and Admissions Officers

Copyright © 1997 CAUSE

the association for managing and usinginformation resources in higher education

4840 Pearl East Circle, Suite 302EBoulder, Colorado 80301

phone: 303-449-4430fax: 303-440-0461

[email protected] http://www.cause.org/

A complimentary copy of this paper has been distributed to eachCAUSE member campus and organization. Additional copies areavailable to anyone on a CAUSE or AACRAO member campus at$16 per copy. The paper is available to non-members at $32 percopy. To order, send e-mail to [email protected] or call 303-449-4430.

Foreword

Virtually all colleges and universities are learn-ing to deal with the explosive growth of elec-tronic networks, connecting every part of thecampus community and linking to col-

leagues and information resources across the country andaround the world.

As an association made up predominantly of infor-mation technology professionals, CAUSE has been espe-cially concerned with the impact of such technology onthe campus community. We’re well aware that many ofthe issues higher education institutions are facing todaystem from the proliferation of campuswide networks andInternet connectivity — issues related to free speech, cen-sorship, student records privacy, ethical standards, man-aging “institutional information” on the World WideWeb, intellectual property, and copyright. And as cam-pus technology administrators and chief information of-ficers, our members are frequently expected to partici-pate in — sometimes even to drive — campus initiativesto establish policy that addresses networked electronicinformation resources.

A key set of related issues revolves around the han-dling of student information, which under the FamilyEducational Rights and Privacy Act (FERPA) of 1974 en-joys special protection. In recognition that many of ourmembers must deal with these issues, the CAUSE Boardof Directors assembled a task force of individuals withdiverse perspectives and responsibilities to identify andarticulate, through a white paper, the privacy and confi-dentiality issues that arise regarding access to and trans-mission of personally identifiable student informationin an electronic, networked environment.

Responding to this charge has not been easy. The mem-bers of the CAUSE task force found much to debate asthey met for discussions that led to the development ofthis paper, clear evidence that the issues are complex andthere are no universally agreed upon solutions. As thework of the task force progressed, new developments andperspectives fostered the realization that this is a mov-ing target. Like the task force, so too will members ofcampus communities find diverse perspectives with re-spect to the values of privacy and information access attheir institutions. What is important is the discussionand debate.

It is for this reason that this paper does not prescribewhat policy should be for every campus with respect toprivacy. Instead, it identifies the primary privacy prin-ciples involved, recommends a process whereby a fullspectrum of campus constituencies can be involved indiscussions that will lead to a better understanding ofcampus culture and values with regard to these principles,and suggests what might represent the lesser or greaterapplication of each principle. In my view, this representsa significant contribution from which all CAUSE mem-bers can benefit — thanks to each member of the taskforce for a job well done!

To support a continuing dialog, CAUSE plans to cre-ate an electronic discussion forum for those who readthis paper and wish to respond to the issues raised by thetask force and their recommendations. For more infor-mation about this forum, check the “Hot Links” at theCAUSE World Wide Web site or inquire to [email protected].

Jane Norman RylandCAUSE President

April 1997

Task Force Co-Chairs:

Virginia E. Rezmierski ([email protected]) is Director of PolicyDevelopment and Education in the Information Technol-ogy Division at the University of Michigan. An educationalpsychologist by training, she holds adjunct associate pro-fessorships in Michigan’s School of Education and Schoolof Public Policy. Dr. Rezmierski chairs the IT security com-mittee as well as many committees that analyze ethicaland legal issues. She has written policy for the Universityrelated to information technology since 1985.

Susan K. Ferencz ([email protected]) is Director of Policyand Planning for Information Technology at IndianaUniversity, and has had major responsibilities in developingthe student computing environment at Indiana for nearlyten years. She received her Ph.D. in educational psychologyfrom Indiana University and currently attends IU’s School ofLaw. She is a member of the graduate school faculty, usuallyteaching statistics. Ferencz is a member of the 1997 CAUSEBoard of Directors.

Task Force Members:

Laurence R. Alvarez (laurence.r.alvarez@sewanee. edu) isthe Associate Provost at the University of the South wherehe is responsible for all computing and telecommunica-tions. He has been involved with computing and concernedabout privacy issues since the early ‘70s. Sewanee’s cam-pus network reaching every office and student room wascreated in 1990 under his planning and direction. Alvarezis a member of the Board of Trustees and Treasurer ofEducom.

Clair W. Goldsmith ([email protected]) is DeputyDirector of Academic Computing and Instructional Tech-nology Services at the University of Texas at Austin. Hereceived his Ph.D. in Electrical Engineering from SouthernMethodist University. Dr. Goldsmith also chairs the Univer-sity of Texas System Information Technology ManagementCouncil. He participates in both technical and policy com-mittees for UT Austin, the UT System, and the higher edu-cation industry.

Kathleen R. Kimball ([email protected]) is the Computer Net-work and Information Security Officer at Penn State Uni-versity. She has over 20 years experience in researching,developing, testing, and evaluating intelligence systems,and in the security aspects of networked information sys-

tems. Prior to joining Penn State, she was instrumental inthe development, implementation, and integration of se-curity policy, procedures, and technology in support ofNORAD and the U. S. Space Command.

Robert Morley ([email protected]) is Associate Regis-trar at the University of Southern California where he hasled a number of technology initiatives over the past 15years. He also serves as a University advisor on mattersrelated to FERPA, privacy, and confidentiality in the stu-dent records area. He is former chair of the American As-sociation of Collegiate Registrars and Admissions Officers(AACRAO) committee on electronic data interchange(SPEEDE), and current chair of AACRAO’s Task Force onTechnology.

Trang Phuong Pham ([email protected]) will be receiv-ing her master’s degree in Public Policy this spring fromthe University of Michigan. She received her bachelors ofarts degree from the University of Texas in Austin, andnext plans to study law. She will be pursuing a career inintellectual property law, specifically copyright and trade-mark issues concerning the field of information technol-ogy.

Robert Ellis Smith ([email protected]) is pub-lisher of Privacy Journal, a monthly newsletter based inProvidence, RI, and the author of Our Vanishing Privacy(1993) and Privacy: How to Protect What’s Left of It (1979).A lawyer and journalist, he was associate director of theOffice for Civil Rights in the U.S. Department of Health,Education and Welfare with responsibility for higher edu-cation compliance in the 1970s.

Steven L. Worona ([email protected]) is Assistant to theVice President for Information Technologies at CornellUniversity. He has worked in the field of computer-medi-ated information storage and delivery for over 25 years,including development of CUinfo, the first campuswideinformation system. His technical responsibilities involvethe award-winning CUPID network-printing system andthe Cornell Digital Library. He is a director of Cornell’sComputer Policy and Law Program, and serves on a widevariety of on- and off-campus technical committees.

NOTE: The task force asked a number of individuals with specialperspectives and expertise to review this paper in its draft stage.See page 49 for a list of those who provided valuable input inthis process.

CAUSE Task Force Members

Privacy and the Handling of StudentInformation in the Electronic NetworkedEnvironments of Colleges and Universities

I. Executive Summary ................................................................... 1

II. Introduction .............................................................................. 2Beyond FERPA ........................................................................ 2

III. Privacy Issues in an Electronic Networked Environment. ............ 4The Importance of Privacy ..................................................... 4Technological Advances: Privacy Challenges. ......................... 5Technological Advances: Privacy Opportunities .................... 10Balancing Technology Benefits and Threats to Privacy.......... 12

IV. Principles of Fair Information Practice and Policy ......................13Notification...........................................................................14Minimization ........................................................................15Secondary Use ......................................................................20Nondisclosure and Consent ..................................................21Need to Know ......................................................................24Data Accuracy, Inspection, and Review .................................27Information Security, Integrity, and Accountability ...............29Education .............................................................................32

V. Building Policy in a Networked Information Environment .........34

Appendices

A: FERPA Overview...............................................................38B: Glossary of Terms ............................................................39C: Summary of Task Force Recommendations for Each

Principle of Fair Information Practice ................................42D: Checklist for Privacy Policy and Fair Information Practices 44E: Additional Information Principles .....................................46F: Input to this Report .........................................................48G: References .......................................................................50H: Resources ........................................................................52

… IN ELECTRONIC NETWORKED ENVIRONMENTS 1

I. Executive Summary

There is no turning back from the explosion ofinnovation and creativity the information revolu-tion represents. Information is a powerful com-

modity which, used properly, can expedite, enfranchise,and enrich. However, misuse of the power of informationcan cause harm, especially with respect to individualprivacy.

The recent shift to a networked information environ-ment is challenging the protection of privacy in a num-ber of ways. In colleges and universities, the focus onprivacy issues has traditionally been on student recordsand the officials charged with responsibility for them —registrars, bursars, financial aid officers, admissions per-sonnel, judicial administrators. But with the adoption ofdistributed technology architectures and widespread useof the network as a platform for instruction and studentservices, others in the campus community have also be-come stakeholders — faculty, deans, information systemsdevelopers, network administrators. And while these indi-viduals may gather and store information generated byand about students or develop student-related technol-ogy applications, they may be unfamiliar with theunique legal, ethical, and policy issues related to privacyand the handling of student information.

Other key factors raising student privacy issues are:✓ the increasing creation of information by and about

students that does not reside in structured databasesbut results from systems or technology transactionsor electronic communications;

✓ the ease with which information in electronic formcan be accessed, manipulated, and transported; and

✓ the security of student information accessed or trans-mitted in a networked environment.As institutions embrace information technology to

enhance teaching and learning, streamline business pro-cesses, and improve student services, they are findinginformation technology to be both a bane and a blessingwith regard to privacy. There is a delicate balance be-tween the responsibility for maintaining student privacyrights and the responsibility for providing effective andefficient service to students. To preserve that balance,colleges and universities will need to engage in a process

that examines basic principles underlying institutionalvalues and policies related to privacy and informationaccess. Enough technological change has occurred in thelast several years to prompt a reevaluation of privacypolicies created prior to the emergence of ubiquitousnetwork technologies — policies that may have beenovertaken by events — for possible adjustments. Or newpolicies may be needed where none currently exist.While this process should start with the legal implica-tions of the Family Educational Rights and Privacy Act(FERPA) — the very foundation of student informationpractices — it is also important to consider ethical andpolicy issues, as well as institutional needs.

This paper recommends using a set of principles offair information practice as a framework to guide suchcampus discussions, including:• Notification• Minimization• Secondary Use• Nondisclosure and Consent• Need to Know• Data Accuracy, Inspection, and Review• Information Security, Integrity, and Accountability• EducationThese discussions should be open and institution-wide,bringing together many different stakeholders to deter-mine campus values with respect to privacy and infor-mation access; to balance privacy rights with institu-tional needs and state and federal requirements; and toweigh the potential benefits of technology applicationsagainst the potential risk of privacy abuse.

Higher education as an industry has the uniquechallenge not only to respond to the cultural changeoccurring as a result of technological advances, but alsoto lead that change. Colleges and universities must pre-pare the next generation to fully understand both thetremendous potential embodied in new technologiesand the responsibilities that accompany their use. Under-standing the legal, ethical, and policy implications forprivacy in a networked environment is an importantpart of that education — not only for students, but alsofor faculty, staff, and administrators.

PRIVACY AND THE HANDLING OF STUDENT INFORMATION …2

Seeking new and more effective ways to fulfill theirmissions, colleges and universities are rapidly in-creasing their use of computing and communica-

tions technologies. Technological advances have openedexciting opportunities to change teaching and learningparadigms — to reach nontraditional students and im-prove learning in traditional student populations; tocreate new and more dynamic business systems to in-crease institutional efficiency; and to deliver studentservices faster and more effectively.

The ability to deliver education “virtually” throughthe use of sophisticated communications technologies isbreaking down traditional geographic barriers to compe-tition, and many institutions are losing the geographicmonopoly they previously enjoyed. In response to thesecompetitive pressures, many colleges and universitiesare looking to technology to enhance marketability andallow them to reach distant learners.

In response to demands to streamline operations,many campuses are adopting new business models thatpromise to provide efficiencies and economies — modelsthat cannot be implemented without investing in acampuswide technology infrastructure. For example,one reason many institutions have created distributed,networked environments is to support their strategy ofdecentralizing administrative functions — such as bud-geting and purchasing — to enable more efficient con-duct of business.

Most institutions are also exploring methods forgiving their students electronic network access to theirown grades, transcripts, course schedules, and other in-formation. With students being able to register online,institutions expect to see a reduction in the time it takesstudents to enroll in classes and to drop or add classes,and a general reduction in paperwork. The goal is tostreamline the delivery of student services, making stu-dent interactions with the institution more convenient.

The mission of higher education — the pursuit ofexcellence in learning, teaching, scholarship, and service— requires knowing a considerable amount about stu-dents: how well they are performing, where they live,what courses they are taking, and so on. Much of thisinformation is a product of the educational process,

some of it is a product of assisting the student withmeeting educational requirements, and some of it is aresult of simple transactions such as eating in a collegeor university dining room or checking a book out of thelibrary. This set of information contains elements that anindividual student may consider private. Further, associ-ating some items with other items may create new infor-mation that may be considered private.

Beyond FERPA

Colleges and universities have an obligation to protectthe confidentiality of student information. For morethan twenty years, the Family Educational Rights andPrivacy Act (FERPA) of 1974 has provided the foundationfor handling student information within educationalinstitutions (see Appendix A for a brief overview of thislaw). At the time of its passage FERPA was, and continuesto be, far-reaching legal protection for the privacy rightsof students.

That new technologies are being employed or thatFERPA provides the legal basis for handling studentrecords is not new. Nor is the fact that privacy violationsoccur — with or without technology. What is new, how-ever, is the increasing complexity of the issues to be ad-dressed when student information is handled withinelectronic networked environments.

Issues about handling student information are nolonger limited to student records in structured databasessuch as grades, transcripts, and class selections. Manyother pieces of information generated by and about stu-dents are becoming increasingly available because ofnetwork technology. For example, technology makes itpossible to capture, store, and access medical informa-tion, digitized and stored photo images, and informationabout individual students such as their entrance tobuildings, use of the library, the times and places theydine, when and where they sign on to computing re-sources, what they do once signed on, what they buy,and where they use their money cards. Though much ofthis information was available before the use of comput-ers, what is new is the ease with which such data can beaccessed and manipulated electronically by members of

II. Introduction


the community, and perhaps by others, with both posi-tive and negative ramifications. It is easier to combinedatabases, to perform automated search and sorting pro-cesses, to use data for secondary purposes with no hu-man authorization, and to instantly transport data overelectronic networks from one location to another — per-haps without a moment’s reflection on the privacy im-plications of such actions.

Adding to the complexity are two other factors:• the increasing distribution of student data and de-centralization of authority for its protection. In today’snetworked environment, control of this information isno longer solely in the hands of the registrar and otheracademic officers, but is shared by others who may beunaware of privacy considerations in handling studentinformation.• the fact that process decisions (how systems workand how access controls are managed) and tool decisions(how information is formatted, displayed, and presented)are often based on purely technical criteria, sometimeswithout input from the “stewards” of the data that are tobe managed within those systems. Privacy and securityissues are often addressed as an afterthought. In thewords of one registrar who provided input to our taskforce, “ ... the responsibility for technology applicationsrests with people who have not had to be concernedwith privacy and compliance issues.”

An understanding of privacy is no longer limited tothe legal implications of FERPA. Many colleges and uni-versities recognize the need to also address the ethicaland policy concerns that arise in a networked environ-ment. New technologies are exposing campus adminis-trators to a barrage of inquiries, demands, and com-plaints: “What is your policy in the area of X?” “I objectto the use of personal information Y.” “Please provideextract Z from your online database.” Without compre-hensive, carefully considered policy, the need for case-by-case decision-making will turn into an impossibleburden.

The implications of networked technologies on theprivacy of students, on the handling of personal infor-mation, on tradeoffs between privacy and service, andon the management of relationships between institu-tions and individuals are of such critical importance thatthey must be systematically examined by people with adiverse range of responsibilities institution-wide.

Notes another registrar, “A primary issue on our

campus is the conflict between the values of privacyprotection, convenience, control, and flow.” Policy re-garding privacy and networked information resourcesshould be determined at an institutional level, and canno longer be determined by any single campus depart-ment. In their 1995 book, Alderman and Kennedy wrote:

Whenever an invasion of privacy is claimed, thereare usually competing values at stake. Privacy mayseem paramount to a person who has lost it, butthat right often clashes with other rights and re-sponsibilities that we as a society deem important.1

This is at the heart of the dilemma facing colleges anduniversities. There are significant compelling, yet oftencompeting, forces as they try to make decisions abouthow to move forward in implementing information tech-nology. Tradeoffs and compromises must be considered.However, rights and responsibilities do not need to be atodds. Protection of privacy, enabling autonomy and in-tellectual freedom, and promoting civilized behaviorsare important to communities of higher education andto learning communities in general, and new technol-ogy advances can provide assistance in such efforts. Howcan colleges and universities meet those objectives andtake advantage of technological advances to meet insti-tutional needs at the same time?

This paper was developed by a task force commis-sioned by CAUSE, the association for managing and

using information resources in higher education, in co-operation with the American Association of CollegiateRegistrars and Admissions Officers (AACRAO). The pur-pose of the paper is to:• provide the reader with a framework for identifying and

understanding the issues surrounding privacy and thehandling of student information in an electronic net-worked environment,

• stimulate the clarification of values within institutionsby encouraging discussion of privacy and technologi-cal issues, and

• provide guidance, resources, and a process for examin-ing and creating policy to guide practice.

In developing this paper, our task force chose tolook beyond the letter of the law to examine ethical is-

1 E. Alderman and C. Kennedy, The Right to Privacy (New York:Alfred A. Knopf, 1995).


sues and information policies and practices not explic-itly covered by existing laws.

The paper first examines new technological ad-vances and ways they present both opportunities andpitfalls for privacy in the academic environment; thenidentifies eight principles our task force believes are im-portant to policy development and fair information

practice; and finally suggests a process that campusescan use for values clarification and policy development.Several appendices provide supplemental informationincluding an overview of FERPA, definitions, recommen-dations and a checklist for policy and practices, addi-tional information principles, information about sourcesof input to the task force, references, and resources.

Twenty years ago, except perhaps for a few scien-tists, people did not have computers in theirhomes. Similarly, only a few short years ago if

someone had used the term “World Wide Web” onemight have thought of spiders, or a creation by E. B.White. Yet today these are integral and irreplaceable ele-ments of everyday life. There is no turning back fromthe explosion of innovation and creativity the informa-tion revolution represents.

While networked environments challenge the pro-tection of privacy, they also afford opportunities to en-hance privacy. Before examining in greater detail suchchallenges and opportunities, a brief discussion of theconcept and importance of privacy is in order.

Throughout this paper, we refer to privacy as a rightof individuals to control personal information aboutthemselves (a right that in many instances is limited byother considerations). That right includes an opportu-nity to inspect information about themselves held byorganizations and an expectation that the informationwill be accurate. We refer to confidentiality as the prop-erty, or characteristic, of information that is kept secretand secure. Organizations obviously have an interest inkeeping information about themselves confidential, but,strictly speaking, that is not based on a right to privacy,which is an individual right.

The Importance of Privacy

Why is this individual right to privacy important, inparticular to students on college and university cam-puses? Privacy is the foundation of the intellectual free-dom that is critical in higher education. Especially criti-

cal for the growth of students is the ability to freely ex-plore and communicate ideas and to be totally honest informs of expression. Conditions must exist in whichthese activities may take place without stigmatizationand without later consequences for participating in thisworld of ideas. Colleges and universities have a responsi-bility to create and to protect these conditions to facili-tate and encourage the intellectual growth of students.

College is also a time of transition, pressure, anddramatic intellectual and emotional growth for moststudents. It is the time of breaking away from knownprotected environments, when students find themselvesin unfamiliar territory. It is a time of exploring new so-cial and intellectual environments in which they beginto define for themselves their more independent identi-ties and routines. During this often unstable and vulner-able time, students may be unduly sensitive about theirheritage, their strengths and weaknesses, their families,the look of their bodies, their disabilities or illnesses.Providing an environment where privacy is possible andinformation about themselves can be controlled easesone of the many pressures of campus life.

In a learning environment, students need to be inde-pendent — to have a sense of autonomy in assertingtheir beliefs, ideas, and values. Privacy is the foundationfor such self-governance and autonomy. Without theability to control and release information about them-selves at will, students can become more vulnerable tothe desires, assumptions, and power of others. They mayalso be hurt economically, educationally, socially, orpsychologically by information theft or misrepresenta-tion. The incident below illustrates how information canbe used to draw assumptions and perhaps to disadvan-

III.Privacy Issues in an ElectronicNetworked Environment


retrieve the information, rectify the error, or even stopits unlimited retransmission, as illustrated by the inci-dent that follows.

In 1994, a midwestern university student sat at apublic computer to read his electronic mail, un-aware that a Trojan horse program had been placedon that machine. The program, though appearingto be a normal sign-on screen, captured and storedhis password. Only days later, a racially offensiveand threatening e-mail message was sent over theInternet to thousands of users under his name bythe person who had captured and stored his pass-word. The racist message appeared to be comingfrom the student, and he became the target of thou-sands of angry and threatening messages in re-sponse to the racist content. Though it was laterproved that the individual whose name appearedon the message did not send the message, he isstill plagued by individuals who continue to findthe message living in cyberspace and become out-raged. The student is the focus of complaints andcontinued suspicion because his name has beenwidely associated with this racist content.

Threats to privacy on today’s Internet have in partgrown out of its origins. Participation in early network-ing activities was limited to research centers at collegesand universities and government development facilities.The original Internet was designed to facilitate the wid-est possible sharing of information, so the security mea-sures essential to protect privacy were not emphasized.With access to the Internet available to the general pub-lic, and with its extremely rapid growth, there is an in-creasing awareness that the weak security practices in-herited from the network’s early culture urgently needto be addressed.

Fortunately, technologies supporting secure trans-mission of data over the Internet are now becomingavailable, and institutions of higher education are begin-ning to deploy them. (See the discussion below, begin-ning on page 10.) The effectiveness of these technologieswill be limited, however, until their use is widespreadand standardized. Institutions concerned about the secu-rity, privacy, and accountability of information sent over

tage an individual, reducing his or her autonomy.

One of the largest distributors of credit cards in thecountry at one time had the practice of routinelydenying credit cards to students majoring in his-tory, English, and art. They made the assumptionthat these students would be less likely to repaydebts because they would not receive high-payingjobs. When a student who had received a creditcard while majoring in math was denied a cardbecause he had changed his major to rhetoric, thepractice came to the light of public scrutiny.

Privacy is especially important to students until theyhave gained sufficient autonomy, knowledge, and experi-ence to make reasoned decisions about the actions theywish to take and are prepared to suffer the consequencesof those actions.

Technological Advances:Privacy Challenges

Several existing or emerging technologies that havegreat potential for improving the way higher educationserves students also have implications for their privacyrights. The discussion that follows illustrates the privacyissues that can and do arise in the context of deployingthese rapidly emerging technologies, including real-lifeincidents that have occurred in colleges and universities.While the nature of privacy violations hasn’t changed,network technology has changed the magnitude of po-tential damage, thus making it necessary to consider oldproblems in a new light.

The InternetThe Internet is a combination of international, na-

tional, state, and local electronic networks that enablespeople around the world to rapidly and easily access andexchange information. Internet privacy issues relate inpart to the structure of the Internet itself and in part toits breadth and speed. The instantaneous and global na-ture of electronically networked communications mag-nifies simple errors. It is possible to transmit sensitiveinformation, whether by accident or malicious intent, toa global audience in seconds, without ever being able to


the Internet should both install appropriate systems ontheir own campuses and get involved in network-wideactivities to promote the standardized use of these sys-tems throughout the Internet.

Higher education communities need to be cautiousand thoughtful in the way they use the Internet, espe-cially in implementing network-based applications thatrequire confidential handling of student information. Inaddition, colleges and universities need to establish andpromote institutional standards and policies to supportand guide the use of networked information resourcesand technologies. Without such widely understoodguidelines in place, privacy violations such as the onethat follows can and do occur as a result of ignorance.

An economics professor at one of the Big Tenschools decided to post the final grades of his stu-dents, using their student ID numbers (Social Se-curity number plus one digit) as identifiers, on alocal Gopher server, not realizing that the informa-tion would be accessible from any place that hadan Internet connection. Students were not happywith this use of technology for posting their gradesand, coincidentally, their identification numbers(SSN+1) to the Internet community.

Electronic mailElectronic mail is a technology that is almost univer-

sally desired and one upon which colleges and universi-ties increasingly depend. If an e-mail server is down foreven a brief time, the immediacy of the outcry fromusers illustrates the importance of the technology tomost of the campus community.

The threats to privacy related to electronic mail onnetworked mail systems are many. The primary issueinvolves the nature of e-mail itself. Is e-mail more like aphone conversation (for which records are not main-tained and which is considered private, with laws to pro-tect privacy), like sealed letters (which are subject torecords retention acts and policies, for which there arestrong laws protecting against intrusion as well as astrong tradition of respect for its sanctity), like postcards (for which there is sanctity protected by law andtradition but which everyone understands may be seen

by prying eyes), or like a bulletin board (for which thereis no expectation of privacy at all)?

The law has not yet given the community definitiveguidance on this issue. The answers to these questions insome ways dictate how electronic mail will be treated bythe institution. Unless an encryption technology isused, e-mail is not assured of confidentiality. Once sent,it may pass through a number of intermediate systemsbefore reaching its final destination. At any point alongthe journey, it has the potential for being intercepted,read, stored, modified, destroyed, or forwarded. To adegree, of course, all of these deficiencies also apply totraditional paper mail. In the world of e-mail, however,the abuses may be carried out by a much wider range ofindividuals, and without any telltale traces left behind.

Differences in expectations regarding ownership andhandling of e-mail messages is another issue. These canarise as a result of cultural differences among users andsystems managers, and/or the lack of policy defining thestatus of e-mail as confidential or public record, as inthe following incident. Institutional policy is needed tospell out standards for handling e-mail by system admin-istrators, technologists, and members of the community— that is, will e-mail be handled and managed as confi-dential?

A system manager at a university medical center,receiving complaints from male employees that afemale student was using the e-mail system to so-licit sex, decided to take matters into his own hands.He reasoned that as a manager he had the respon-sibility to see to it that the e-mail system was usedappropriately, that is, for the conduct of business.Employees understood the system to be for all oftheir uses, social and interpersonal, though prima-rily for work-related uses. The manager interceptedall messages to and from the student daily and re-viewed the content of those messages for evidenceof wrongdoing. Once the manager’s practice wasreported to university officials, he was informedthat his actions must be stopped as they violatedgood management practice, ethics, the privacy ofall of those who unwittingly communicated withthe woman, and possibly the law (Electronic Com-munications Privacy Act, 1986).


Another issue regarding e-mail occurs when it isimplemented without technologies in place that willauthenticate the sender and protect against forgery. Insuch circumstances, it may be impossible to know whothe actual sender is, as in the following incidents.

Two universities have reported forged mail purport-ing to come from their president with the obviousconfusions on the part of the recipient. At one east-ern university, mail which was sent to the presi-dent, supposedly from the director of housing, an-nounced his resignation. Before the president couldbe informed that the mail was a forgery, the resig-nation was officially accepted. At another univer-sity, a forged electronic mail message posted in thename of a professor cancelled a final examination,causing students to miss the test.

Still another issue regarding e-mail is its permanentnature. When an individual deletes a message and be-lieves that it no longer exists — assuming that the recipi-ent also deleted the mail and did not forward it — hasthe message really been deleted? Even from backups andarchival copies? Policy regarding what should be pre-served and saved as official correspondence and part ofprofessional duty within institutions should be estab-lished. Such policy relates to the fair information prac-tice of minimization, discussed on pages 15-20.

Institutions should consider the nature of e-mailwhen addressing what types of information are appro-priate for transmission via this medium. Until more ef-fective host and network security methods are in wide-spread use, the technical realities of this technology maycause it to fall short of the campus community’s expec-tations, policies, and standards. Encryption technologies(see page 11) hold promise for ensuring the confidential-ity of electronic communications, if they do not provetoo cumbersome for routine use.

World Wide WebThe World Wide Web, a network of servers on the

Internet that provide information and hypertext links toother documents, allows audio, video, graphical, andtextual content to be transported, accessed, and ex-changed worldwide. The Web has already found a role in

student information services. Comments one registrar,“For enrollment management, the Web allows collegesand universities to interact with students and prospec-tive students in a totally different way. It allows them tofind out information about the college in which they areparticularly interested in much more depth than a hard-copy publication.”

Along with the beneficial uses of this technologycome a few privacy implications for those who use it.One concern is the ability of Web browser software to“cache” (temporarily store) information that has re-cently been viewed. When student records are accessedvia a Web interface on a public microcomputer, the nextperson to use that computer may be able to view previ-ously loaded information, depending on the system de-sign or configuration. It is also the case that the variousWeb locations visited by the user of a computer arecached and, as in the incident below, this cache can beviewed by anyone with access to the computer.

A residence hall administrator at one midwesterncampus found that students knew little about therecords their Web browsing activities automaticallystored on their machines until an incident occurred.One student wishing to discredit another enteredhis dormitory room, accessed the Web cache onhis machine, and then proceeded in public forumsto announce what information the student wasreading and how often he was accessing it. Thestudent was publicly embarrassed and ridiculed.

Online monitoring and tracking by network systems(see sidebar, page 18) is usually employed to efficientlymanage systems and ensure against overloads and break-downs, but the monitoring tools may be used for otherpurposes, as well, some of which may constitute misuse.For example, the tools might be used to construct de-tailed logs of an individual’s behavior — such as the net-work sites s/he visits or the applications s/he uses — thuscreating new personal information about this individual.Even if the use is not intended to hurt specific individu-als, the threat of embarrassment may have a chillingeffect on their use of the system if the practice of moni-toring or logging transactions is not managed to protectprivacy, as in the following incident.


Twenty-eight graduate students employed as teach-ing assistants at an Ivy League university wereshocked to discover that the campus network sys-tem permitted other users to see a list that revealedthey had downloaded pornography. Apparently,the transmission of electronic mail and the transferof files from the Internet were regularly recordedin a public log in the system, which is used through-out the university by faculty and students.

This issue is analogous to the long-standing privacy is-sues surrounding library circulation records, and morerecently records of purchase or rental of videos. Policiesregarding such logging and monitoring activities and theinformation maintained in such logs — information that,if personally identifiable, is part of the student record —should be in place to guide such practices.

Organizational practices involving the Web may alsoviolate individual privacy. For example, administratorsmay require publication of student information on theWeb that students may consider personal and wish torestrict to campus viewing. Institutions should encour-age thoughtful discussion of both the positive and po-tential negative effects of using the Web, to help developpolicy in this area.

Another concern in this context is use of the Web forthe collection and transport of confidential information.College and university administrators want to be able toshare information (such as testing and transcript infor-mation) easily between institutions and to gather admis-sions and financial aid information easily and quicklyfrom individuals all over the world who wish to apply.The online environment holds remarkable promise forsuch activities, but it is important to consider privacyexpectations when evaluating what information to re-quest or disseminate via the World Wide Web, and whatlevel of security is needed to provide what the institu-tion deems reasonable assurance of privacy protection.

Digitized signaturesDigitized signatures are image replicas of the

individual’s own handwritten signature obtained duringa signing operation. (The pads/signature recording de-vices beginning to be employed by major departmentstores and express delivery services are an example.)

Digitized signatures should not be confused with digitalsignatures, one of a number of technologies that en-hance security in a networked environment (see discus-sion about encryption, page 11). Many institutions areconsidering, or have implemented, procedures for col-lecting digitized signatures.

Some colleges ask faculty, staff, and students to pro-vide digitized signatures to include on identificationcards for confirming identification when purchases aremade or checks signed. Others capture and store digi-tized signatures, rather than paper forms, to improve theefficiency of routine processes.

There are advantages and disadvantages to this pro-cess. The advantages are a reduction in the amount ofpaper and staff time needed to file, maintain, and re-trieve documents that require an original signature. Thedownside of stored digitized signatures is that their un-authorized use would constitute a forgery with exact-ness never before possible. Colleges and universitieselecting to use this technology need to consider the se-curity of the system and the storage medium employed,as well as the procedures for collecting the signatures.

Digitized photographsDigitized photographs are simply that — photo-

graphs that have been converted into digital form andplaced on a computer for storage and reproduction.There are many interesting uses that can be made ofdigitized photos. Photographic directories of classes ofstudents can be made for faculty members, helpingthem to more quickly learn student names and to con-firm the identity of individuals in their classes and thosetaking class examinations. Photographic departmentaldirectories can be created, helping departments formcommunities and helping faculty, staff, and students getto know each other. Digitized photos can be electroni-cally submitted with graduate school applications, em-ployment applications, and letters of introduction toexpedite the application process.

As illustrated in the incidents described below, how-ever, some students consider photographs to be personalpieces of information and may wish to have them treatedaccordingly. Institutional issues associated with digi-tized photos include determining when and why imagesof students are required, how images of students will bestored and secured (to prevent alteration, misrepresenta-tion, or misuse), and who may access them. Should an


administrator require individuals to place their imageinto “cyberspace” for access by unknown individuals?Should prospective employers have access to photos ofstudents or others? Institutional policy should addressthese and other issues related to digitized photographsof students.

Incidents occurred in 1996 in which students com-plained because their digitized photographs weretransmitted on departmental Web home pageswithout their informed consent. In one case, thedepartment required all students to have their pic-tures taken for transmission on the Web page withno opportunity to opt out. In the second case, stu-dents believed their pictures were being taken foruse within the university community only. In a thirdcase, graduate students who were unhappy aboutbeing ordered to have their photos taken for Webdisplay nonetheless complied because they knewthe dean favored this use of technology and theywere afraid to refuse. In all of these cases, the stu-dents who objected to the practice expressed dis-comfort because they felt more exposed and ac-cessible to strangers, and feared for safety due towhat they saw as unnecessary use of their personalimage. Other students at these universities, how-ever, have created personal home pages on whichthey have enthusiastically included their photos.The difference is a matter of personal choice andcontrol.

Desktop videoNetworked video at the desktop is technology that

holds tremendous potential for education. This technol-ogy combines video cameras for images and sound,computers for access and delivery of information, andnetworks for transporting the images, sounds, and tex-tual information. It can provide this combination tomany different locations on a campus, nationally, orinternationally with the speed and ease of the Internet.Combining sources of information from the computer,the Web, live video, audio recordings, and written infor-mation, creative presentations can be merged and sentover the campus network to residence halls throughout

the institution. Special service announcements, eventnotices, special interest programming, and classroompresentations can be simultaneously transmitted acrosscampus.

As with other technological advances, with positiveopportunities for collaboration and creation also comeopportunities for abuse of privacy. In addition to delib-erate abuse, such as one individual observing or broad-casting another individual’s behavior without his or herawareness, authorization, or consent, there is the possi-bility for unintentional privacy violations. As this tech-nology becomes more common, unless new mecha-nisms are developed to notify users when broadcast isoccurring, individuals may forget that the desktop videobroadcast capabilities are turned on and discover thatwhat they thought was a one-to-one exchange with acolleague in an office was really a broadcast discussionover the campus network.

Electronic Data InterchangeElectronic Data Interchange (EDI) is the computer-

to-computer exchange of electronic information in astandardized format. The standardized formats, or trans-action sets, are developed through the American Na-tional Standards Institute (ANSI). Using special soft-ware, information is retrieved from the computer, placedin the standardized format, and sent usually via a net-work or phone modem. The receiver takes the formattedinformation and filters it through special software andinto the appropriate file(s) in the computer.

For years the business community has been ex-changing such things as purchase orders, invoices, andinventory information. In 1992, ANSI approved a trans-action set (TS 131) for a Student Educational Record,developed by the SPEEDE (Standardization of Postsec-ondary Education Electronic Data Exchange) task forcecommissioned by the American Association of CollegiateRegistrars and Admissions Officers (AACRAO). Since thattime a number of other education-related transactionsets have been approved, including Application for Ad-mission, Verification of Enrollment, and Test Scores.Several hundred postsecondary institutions are cur-rently electronically exchanging student informationusing SPEEDE standards. Among the many advantagesare speed, elimination of data entry and data entry er-rors, and elimination of postage costs.

However, EDI presents a number of privacy and pro-


proper use. Ensuring that specific information is viewedand retrieved only by the appropriate parties becomesmore difficult with the amount and variety of informa-tion housed “under one roof” in the data warehouse.Ensuring that the meaning and attributes of the data areclearly understood by users is essential in order to elimi-nate the possibility of inaccurate or misleading analysisand decisions. Clear policies regarding what informationmay or may not be appropriate in the data warehousemust be established. Secure communications must be inplace before users have access to data in the warehouse.This is especially true in view of the fact that most accessto data warehouses is via the campus network.

Data warehouses present an exciting resource andtool for more informed decision-making and analysis,but they also present very significant challenges toproper use and access to information.

Technological Advances:Privacy Opportunities

A number of other rapidly developing technologies mayhold the keys for greatly improving personal privacy,while facilitating access to information in a networkedenvironment. Such “security” technologies are the essen-tial element that will enable the types of distributed in-formation interchange that colleges and universities seekwithout compromising users’ fundamental privacy.

There is no single security strategy that will applyuniversally to all institutions and all environments.Rather, each institution will need to develop sound secu-rity strategies that integrate emerging security tech-niques and technologies effectively in the context of itsown unique environment. Several security technologiesmay be effective, now or in the future, depending onthe institution’s specific network architecture andneeds.

FirewallsFirewalls are methods or devices that restrict access

between a trusted internal network and an untrusted, orpublic, network. While firewalls are perhaps not aswidely deployed in universities as in corporate environ-ments because the user base is quite different (for ex-ample, not all users are employees on LANs or worksta-tions that are assumed to be trusted), firewall technol-ogy can be used to good effect for certain areas or appli-

tection issues for institutions that exchange informationelectronically, especially when the exchange is transmit-ted via the Internet. While the business community hasheretofore utilized private networks or VANs (valueadded networks), availability and cost have made theInternet an obvious choice for EDI for postsecondaryinstitutions. Thus the issues facing institutions thatchoose to use the Internet for EDI are much the same asthe issues already discussed for this transmission me-dium — information security (whether the informationshould be encrypted and at what level), authentication(how to ensure that the information received is authen-tic rather than fraudulently created and transmitted),authorization (how to ensure receipt by the appropriateoffice), and integrity (whether the information has beenintercepted and altered by an unauthorized party).

Data warehousesData warehouses are fast becoming a standard infor-

mation resource at colleges and universities, providingtremendous access to information, both in terms of vol-ume and speed. Essentially a data warehouse is a data-base containing information extracted from one or moreproduction databases. For example, a data warehousemight contain information extracted from a studentrecords database, a human resources database, a finan-cial database, etc. Not only does this eliminate the needfor several separate requests for data, but it also providesfaster and easier access to information than is typicallythe case when requests are made to production databaseadministrators.

Data warehouses are often housed in a client/serverenvironment, making information access and utility fareasier than in the past. Academic and administrativeunits can quickly access their data for a variety of tasksranging from running labels for their enrolled studentsto performing high-level decision-making and analysis.People and departments requesting access to data ware-houses point out that often the information sought isowned and maintained by the requester to begin with.In fact, one of the frequently cited benefits of a datawarehouse is that it often results in “cleaner” data. Infor-mation owners can easily view and utilize their datawarehouse information, and they are quick to correcterrors in the production database.

However, this powerful information resource alsopresents significant challenges related to security and


cations. For example, firewall technology may be appliedfor administrative or medical networks, or at either themain Internet interface or the college or departmentallevel.

Encryption/digital signaturesEncryption is basically “scrambling” some or all

data in ways that are computationally secure, turningplain text into cipher text. Encryption is fundamental toprotecting the confidentiality and integrity of person-ally identifiable information when it is being transmit-ted through untrusted or public networks because of theease with which unencrypted data can be intercepted,rerouted, or modified while en route. Two commonmethods of encryption are public-key encryption andprivate or secret-key encryption.

In public-key encryption, there is an element of theencryption process that can be known by all — the useror service’s public key. There is also an element that isprivate and cannot be shared — the user or service’s se-cret key. If one, for example, wishes to send an en-crypted message to someone, s/he encrypts the messageusing the recipient’s public key, but the recipient canonly decrypt the message using the secret key knownonly to him or her. Public-key technology is frequentlyassociated with digital-signature technology since theuser can “sign” a piece of correspondence with his orher secret key and the validity of the signature (andhence integrity and source of the correspondence) canbe verified by the recipient with just the public key ofthe sender. An example of public-key encryption tech-nology is Pretty Good Privacy (PGP).

Private or secret-key technology relies upon a sharedsecret. If something is encrypted with a particular secretkey and transmitted, only a user or service that knows orholds the same secret key can decrypt the message.

Today, secure Web server technology and other ap-plications are making use of cryptography to verify“digital certificates” associated with various clients, serv-ers, or users. A digital certificate is a statement about theidentity of an object (for example, a person or service)signed by an independent and trusted third party. A cer-tificate generally contains three elements: subject nameand attribute information, which describes the objectbeing certified (perhaps the individual’s name,e-mail address, or work unit); public-key information,which provides the public key of the object being certi-

fied; and finally the Certifying Authority (CA) signature.The CA cryptographically signs the attribute and publickey information. Those receiving the certificate cancheck the signature and accept the attribute and publickey information if they trust the particular CA.S/MIME, a method for secure electronic mail that will beemployed in most standard browser software, relies ondigital certificate technology. There are a number ofcomplex issues surrounding establishment of a certifi-cate authority hierarchy with which institutions willneed to become familiar and address in their planningprocesses in the near future.

Employing authentication technology will help toprevent incidents like the following from occurring.

The 13-year-old daughter of a hospital records clerkin Florida used her mother’s computer on an of-fice visit to print out names and addresses of pa-tients treated at the emergency room, and then,according to police, went home and telephonedseven of them to tell them falsely that they wereinfected with the HIV virus. Upon her arrest, thegirl told police that this was just a prank. One per-son attempted suicide after the call, and all of thevictims were severely upset.

Middleware technologyKerberos is a protocol developed at MIT that facili-

tates trusted third-party authentication. In other words,users and services are authenticated to one anotherbased on essentially a mutual “introduction” by asource that both trust — the Kerberos server. The proto-col makes extensive use of encrypted tickets for services,and user passwords are never sent across the network,even in encrypted form — they are only entered at theindividual user’s workstation. Kerberos uses the secret-key encryption methodology which relies on a secretshared between principles (for example, users or servers)and the Kerberos server.

The Distributed Computing Environment (DCE) is acollection of middleware services that expands uponKerberos capabilities (which are limited primarily toauthentication). DCE Security Services include authenti-cation, authorization, and privacy (encryption) options.


Thus,using DCE it is possible not only to mutually au-thenticate users and services but to establish granularcontrol over what a user will be able to see or modify.

There are a number of shortcomings with bothKerberos and DCE, but they do address some of the morecomplex problems with network-related security inlarge-scale, heterogeneous environments.

Some institutions are forming partnerships to worktoward solutions using these technology environments,such as the members of the Committee on InstitutionalCooperation (CIC), the academic equivalent of the BigTen athletic conference. CIC universities are workingwith the Open Software Foundation to develop a Web-based authentication and authorization mechanism thatmaps any institutional security realm to a DCE securityenvironment which in turn provides for the encryptedtransmission of information across the Internet. The goalis to allow users to make use of a Web browser of choiceto move information across the Internet encrypted fromend to end. This Web client will be used first to allowfaculty, staff, and students at one institution to accesslicensed material stored on a server at another institu-tion. The second application will be for the creation of abuying consortium among CIC institutions, so that fac-ulty and staff can order materials from an electroniccatalog and arrange payment via corporate credit cards.One can imagine the future use of the secure Web clientfor the transmission of student information from oneinstitution to another across the Internet.

Token cards, smart cards, and one-timepasswords

Token cards, smart cards, and one-time passwordsare designed to help overcome the vulnerabilities associ-ated with reusable passwords. With a token or smartcard, authentication to a computer or network resourceis based not only on “something you know” (a user IDand password), but also “something you have,” the carditself. Tokens may operate in various ways, for exampleby calculating a response to a challenge issued by theserver, or by providing a unique time-based number thatthe user furnishes to the server. A smart card may con-tain various items of information that are unique to theuser that can be used in the authentication process. Theprimary necessity is that the authentication sequencecannot be completed unless the user is in physical pos-session of the card, and the exact information the card

holder supplies during authentication is not repeated insubsequent sessions. Therefore, “sniffing” (capturing)the information does not allow the intruder access to theservice at some later date. One-time passwords are basedon the same basic philosophy — that authenticationmust be unique each time. But they may not require ahardware device. An example of a one-time passwordimplementation is S/Key.

BiometricsBiometric technology, such as voice recognition,

fingerprint matching, or hand geometry can be used toauthenticate the user based not on something he knowsor something he has, but rather by a physical character-istic that cannot be changed. While biometric technol-ogy is still relatively expensive, as it becomes less costlyand more computing power is available to support it,biometric authentication may become practical for somecollege or university environments or applications.

These technologies illustrate that it is possible toresolve many current security-related privacy con-

cerns, but it will take creative, well-planned, integratedapplication of security technology to do so. Colleges anduniversities should begin planning for the future secu-rity architecture in order to enable both open and se-cure applications. It need not be an either/or decision.

Balancing Technology Benefits andThreats to Privacy

Prior to implementing new technologies, colleges anduniversities should carefully explore both their potentialmisuses as well as the opportunities they afford, balanc-ing the individual right of privacy against the benefits tothe institution in each application. Colleges and univer-sities do not make decisions about using such wide-spread technologies as e-mail and the World Wide Webin a vacuum; they function in a world where many otherplayers and external forces — government, private sector,and public demand — influence the ways in which theyapply technology. The external environment also shapeswhat is considered an “acceptable risk” and this will dif-fer from campus to campus. Some tradeoffs may need tobe made in creating institutional policy, tradeoffs thatonly a broad set of campus stakeholders working to-gether can best determine.


As institutions redefine how they process, store,display, and disseminate student information and stu-dent-generated information, they will also confront po-tential individual student desires for limiting release ofspecific information about themselves through elec-tronic networks. In responding to rapid technologicalchange, consideration must be given to the effects ofsuch change on the concept of consent. Twenty yearsago, students gave consent for private information to becollected and released by the institution with the under-standing that the information would be kept on cards ormicrofiche and only accessed manually by authorizedpersonnel. Today, the same information is often avail-able in relational databases, retrievable instantly overelectronic networks and on individual machines thatmight have their electronic locks tested by anyone in thenetworked environment. Thus the basis for consent maychange based on technological innovation alone.

Used to its full potential, technology can empowerboth ends of the spectrum — those students who desire

to control the electronic release of any informationabout themselves and those who see positive advantagein releasing most, if not all, personally identifiable infor-mation. The challenge for information technologists isnot just to provide access, but to do so within the pa-rameters of a well-defined institutional policy on pri-vacy and information access. Where a new technologyintroduces a privacy concern, the tradeoff between easeof use and ability to keep information confidentialshould be clarified and decided where possible with in-put from the people affected.

In summary, colleges and universities have a respon-sibility to purposefully reexamine and define their val-ues and institutional needs with respect to the imple-mentation of new technologies and their impact on pri-vacy; to employ fair information practice that reflectsthose values and needs; and to make decisions abouttechnology deployment within this framework. The nextsection explores fair information practice, especially inthe context of networked information environments.

IV. Principles of Fair Information Practiceand Policy

Policies on privacy and the handling of studentinformation in networked environments shouldrest on a firm foundation of principles of fair in-

formation practice. Such policies play a significant rolein promoting coherence across the institution by pro-viding clear rules and procedures for student informa-tion management.

While much of the legal foundation of such policiesis derived from FERPA, the ethical foundation is derivedfrom the values of the college or university. The processof creating policies often requires a reexamination ofthese values, to reaffirm or clarify them, and that exer-cise may uncover strong feelings in the academic com-munity. Thus all stakeholders need to be involved —student services and other administrators, faculty, stu-dents, staff, legal counsel, and technology professionals.(See pages 34-37 for examples of policy-building strate-gies and processes.)

This section outlines eight relevant principles of fairinformation practice that our task force believes providea framework for evaluating campus values and creatingpolicy with respect to privacy and access to informationin a networked environment:

✓ Notification✓ Minimization✓ Secondary Use✓ Nondisclosure and Consent✓ Need to Know✓ Data Accuracy, Inspection, and Review✓ Information Security, Integrity, and Accountability✓ Education

These principles, though variously titled in the litera-ture, have been recognized over years of legislative in-tent, action, and implementation as the foundation forsound information practice. Documents such as the IITFPrinciples for Providing and Using Personal Information and


European Directive on the Protection of Personal Data havebeen useful resources (see Appendix H for others).

To aid policy development in the academic commu-nity, this section provides a definition of each principle,notes relevant law and its implications for practice, andprovides examples of practices that illustrate lesser andgreater application of the principle. A variety of issuesare identified, especially those that arise in a networkedenvironment, that institutions need to address in estab-lishing policy or procedures.

The Principle of Notification

1. DefinitionThe notification principle provides that students be

informed of what information is being collected; who iscollecting the information and from whom it is beingcollected; why the information is being collected (i.e.,the intended use); what steps are being taken to protectthe confidentiality, integrity, and quality of the informa-tion; the consequences of withholding information or ofproviding false or incomplete information; and anyrights of redress, such as inspection or challenge. Theseelements of the notification principle provide the basisfor knowledgeable actions when individuals are asked togive consent for others to have access to their informa-tion. Without solid knowledge, consent can be hollowinstead of informed. This is what is meant by informedconsent.

Notifying students of the gathering, storing, andresponsible management of information is essentially anawareness activity. In their rush to complete admission,orientation, registration, and financial aid paper work,students may be unaware that data are being collectedabout them. As a result, they may not take time to con-sider or question staff about such issues as disclosure oruse of their data. If students are notified of where theinformation is being stored and under whose authorityit is being collected and managed, they will have theopportunity, at a later date, to check on the accuracy ofthe information and provide updated information whenappropriate to the collecting office.

Note that the notification principle applies to infor-mation collected both from and about the student. Themeans of notification will be different in these twocases, but the principle remains the same.

2. Relevant LawFERPA requires each institution to inform students

annually of their rights of privacy and access under thelaw and to give public notice of the categories it has des-ignated as “directory information,” that is, certain infor-mation about students (such as name and address) thatmay be made public without consent unless the studentobjects.

3. Policy IssuesWithin the electronic environments of colleges and

universities, notifying and informing students is a pro-cess that may become increasingly problematic. In suchenvironments, information is being stored and trans-ported between many different offices, on a continualbasis. Questions concerning notification frequency, in-tensity, and granularity and scope will need to be ad-dressed in building policy about handling student infor-mation in this environment.

FrequencyAn institution must notify students annually of

their privacy rights under FERPA. Many institutions pub-lish such notifications in registration materials. But thismay no longer be adequate in a world of dynamic tech-nology, where new databases, information paths, andsecurity systems are being created, modified, and recre-ated continuously. This same dynamic technology canbe used to automate and facilitate the notification pro-cess; for example, e-mail messages and the Web could beused to deliver such information.

IntensityHow active will the institution be in ensuring that

students have received and understood their notifica-tions? Is a fine-print footnote on a registration formadequate, or should each student receive a personalizedletter? Should students be required to positively ac-knowledge — by signature or other means — receipt ofthis information?

Granularity and ScopeWith the increasing demise of host-based comput-

ing, student records are often no longer housed in andcontrolled by a single central system. In a distributedcomputing environment, to what extent should studentsbe notified of each record’s distinct usage, security, and


other characteristics? How much detail is it reasonableto provide before the volume itself becomes an impedi-ment to true understanding?

4. Task Force Recommendations forNotification

◆ Institutions should notify students of their privacyrights with the same prominence and frequency af-forded other important areas of campus life, such asresidence-hall regulations, course descriptions, andmeal-plan options. A useful comparison may be madebetween notification of campus judicial system regula-tions, which focus on student responsibilities and pun-ishment, and notification of privacy policies about stu-dent records, which focus on student rights and abilities.

◆ The institutional approach to notification shouldalso take into account the technological sophisticationof the student body. This and other local considerationsshould be applied in order to provide useful and mean-ingful information to students. An effort should bemade to avoid overwhelming detail on the one hand andoverly vague generalities on the other.

◆ When formulating policies and procedures concern-ing student notification, campuses should consider theeffects of the distribution of databases to non-centrallycontrolled systems, as well as transaction and trackingdata maintained as a by-product of daily operations.

Policy should determine how students can be informedof the existence of such databases and systems.

The Principle of Minimization

1. DefinitionThe principle of minimization relates to what kind

and how much information is collected from students,with an emphasis on gathering the minimum amount ofrelevant personal student information needed to accom-plish a legitimate, identified institutional purpose. Asso-ciated with this principle is the responsibility to deleteinformation when it is no longer needed. The challengeis for an institution to identify those elements that aretruly the “minimum” needed, avoiding collection forcollection’s sake or for “potential future use.”

2. Relevant LawA number of laws proscribe collection of certain

information. The federal Privacy Act requires that agen-cies of state and local government not deny a benefit toan individual for failing to provide a Social Securitynumber unless prior to 1974 there was a law or regula-tion authorizing such a demand. A few state laws pro-hibit private and public institutions from asking appli-cants about arrest records or about certain sealed crimi-nal records; in other states an applicant may legally denythe existence of certain criminal records about himselfor herself. The federal Fair Credit Reporting Act prohib-its the use of credit reports for admissions or for internal

Examples of the Principle of Notification

✩ The institution provides annual notificationinformation in the student handbook. Thatnotification includes information about students’rights to privacy and about what information theinstitution has identified as directory information.

✩ Students are not informed that data are beingcollected as a function of system transactions.

★ Students are notified and informed each timepersonal information is collected and told thepurpose for which it is being collected.

★ Students are notified of the office under whoseauthority their information is being managed andmaintained, as well as any secondary offices towhich the information might be distributed.

★ Students are informed of the existence of anypersonally identifiable system transaction data.

Lesser Application Greater Application


investigations. Federal law and state laws prohibit inter-cepting telephone, modem, electronic mail, voice mail,digital, or fax communications without consent of atleast one party to the conversation, unless an institutionis monitoring for “the protection of [its] rights or prop-erty.” Some states require the consent of both parties.

3. Policy IssuesOne driving force for increased collection of infor-

mation in higher education is the requirement by stateand federal agencies for the reporting of increasingamounts of student data. Some of that data may be in-formation the institution would not otherwise need forits purposes: ethnicity, for example. In some southernstates, laws have recently been passed which require in-stitutions to collect and use more, rather than less, per-sonal student information.

From a purely management point of view, what in-formation collection philosophy is practical and effi-cient? The institution’s information management strat-egy will to some degree guide its data collection policy.Recent demands to cut costs in higher education mayinspire more streamlined information management,prompting institutions to ask, “Do we really need tocollect this information? Can we eliminate this ques-tionnaire? Do we need to retain this information as longas we have in the past?” In the new interactive, onlineenvironment, administrators can search for ways to re-duce or eliminate altogether some of their massive data-bases of personal information. Are there ways that theinformation can be retrieved later from other sources onan “as-needed” basis? Can a student be asked to providean electronic source for locating information about himor her, rather than provide the information itself?

Other policy issues related to minimization includethe automatic collection of data by systems, appropriatesources of information about students, collection ofsensitive data, collection of data for emergencies, andhow long data should be kept.

Transactional Data CollectionThe nature of information technology is such that

inexpensive, widespread collection of information isincreasingly possible. As more of the day-to-day opera-tions of the college and university are automated, anenormous amount of transactional information is auto-matically generated, quantitatively dwarfing the tradi-

tional structured databases of relatively static informa-tion. As students move around campus — physically andvirtually — and interact with departments and serviceproviders, they inevitably leave behind traces of theiractivities. A student who walks into a computer lab, logsonto the network, browses the bookstore’s Web server,orders a text, and enters a credit card number for pay-ment may have created a dozen distinct records in anequal number of databases and logs, each under the ad-ministrative control of a separate institutional unit.

Information may be gathered as a function of thecommercial product or public domain software used bythe institution, rather than as a deliberate institutionalchoice. Should information be collected and retainedmerely because the hardware or software permits it?

Appropriate SourcesShould the only source of information about stu-

dents be the students themselves? Proponents of thisview assert that if the student has not provided the infor-mation directly, its collection is inappropriate. However,in a campus context, as in many other social venues, thisis overly simplistic. Certain elements of information thatare not provided by student forms, questionnaires, oradmissions materials alone may be mission-essential —for example, grades provided by faculty. There is also agenuine institutional need for the collection of informa-tion generated by some real-time student actions — logsof debits against a meal card are needed to ensure cor-rect balances, and the number of printed pages gener-ated by a student in a public computer lab is needed forbilling purposes. Such logs are not strictly “provided” bythe student but are created as the result of student ac-tion. Campus debate will likely center around the issueof balance in data collection.

Sensitivity of the DataAnother issue in the debate regarding the minimum

data set that should be collected about students is thesensitivity of the data themselves. Some argue that themore sensitive the information, the less it should be col-lected. Others argue that institutional need, not sensitiv-ity, should dictate the information collected.

Advocates of the first viewpoint have suggested thatno information should be collected about the exercise ofFirst Amendment rights — freedom of assembly, religion,speech. There are times, however, when institutions may


need to record religious affiliation. For example, stu-dents may need to provide religious affiliation in orderto be assigned a chaplain. Also, student activity officesmay unavoidably gather information about political af-filiation from information about membership in campusclubs. External relation offices of colleges and universi-ties may inadvertently gather information about bothreligious and political affiliation as a result of newsclips, videos, or other media development activities.

Financial aid information has always been consid-ered sensitive information, yet its collection is obviouslyessential. Other areas are decidedly more gray, however.For example, as part of the admissions process, shouldthe institution collect arrest or conviction information?What kinds of data are appropriate to collect as part ofthe admissions process? The following practice illus-trates the potential for increased collection of sensitivedata by some institutions.

Under new admissions guidelines effective in 1998,one West Coast university admissions office plansto admit up to half an incoming class on “specialcircumstances” instead of considering race or sex.This will require applicants to submit informationabout difficult family situations, economic disad-vantages (such as data about one’s neighborhood,financial status, parents’ educational level and lay-offs), psychological difficulties, and so forth.

Collection of a student’s Social Security number isanother issue (see sidebar, page 19, for a more detaileddiscussion). As the example below illustrates, however, itis sometimes difficult for an institution to elect not tocollect the Social Security number of students.

One admissions officer would like to move heruniversity’s student data systems away from usingthe Social Security number as the key to the data-base, supporting the notion of using a unique stu-dent ID number instead. However, the state inwhich the university is located requires the collec-tion and reporting of information using the SocialSecurity number as the common identifier — a ma-jor obstacle toward the university’s changing thispractice. Such conflicts are not uncommon.

Emergency DataShould the institution collect information it would

only need if an emergency arose, risking that the sameinformation later may be used inappropriately? Two ex-amples will help clarify this issue. Should a campus witha low crime rate collect and store information about allentry to locked buildings if the need for this informa-tion might only arise if a robbery or other crime occurs?Should the computer center collect and store enoughinformation to be able to retrace the steps of any and allpossible computer crimes?

✩ The institution places few restrictions on the typeor amount of data collected, and uses multiplesources to collect information about students.

✩ Data are monitored, tracked, and maintainedbased on defaults built into network softwarerather than conscious decisions about datacollection.

✩ The institution collects a range of contingencydata because of concerns about institutionalliability, and also for potential use.

Examples of the Principle of Minimization

★ The institution collects only the information thatis necessary to conduct specified institutionalbusiness. The more sensitive the data, the moreclosely the institution adheres to this practice.

★ To the greatest extent possible the source ofinformation about students is studentsthemselves.

★ The institution has adopted the practice of havingan associated disposal schedule for every elementof personal information that is collected.



In many ways, the safest philosophical approachregarding the principle of minimization is “no data, nodilemmas.” However, from a practical perspective, somelevel of contingency or emergency information is anessential part of an institution’s operation. The issue,again, is one of balancing privacy with the institution’sneed to protect itself against potential liability.

Archiving IssuesHow long should data be kept and under what con-

ditions? When are the purposes for which the informa-tion was collected deemed to no longer exist? Legal re-

strictions preventing disposal need to be factored intothese decisions. In a networked environment, issues in-clude the existence of system backups and archives andcoordination of data disposal from all such file space,including e-mail messages.

4. Task Force Recommendations forMinimization

◆ Colleges and universities should gather all legallyrequired student information and the minimal amountof additional information to accomplish a legitimate

Online monitoring and logging — watching and/or re-cording activity on a computer or network — is neces-sary to manage the flow of traffic over certain systemsand to trace incidents of misuse of those systems. How-ever, this practice can itself be misused in ways that re-sult in a violation of the privacy of individuals.

On some machines there are public routines that,when monitored and analyzed over time, can provide alot of information about the computing habits and prac-tices of a targeted individual. One may be able to tellthe hours during which the person uses particular ma-chines, the amount of time spent doing electronic mail,or even the site at which the person is working. Withenough time and persistence, such information may becombined with other publicly available information. Ifsuch data begin to be used to draw conclusions aboutthe nature of an individual’s use, the people with whoms/he communicates, the amount of time an individualaccesses certain content, or the nature of their affilia-tions on the network, the privacy of that individual maybe seriously violated.

It is also possible to write a basic program specifi-cally to scan for particular user IDs or unique names,gathering information each and every time that usersigns on to a service on the network. In some cases suchsign-on information might be routinely gathered by sys-tem administrators, for the purpose of managing thesystem, without violating the privacy boundaries of in-dividual users.

ONLINE MONITORING AND TRACKING

Commercial service providers have already begunto capture increasing amounts of information gatheredfrom online monitoring and logging mechanisms, us-ing such information to develop interest profiles of theindividuals accessing different sites on the World WideWeb. They then distribute such information to otherswho may profit from contacting individuals with par-ticular interests. Such treatment of personal informationas a commodity to be traded and sold may be a viola-tion of the privacy of individuals, especially if individu-als are not aware of the collection of such data, which isoften the case.

Higher education institutions will likely begin to in-crease the amount and kinds of logging and monitor-ing procedures they use within the next few years asthey tighten security on their systems and try to man-age and perhaps charge fees for the ever increasing useof key services. They will need to determine what onlineinformation is necessary to effectively do the job of man-aging the resources, and to consider when informationcollection goes beyond management needs and be-comes an intrusion into individual privacy. They shouldconsider standards and policies to guide the collection,storage, release, and use of any such logging or moni-toring of information that can be tied directly to an indi-vidual. And they will also need to clarify their valuesregarding the sale and/or release of such informationfor secondary uses.


NUMERICAL IDENTIFIERS

Colleges and universities should be extremely cautiousabout collecting, using, and disclosing Social Securitynumbers (SSNs) of students. There are many reasonsfor this:

1. Stolen or misappropriated Social Security num-bers lead to thousands of cases of “theft-of- identity” or“credit theft” each month, in addition to misuse by im-migrants without documentation. If lists of persons’ So-cial Security numbers are available, even within cam-pus offices, employees can deliberately misuse them orinadvertently disclose them or make them accessible.

2. With someone else’s SSN, a stranger can im-personate that person over the telephone, in person, oronline and retrieve personal information about the in-dividual. The Internal Revenue Service, for instance, willdisclose detailed tax information to anyone who pro-vides a Social Security number of an individual taxpayer.Many banks will also.

3. The number is not totally anonymous — strang-ers can tell in what state it was issued and approximatelywhat year. If grades were to be posted by Social Secu-rity number, for instance (a practice not allowed underFERPA unless permission has been given by students),a class member may be able to identify out-of-state stu-dents or older, nontraditional students, or when ar-ranged alphabetically by name, the actual person.

4. The incidents of inaccurate SSNs are so numer-ous that any record linkage based on the SSNs will beflawed.

5. Many individuals have a sincerely held religiousor philosophical objection to being enumerated.

6. Long after a student has graduated, the SocialSecurity number may show up on alumni mailing la-bels, thus publicly displaying the numbers and expos-ing alumni to the threat of fraudulent use.

All of these dangers arise when a college or univer-sity uses the SSN as the student ID number. Even thoughinstitutions may need to record Social Security numberswhen students happen also to be employed by the in-stitution or receive certain financial aid, the numbershould be collected at the time of these transactionswith student consent. These uses should not be rea-sons for requiring SSNs of all students.

With today’s database technology, the SSN andother personal identifiers are less necessary than in thepast. A search for information on Winston Smith, forinstance, when all you have is first name, last name,

and home address, telephone number, or date of birth,is a reasonable search today. In the past such a searchwould have required more computing resources thanwere available at reasonable cost.

When Social Security numbers must be kept on stu-dents in a college or university system, the numberscan be encrypted so that they may be used for linkageof data files, as necessary, without revealing the actualdigits of the SSNs. The resulting “record linkage num-ber” will not permit a stranger to derive the SSN even ifthe linkage number becomes publicly known.2

Still another alternative, if a campus office musthave a numerical identifier to make an accurate matchof a record or to detect duplicates, is to ask a studentfor only the last four digits of his or her SSN. This main-tains the anonymity and the confidentiality of the com-plete number, but will be adequate for establishingmatches.

An institution can avoid most of the dangers ofkeeping Social Security numbers by establishing its ownunique student identifying number. This will requireextra effort by some systems administrators. One argu-ment against this has been that most people don’t re-member a unique identifier, but many studies showthat a sizable percentage of people provide incorrectSocial Security numbers when asked — either in erroror in order to maintain their privacy. Records have ahigher accuracy rate when applicants are asked to con-sult a document, or use an electronic device when pro-viding an ID number, rather than to rely on memory.

In any event, the Social Security number is not areliable means for establishing personal identity becauseit has been so readily available and has been subject towidespread use by impostors. Administrators shouldrely, instead, on what has always been the best meansof establishing personal identity — personal recogni-tion. Where this is not practical or possible, there areadequate surrogate methods, like signature compari-son, passwords, personal identifying numbers (PINs)known only to the individual, encryption for authenti-cation, identity documents with photographs, finger-print comparison (where there is no stigma or compul-sion), and forms of biometrics.

2 See Eleanor Marx, “Encrypting Personal Identifiers,” HSR:HEALTH SERVICES RESEARCH 29:2 (June 1994).


institutional purpose, avoiding gathering nonessentialinformation simply because of the ease of collection orcorrelation in networked environments. Policy and prac-tice should address means to ensure that collection ofpersonally identifiable information has been appropri-ately authorized. .◆ Campuses should formulate a process for determin-ing necessary log elements and log retention require-ments, particularly for logs where the inclusion of per-sonally identifiable information is unavoidable.

◆ For those log elements over which the institutionexercises control (rather than those that are a default ofthe operating system or vendor-supplied software), de-signers should consider the principle of minimizationand identify those elements that would really be neces-sary in the event of foreseeable contingencies. Thoseelements rather than the superset of all possible ele-ments should be collected.

The Principle of Secondary Use

1. DefinitionThe premise of this principle is that when personal

information is gathered from a student, it should beused only for the purpose for which it was collected(even within the same institution or office), or for a usecompatible with that purpose, unless the individual hasgiven additional consent. Thus the principle of second-ary use goes hand in hand with the principles of notifi-cation, minimization, and nondisclosure and consent.Application of this principle means that an institutionmust articulate, when gathering personal data, preciselythe purpose for which it is being gathered. In this pro-cess, an institution may discover that it has no clear pur-pose for requiring certain personal information.

2. Relevant LawFERPA requires that any third party receiving per-

sonal information about a student may not permit an-other party to have access to it without written consentof the student. In addition, if a student waives his or herright of access to letters of recommendation, the recom-mendations may be used “solely for the purpose forwhich they were specifically intended.” The intent ofFERPA has consistently been that information collected

for one purpose not be reused without explicit consentof the individual to whom the information refers or un-less the reuse is a routine use, defined as a use which iscompatible with the purpose for which the informationwas collected.

2. Policy IssuesThe principle of secondary use is one of the most

critical to be examined and understood as colleges anduniversities network information technologies withintheir campus communities. Once information is gath-ered and stored in a medium that facilitates its fast ac-cess, sorting, transport, and reuse, this information be-comes much more accessible to the exercise of new op-tions and opportunities. Data mining and sorting infor-mation in new ways to answer new questions or to formnew hypotheses is not only possible, but may seem es-sential as institutions seek to better serve students ormore aggressively market to new students. Matching onedatabase with another enables looking at information innew ways, perhaps gleaning new information from thesecombinations. Care needs to be taken that any such ma-nipulation of data does not disclose or make accessibleindividual, personally identifiable data.

The integrity of institutional communications andrelationships with students is established at the firstpoint of contact, that is, during the admissions process.When an institution asks a student for personal infor-mation as part of this process, it does so within an un-equal power relationship — the implication is that thestudent must provide the information to be admitted tothe institution, and that the information is for admis-sions purposes. Individuals release information duringthe admissions process that is of varying degrees of sen-sitivity to them. The institution cannot know the degreeto which that information needs to be maintained asprivate or handled confidentially.

For the sake of speed or efficiency, institutionsmight engage in secondary use of student data withoutpermission. But would the individual give permission ifs/he knew how the data were being used? Uses that gobeyond a reasonable notion of compatibility with theoriginal purpose might include the sale of student mail-ing lists by an institution to generate a revenue stream— a practice that might tempt some campuses in timesof fiscal constraint. Institutions must make decisionsabout how to handle such things as commercial requests


✩ The institution does not specify potential secondaryuses of data at the time information is beingcollected, that is, agreements with students are“implicit.”

✩ The institution broadly interprets “routine” and“related” uses of information and thus frequentlyuses individual data for secondary purposes.

★ Use of student data is restricted to the purpose forwhich it was originally collected; that purpose isknown and explicitly articulated at the time ofcollection.

★ Potential related uses of information are definedat the time of collection or require additionalconsent.

Examples of the Principle of Secondary Use


for student information for marketing purposes. The law allows for, and most reasonable individuals

would agree to, routine secondary uses that are compat-ible with the purposes for which the information wascollected. But if the institution is planning to use per-sonally identifiable student data for non-routine pur-poses, the secondary use principle requires that the stu-dent be so informed and that consent be obtained.

4. Task Force Recommendations forSecondary Use

◆ The institution should be explicit about the purposefor which information is gathered at the time of its col-lection, and identify the routine and compatible uses ofthe data it expects to employ in the course of officialbusiness.

◆ Secondary uses, not included in those stated as rou-tine and compatible, should be avoided, but where suchsecondary uses are deemed significantly important tothe institution, policy should consider how additionalpermissions will be obtained from affected students.

The Principle of Nondisclosureand Consent

1. DefinitionNondisclosure means the keeping of personally iden-

tifiable information about students from third parties,that is, parties external to the college or university. The

release of such information within the institution is ad-dressed in the discussions of the principles of need toknow and secondary use.

2. Relevant LawFERPA forbids institutions to disclose student infor-

mation without written consent, except for certain spe-cific parties for certain specific purposes and except fordirectory information, which may be disclosed unlessthe student objects. At least eight states restrict disclo-sure of medical information without consent. Somestates restrict disclosure of information about patrons oftax-supported libraries; a few of these laws cover privatelibraries.

3. Policy IssuesPolicy issues related to this principle revolve around

consent strategies and data sensitivity, the nondisclosureof information created by use of information resources(such as library circulation records), and flexibility ofcampus information systems.

Consent Strategies and Data SensitivityThe consent strategies an institution selects will de-

pend on the sensitivity of the data as defined by theinstitution’s policies. Such policies should address therelative degrees of sensitivity associated with studentinformation. For example, items that might be consid-ered very sensitive include medical records, financialinformation, sexual orientation, grades, and most as-pects of family history. Examples of items that might be


considered personal but less sensitive include permanentaddress and family size. Information that is less sensitiveand whose public release would be relatively harmlessmight include such items as name, address, major, datesof attendance, and so forth. Data in the first two catego-ries are usually defined by institutions as non-directoryinformation, while data in the latter are usually consid-ered directory information.3

Methods for obtaining consent for disclosure of stu-dent information include “opt-out” and “opt-in” ap-proaches. With the “opt-out” method, commonly usedfor directory information, information is routinely re-leased unless the student initiates an action to have theinstitution withhold the information. With the “opt-in”method, used for non-directory information, the institu-tion withholds information unless the student has pro-vided written consent for its release. Such consent mightbe required for each instance of disclosure or might beobtained on a “blanket” basis. In the former case, stu-dents might be required to knowingly consent in writ-ing to each instance in which non-directory informationis released. With the blanket consent method, studentsmight be asked annually whether they agree to the re-lease of non-directory information to third parties, andif they consent to such disclosure no further consentwould be required for the institution to release suchinformation. However, if blanket consent is used, FERPArequires that it must specify the party or class of partiesto whom disclosure may be made (for example, potentialemployers) and state the purpose of the disclosure.

In an electronic networked environment, have thescope and concept of the principle of disclosure and con-sent changed? For example, though a student may nothave objected to the public release of his or her direc-tory information when it was to appear in a campusprint directory, might the student feel differently if theinstitution’s practice is to incorporate such information

into a directory accessible on the Internet? What otherkinds of information being captured about a studentmight s/he wish to exercise some control over? For ex-ample, the technology now makes it possible to createlists of those who belong to particular electronic discus-sion groups and to use that information for new pur-poses. While belonging to an electronic discussiongroup may be information a student doesn’t mind an-other on campus knowing, s/he might object to suchinformation being available beyond the campus.Institutions will need to develop policy with respect towhether they will publish directory information only inprint or, if they plan to publish it electronically, whetherit will be available only on a campus intranet or morewidely distributed on the Internet, and whether consentstrategies should be adjusted accordingly.

Flexible Policy, Procedures, and SystemsGiven that there are likely broad individual differ-

ences in what types of personal information studentsfeel are sensitive in a networked environment, how flex-ible do institutional policies, procedures, and systemsneed to be in enabling students to change categories inwhich the institution has placed a particular kind ofinformation? For example, if disclosure of campus streetor e-mail address on the Internet is unacceptable to anindividual, should a means exist for him or her to placethose elements in a more restricted disclosure category?

To what extent should campus systems be able toaccommodate individual privacy desires? Aninstitution’s application of technology or systems de-sign can hinder an individual’s desire to exercise morecontrol over release of information, but technology mayalso offer solutions that could facilitate a student’s abil-ity to choose. Advances in technology may make it pos-sible for students not to have to make all-or-none deci-sions about the handling of their personal data. Aninstitution’s policy concerning how flexible it wants tobe with respect to student choice will influence systemsgoals and design considerations and assignment of re-sources to accomplish those goals. Systems designed toprovide flexibility and choice might be viewed as highlydesirable and service oriented by prospective students,possibly justifying the additional costs of developingsuch systems. A cost/benefit analysis can help informinstitutional strategy in addressing these issues.

3 Every institution must define by policy what it considersdirectory information and inform students of this policy. Directoryinformation may include such student information as the student’sname, address, telephone number, e-mail address, date and placeof birth, major fields of study, participation in officially recognizedactivities and sports (including weight and height of athletic teammembers), photograph, dates of attendance, degrees and awardsreceived, most recent educational institution attended, and othersimilar information that would not generally be considered aninvasion of privacy or harmful to the student if disclosed.


Disclosure of Information Created by Use ofInformation Resources

There are many similarities between library recordsand the student records generated by the activities ofstudent services offices (registration, admission, finan-cial aid). By the same token, is information about whichWeb sites a student accesses and what information thestudent downloads from those sites similar to informa-tion about what library books a student checks out?

The American Library Association advises that alllibraries formally adopt a policy that specifically recog-nizes the confidentiality of its circulation records andother records identifying the names of library users. Thedefinition of circulation record varies from strict inter-pretation of items checked out through an institution’slibrary circulation system to any information about theuse of any library information resources in any format.

Of more complexity is the relationship of currentlaws and practices to the use of electronic resources atworkstations made available at the institution. Is it aninvasion of a student’s privacy, for example, for a refer-ence librarian to glance at the screen of a workstation ass/he walks by and/or to stop to suggest more effectivesearch techniques? Should the records of what a studenthas accessed on the World Wide Web enjoy the sameprivacy protection as library circulation records?

Examples of the Principle of Nondisclosure and Consent

✩ The institution uses an “opt-out” strategy fordirectory information and blanket consentstrategy for more sensitive information inreleasing such information to third parties.

✩ For such data as library circulation records, theinstitution complies with state laws regardingprivacy, but may not extend privacy to networkresources accessed.

✩ Default positions built into campus technologyapplications do not facilitate individual choice incontrolling personal information.

★ Whenever possible, the institution requires asigned consent form for individual instances ofrelease of student information to third parties,and discourages such disclosures.

★ The institution develops a robust set of policies toprotect confidentiality of library records and theuse of electronic information resources, includinguse of information on publicly accessibleworkstations.

★ Campus systems are designed when possible toaccommodate individual requests for withholdingselective information from different communities.


4. Task Force Recommendations forNondisclosure and Consent

◆ During policy development, institutions shouldconsider defining categories of information as to theirsensitivity, determining under which strata elements ofinformation fall, and establishing congruent consent/disclosure mechanisms for each type of information.

◆ In developing policy with regard to data categoriza-tion, institutions should consider the means for stu-dents to change the categorization of an element and tospecify that it be treated as more sensitive than genericpolicy would normally dictate. The use of technology tofacilitate individual choice in this area should be consid-ered.

◆ Consent should be specific with regard to the man-ner and type of disclosure, as well as the identity of therecipients and their intended use of the information. Themeans by which students may revoke consent should beaddressed during the policy development process.

◆ The institution should ensure that students fullyunderstand what their rights are with regard to request-ing that information not be disclosed.


4 The Department of Education has created a model notifica-tion of rights under FERPA for postsecondary institutions (in FERPAFinal Rule, Federal Register, November 21, 1996) that includes thefollowing statement: “A school official has a legitimate educa-tional interest if the official needs to review an education recordin order to fulfill his or her professional responsibility.” For moredetail, see definitions for “Legitimate Educational Interest” and“School Official” in Appendix B, pages 40-41.

The Principle of Need to Know

1. DefinitionThis principle is based on the premise that an indi-

vidual within the institution seeking access to person-ally identifiable student information is granted such ac-cess if and only if s/he has a need to know the informa-tion as part of an official and legitimate educational in-terest and in conformity with disclosure agreements.Under this principle, access to student information isbased on normal job duties and the purpose and scopeof the proposed use of the information.

2. Relevant LawFERPA permits disclosure of student records within

an institution to officials who have been determined bythe institution “to have a legitimate educational inter-est.”4 State laws may add more obligations for confiden-tiality. Some state freedom-of-information laws requirestate agencies, including state universities, to release cer-tain documents, but this release is subject to the confi-dentiality provisions of federal law.

3. Policy IssuesColleges and universities must establish their own

criteria, according to their own procedures and require-ments, for determining when campus officials have alegitimate educational interest in a student’s educationrecords. To this end, institutions usually establish apolicy that specifies who should be given access to stu-dent records and for what purpose. Such a policy gener-ally recognizes two types of access: (1) access that is anormal expectation for the routine performance of agiven job, and (2) access that is required for special cir-cumstances.

Most such policies also address the data “steward-ship” function for student information. The responsibili-ties of the data steward generally include ensuring thataccess to the information is controlled by and consistent

with both the needs of the institution and the privacyneeds of individual students.

With respect to job-related access, an institution’spolicy generally reflects its unique culture and environ-ment. It is usually clear who needs access to studentrecords to perform their jobs — faculty members, stu-dent services personnel, financial aid personnel, bursar’soffice personnel, and so forth. In the case of access re-quested for special circumstances, evaluating the pur-pose and scope of the proposed use of information canhelp the data steward solidify whether there is sufficientneed to allow access to particular student records.

In a networked environment, institutions increas-ingly encounter situations that are less well defined andwhere effective “control” may be difficult to enforce.For example, the counseling office may think it appro-priate to access computer or network access logs for stu-dents who have been identified as being at risk of fail-ing, based on their grades. In this case, who is respon-sible for determining whether access can be granted tolog information that is not part of the structured data inthe office of the data steward? On what basis is such adetermination made? What happens if the system man-ager and/or data steward disagree with the counselingoffice’s need to access this information? Access to infor-mation in structured databases may also become more ofan issue. As technology makes access to such databasesmore readily available, battles on campus over who haslegitimate educational interest will proliferate.

Institutions need to consider the age of their dataaccess policies and the potential need to reevaluate themin light of a ubiquitous networked information environ-ment. One way to approach this challenge is to create aprocess that brings together a wide range of campus con-stituents to systematically reexamine these policieswithin the framework of institutional discussion of val-ues of privacy and access. Undertaking such a process isdiscussed in greater detail later (see pages 34-37).

How the institution defines the boundaries of legiti-mate educational interest will depend on many factors,but it will be increasingly important to articulate suchpolicy very carefully. As institutions continue to movetoward the goal of having more information available forplanning and decision-making, how can personally iden-tifiable student information be protected against accessthat does not meet the institution’s need-to-know defi-nition?


There are often misconceptions about privacy and itsprotection. Administrators should realize that privacytraditionally extends not to all information about anindividual; rather the context determines what is con-sidered private under the law. Privacy protection gen-erally does not extend to persons who have died.

Privacy is a shield, not a sword. It ought not be ameans for covering up wrongdoing or perpetuating afraud. Often, among employers, there is a “conspiracyof silence,” in which a representative of the institutionis either untruthful, misleading, or noncommittal whenasked about the work performance of a recently de-parted employee, including a student employed by theinstitution. This simply passes on an undesirable em-ployee to another unknowing employer.

Such silence, which is sometimes blamed on “pri-vacy,” may actually stem from a fear of a later lawsuitbased on defamation. But employers should realize thatthey would not lose such a lawsuit if they can defendthe truth of what they have said or if it is clearly anopinion. An observation that “I would not hire the per-son again” or that “We would not recommend the per-son,” whether written or verbal, raises little if any riskof later retaliation.

There have been cases in higher education ofpresent or former students using the protection of theFamily EducationalRights and Privacy Act to perpetratea fraud. For instance, by asking a college or university

MISAPPLICATIONS OF PRIVACY

not to release “directory information” about him, a stu-dent may lie to a prospective employer and say that hehas a degree from the institution when he does not.The student expects that the federal law will render theinstitution powerless to set the record straight.

When asked whether the employment applicantreceived a degree, the campus official has some op-tions, under the law:(1) Answer by saying, “We have no information that

we are permitted to disclose per student re-quest.”

(2) Suggest that the inquirer get the consent of theemployment applicant to release his/her infor-mation.

So long as the official is not disclosing information fromstudent records, s/he is on the safe side of the law.

Similarly, FERPA may make it difficult or impossiblefor different institutions to exchange information oncethey have been alerted to the possibilities of fraud per-petrated by a student or former student (for instance,a student who was admitted to a graduate school onthe East Coast based on a fraudulent undergraduaterecord discovered at a West Coast institution). Manypeople believe that the only solution is an amendmentto the federal law, permitting certain disclosures in or-der to correct erroneous assertions or to prevent thecontinuation of a fraud or deceit.

One public university registrar notes, “As institu-tions move toward networked information systems, therole of the student data steward becomes very complexand time-consuming. Perhaps the time is at hand to rec-ognize the full-time profession of a student records datasteward responsible for working with technicians in thedevelopment of systems which comply with policy, le-gal, and ethical standards; handling authorizations forsystem access, requests for student information, legalsummons and subpoenas, and requests to withhold orrelease information for individual students; investigatingcomplaints about inappropriate access or release of in-formation or breaches of the security of the system itself;

disposing of cases of outright fraud; and providing train-ing in the legal and ethical handling of student data. Toexpect that all of these bases will be appropriately andconsistently covered by individuals with other studentservice or technical responsibilities may be wishfulthinking.” Again, such choices about information prac-tices will necessarily include a cost/benefit analysis.

Technology and ControlImplementations of technology — for example, a

network-based information system — must incorporatethe meaningful involvement of the relevant data stew-ards to guarantee their ability to control information


the student to which the faculty member is not entitledaccess, this could violate the student’s privacy.

In discharge of its stewardship responsibilities, andin design of its information systems, an institutionneeds to ensure that individuals be given access only torecords they need, not to all information concerning astudent or to the same information about all students, asin the incident below. This extends to routine, job-re-lated access, as well as to special requests or circum-stances necessitating access to student information.

A financial aid officer in a large midwestern uni-versity was pleased with the plan to reformat fi-nancial aid information and make it available toauthorized individuals in the student’s department.She believed this would make it easier for depart-ment personnel to discuss financial aid informa-tion with students directly and more conveniently.However, she found that the new application al-lowed all authorized personnel in all departmentsto access the financial aid information of all stu-dents. Insufficient input from this student servicesofficer into the application development processresulted in greatly expanded potential access bymany different individuals to student data and in-creased potential for privacy violations.

dissemination in accordance with the institution’s de-fined need-to-know criteria. For example, personallyidentifiable student information may be accessible tosomeone classified as a “school official” without thestudent’s prior consent. However, the definition of aschool official may be vague, ambiguous, or not univer-sally understood. It may permit inclusion of individualssuch as affiliated legal counsel and contracted consult-ants. For these individuals, technology permits necessaryand easy access to information while reducing institu-tional control of the dissemination of the information.While persons granted official access to protected infor-mation have an obligation equal to the data steward’s tomaintain privacy and confidentiality, they may not un-derstand their responsibilities fully nor the implicationsof emerging technologies.

In addition to finding that technology may contrib-ute to the complexity of exercising their stewardshipresponsibilities, data stewards may also find that somecommercial information systems have limited mecha-nisms for providing access restrictions. Some institu-tions integrate student information in other informationdatabases or displays. This commingling or merging ofinformation presents challenges with regard to the prin-ciple of need to know in that certain personal informa-tion will require a higher level of access privilege. Forexample, a faculty advisor may have a legitimate need toaccess a student’s grade information, but if the student’sinformation is displayed with other information about

✩ The institution allows access to student informationbased on the legal constraints of FERPA.

✩ Student information is available throughtechnology applications that have been minimallyanalyzed for compliance with the institution’sprivacy policies and procedures.

★ The institution has developed and published adata access policy that addresses legitimateeducational interest and access responsibilities ina networked environment.

★ While appropriate staff members in each officehave access to student information, theinformation is not readily transferred acrossdifferent offices.

★ A custodial panel reviews and decides questionsabout legitimate educational purpose.

Examples of the Principle of Need to Know



5 FERPA defines education records as those records, files, docu-ments, and other materials which (1) contain information directlyrelated to a student, and (2) are maintained by an educationalagency or institution or a person acting for such agency or insti-tution. (See the expanded definition of “Education Records” inAppendix B, page 40, for a list of records which are not consid-ered education records under FERPA.)

The incident also illustrates the importance of involvingdata stewards in the design and implementation of stu-dent applications to protect privacy.

4. Task Force Recommendations for Needto Know

◆ A clearly defined institutional policy should beadopted regarding access to student information, takinginto consideration such criteria as job duties, purposeand scope of proposed use, and compliance with privacyregulations.

◆ Implementations of new technology applicationsshould consider whether the system design supportsinstitutional privacy policies and procedures, especiallythe design of display and report formats to limit theamount of information displayed on a screen.

◆ Technology implementations should include theactive involvement of not only information technolo-gists but also data stewards to ensure system design thatsupports need-to-know policy decisions.

The Principle of Data Accuracy,Inspection, and Review

1. DefinitionThe premise of the principle of data accuracy, in-

spection, and review is that information about studentscollected and maintained by a college or university mustbe accurate, and that students have the right to examineinformation about themselves and to request changesthey feel should be made to their education records.5

Without a sound approach to inspection and review, theinstitution will be hampered in meeting its requirementto correct information that is incorrect because inputfrom students about the accuracy of their data will belacking. A person cannot knowingly and meaningfully

consent to the release of information in a record if s/hedoesn’t know what information is in the record.

2. Relevant LawFERPA requires each institution (1) to permit a stu-

dent “the right to inspect and review” education records;(2) to have an opportunity to challenge the accuracy oftheir records; and (3) as necessary, to include with therecord a statement of dispute. Certain information is notsubject to review. For example, substantive decisionssuch as grades or evaluations in lieu of grades are gener-ally not subject to FERPA’s amendment process. Laws inabout twenty states permit a person to inspect his or hermedical records. Further, institutions have an obligationto inform students each year of their rights under FERPA,which includes the right to inspect and review educationrecords.

3. Policy IssuesThe institution’s responsibility with respect to this

fair information principle is to define an effective re-quest process and to make known to students the typesof data that are being collected and maintained and thevarious offices responsible for the records to facilitatetheir request for review of their data. Within the contextof FERPA, when a student asks to see his or her records,the institution must make the information available,unless there is a compelling and legally justifiable rea-son for non-release, and explain the information to thestudent during the inspection/review process. Methodsfor properly authenticating the identity of the studentmaking the request should be in place prior to informa-tion release.

Two issues associated with this principle in a net-worked environment relate to responsibility for ensuringaccuracy of student data in distributed databases, andthe extent to which the right of inspection and reviewapplies to data captured through transactions and auto-matic logging, including the feasibility and cost implica-tions of such review.

Data Accuracy in a Distributed EnvironmentTechnology has enabled student information to be

replicated in a number of different databases, under thecontrol of a number of different organizations withinthe institution. Since students have a vested interest inthe accuracy of their own information, as well as the


right to inspect and review information stored aboutthem, there is a certain logic in vesting primary respon-sibility for error detection with the student. However,the issue is more complex in a distributed environment.For while a student may be able to communicate to thesteward of his or her information that a data element(for example, local address) is incorrect, it is unreason-able to expect the student to be cognizant of every of-fice that may have replicated that information and tocontact each one. The issue of how to synchronize ormaintain currency of disparate databases is an institu-tional responsibility that must be addressed. Networktechnologies and network-based student systems canactually facilitate a student’s access to his or her owndata, and thus make it much easier for a student to in-spect and review that data to be sure of its accuracy.

Review of Transactional DataThere are items of information now being collected

about students that are not a part of the structured data-bases under the jurisdiction of student services and aca-demic discipline officers — primarily data captured as afunction of electronic transactions generated by studentactivity such as accessing a dining room or signing on

to computer systems. To what extent is it possible tomake such data available for student inspection and re-view? May a student request a modification to an eventlog, and how should such a request be handled? Theremay be costs associated with complying with studentrequests to inspect and review such records that the in-stitution will need to address. Policies and procedureswill be needed concerning these types of records, todefine the records that can be made available and therelated request and change process.

4. Task Force Recommendations for DataAccuracy, Inspection, and Review

◆ Students are responsible for providing accurate in-formation about themselves for entry into college oruniversity databases. However, institutions need to con-sider how distributed databases can be synchronizedwith the master data source so that students do not bearthe responsibility for accuracy of their data in multipledatabases. Institutions should also consider how suchdatabases will be administered to increase consistencyand employ good data management practices.

✩ The institution responds once data inaccuracy isreported but places responsibility on the studentfor the accuracy of his or her data. Information isprovided once by the source (student) and uponentry it is assumed to be valid unless the studentspecifies otherwise.

✩ There is no policy or set of guidelines in place toaddress data administration issues to ensuregood data management practices.

✩ The institution does not systematically informstudents of their right to inspect transational datafor accuracy or have a process by which they cando this.

✩ The institution does not address the problem ofdata synchronization in a distributedenvironment.

Examples of the Principle of Data Accuracy, Inspection, and Review

★ The institution acknowledges its sharedresponsibility for data accuracy and spells out inpolicies or guidelines individual and institutionalrights and responsibilities.

★ Data administration policy and procedures havebeen created to address the issue of dataaccuracy in a distributed computingenvironment.

★ The institution reveals all information beingcollected and facilitates student review of records,providing a convenient way to request a review.This is the case for all information, regardless ofits sensitivity or how it is being collected.

★ The institution employs routine validity checks,and periodically asks students to review criticaldata.



◆ Institutions should periodically ask students to re-view critical data for accuracy, and should consider theuse of secure technology to allow students direct accessto their own data to facilitate inspection and review.

◆ Institutional policy and procedures should addressthe issues of inspection and review of transactional data,defining records that can be made available and the re-lated request process.

Principle of Information Security,Integrity, and Accountability

1. Definition The principle of information security, integrity, and

accountability is composed of three related elements.Security, in terms of information technology, is the pro-tection of user files and system resources from loss,damage, inappropriate access, and unauthorized disclo-sure or use of sensitive or private information. Integrityis reasonable assurance that data, once entered, will notbe subject to unauthorized modification by intentionalor unintentional means, and that data will remain unal-tered during transmission between sending and receiv-ing systems. Accountability in this context is the abilityto explain security-related events and to link them to theoriginator. The cost of security, integrity, and account-ability measures should be commensurate with the over-all value of the information resource, and assessment ofthe overall risk posed by the existing or planned systemor network implementation to the institution, to othersites, and to individual users’ information.

2. Relevant Law FERPA requires each institution not to disclose stu-

dent information without written consent, except forcertain specific uses and except for directory informa-tion, which may be disclosed unless the student objects.FERPA also requires each institution to maintain an au-dit trail within each student record listing all outsiderswho have had access to the record and to keep that audittrail confidential, unless the disclosure is with consentor is limited to directory information. State computercrime laws provide punishment for the use of a com-puter in a crime and for unauthorized access to a com-puter system. The federal computer crime laws providepunishment for trafficking in stolen passwords and un-

authorized access to a system across state lines. Fair in-formation practice laws in several states require securityof personal information in state institutions and, insome cases, the designation of a data security officer ineach institution.

3. Policy Issues

Policy issues related to this principle arise in several ar-eas, including appropriate levels of security for informa-tion of varying sensitivity; institutional policy for infor-mation access and acceptable use of electronic resources;and limitations and capabilities of the technologies em-ployed.

Data and System Classification Before institutions can begin to define adequate

and reasonable security for their environments, theremust be a shared understanding of which informationis, in fact, sensitive and the degree of sensitivity. Whilelegal and policy definitions may exist in the case ofrecords in central student information systems or forresearch grants that contain explicit security provisions,the expansion of access to information generated by stu-dent activity or data in system logs introduces issuesthat may not yet have been considered. For example,how sensitive is student electronic mail? Is its protectionto be a high priority or is it to be assumed and madeknown to students that unencrypted electronic mail isnot private? How sensitive is a file about a student that iskept online by a faculty advisor? What security mea-sures are appropriate for information the institutionmight require in an online application form (for ex-ample, family and background information, credit cardnumber)? Is an individual’s picture more sensitive whenstored or disseminated electronically?

The rapid expansion in the number and character ofitems that may be shared electronically should evokepolicy discussion on appropriate levels of security andsensitivity classifications for student information out-side structured databases. The commonly used guidelinehas been: “If the information is personally identifiable,it must be protected.” However, how the data will beprotected and the measures that are reasonable for theassessed risks are institutional decisions that must beconsidered in light of the network environment andinstitutional culture. Moreover, assessment should be


made as to which systems are truly critical in the distrib-uted environment (for example, ones whose loss or com-promise would unduly jeopardize the security or integ-rity of private information or of other systems whereprivate information is maintained).

As colleges and universities begin to transmit moreand more information of a private nature to and abouttheir students, the need to extend to academic networksthe types of security that used to be associated primarilywith administrative mainframe systems must be evalu-ated to avoid incidents such as the following.

The online student system at one eastern univer-sity was accessed for over two years by someonewho knew how to work around newly implementedprocedures. Sixty-eight grades for seven studentswere changed. Once the unauthorized access wasdetected, two employees were fired and three de-grees were rescinded.

Responsible Use Policies An institution must consider whether and how to

define what it considers acceptable use of its informationresources and how potential breaches in security or in-formation privacy will be handled. Without a formalpolicy to define security rules, roles, and responsibili-ties, it may prove difficult to hold users accountable.Rules that are unwritten may also prove unenforceable.

Technical Capabilities and Limitations In a nutshell, the primary security issue surround-

ing electronic transmission of private student informa-tion is: can information be ensured of privacy protec-tion if the network itself is not at least reasonably se-cure? Having determined and defined appropriate uses(and abuses) of information and categories of sensitivityfor both database records and data captured from track-ing systems, how can the data be protected? Are thereareas where limitations in existing security technologymake a particular implementation unwise? Who willdecide? In instances where technical security measuresmay be unavailable or inadequate, how will the institu-tion gather user input on whether the value of access ismore important than the risk of a privacy violation?

How can individual choice to receive or not receive per-sonal information electronically be accommodated?

Fundamental technical issues for heterogeneous net-works of the type found in most institutions includeauthentication and authorization, communications secu-rity, physical security, and logging.

Authentication and Authorization. What technicalmeans can and should be employed to reliably validatethe identity of network users (authentication) and todetermine their access (authorization) levels? How cannetwork access be controlled such that unauthenticated(and thus untraceable) access is eliminated, or servicesthat can be obtained anonymously are limited to onlythose that can do little harm? How can individuals en-sure that the electronic correspondence they receive isactually from the purported sender? How can an appli-cation determine it is connecting to the correct serverand not to a system that has assumed its network iden-tity? There are emerging cryptographic solutions inthese areas (see page 11), but who will be responsible forplanning their widespread introduction and use, and inwhat timeframe?

Communications Security. How can institutions safe-guard private information being transmitted to orthrough traditionally less-controlled academic networkswhere students work? In particular, how can this bedone in an era in which it is very easy for even amateursystem crackers to “sniff” or read data from many unen-crypted communications links? How can the institutionensure that applications developed in the distributedenvironment take into account communications secu-rity? How and where can technologies such as encryp-tion be employed effectively, and how will institutionalstandards in this area be determined? Who is respon-sible for defining solutions to protect the privacy andintegrity of student information on an institution-widebasis? What types of data integrity and checksummingmeasures are appropriate for information at the varioussensitivity levels? Without a carefully planned strategythat facilitates protection of information as it is trans-mitted through the network, privacy may not be pos-sible in any meaningful sense.

Physical Security. How will physical access to key net-work components, whose compromise could justify theprivacy of attached networks, be controlled? If physicalaccess can be gained to a major component of the net-work, or even to a PC where critical information is


downloaded and stored — and there are no compensat-ing security software products in place — private infor-mation can be read, modified, removed, or retransmit-ted. Policies should address the susceptibility to theft ofcomponents where sensitive data are kept.

Logging. A final technical network security issue ishow much information about network transactions willactually be maintained. Because network intrusion de-tection is in its infancy, security events are seldom re-ported in real time. Thus, there is an increasing need for

logs sufficient to reconstruct events weeks or evenmonths after the fact. However, many of the systems thatstudents commonly use may not yet employ an adequatelevel of logging to permit detailed reconstruction. More-over, the logs themselves, if not properly managed, used,and secured may become a target or a potential privacyconcern. How will accesses be logged and how much isappropriate and necessary to log (in keeping with theprinciple of minimization)?

✩ The network security function is not coordinatedinstitution-wide, nor are information securityconcerns integrated into planning processes;security is left largely to individual systemadministrators.

✩ Automated error checking, audit trails, and purgecriteria are not widely implemented.

✩ Formal risk assessment methodologies,vulnerability testing, security training, disasterrecovery, and incident response strategies andresponsibilities are not defined, or are ad hoc innature.

★ The institution plans for and implements policyand processes to address the more critical physicaland procedural security issues surrounding thedissemination of student information via networks.

★ Responsibilities for security are formally defined;security and integrity issues are integral andmandatory parts of the application design processat all levels.

★ Formal risk assessment methodologies,vulnerability testing, disaster recovery, incidentresponse strategies, and responsibilities aredefined.

★ The institution employs a confirmation process(such as digital signatures or encryption) thatensures student record information cannot bechanged without detection while traveling acrosscampus networks.

★ Automated error checking, checksums, audit trails,and purge criteria in some combination areroutinely used.

★ Technical guidelines and training “how to’s”related to security issues are provided toindividual system administrators and to users.

★ Information management practices ensure thatonly authorized and authenticated staff membersperform updates, and information is released onlyto authorized and authenticated requesters.

Examples of the Principle of Information Security, Integrity, and Accountability



4. Task Force Recommendations forInformation Security, Integrity, andAccountability

◆ The institution should address the development ofpolicies, processes, and procedures that deal with themore critical physical and procedural security issuessurrounding the widespread dissemination of studentinformation via networks.

◆ The institution should take reasonable steps to pro-tect the integrity of student records by ensuring thatthey are not unduly subject to inadvertent or intentionalmodification or deletion when collected, stored, ma-nipulated, displayed, or disseminated using theinstitution’s electronic information resources.

◆ Responsibilities for security should be formally de-fined; security and integrity issues should be consideredan integral and mandatory part of the application designprocess at all levels; and individual system administra-tors and users should be provided technical guidelinesand training related to security issues.

◆ Care should be taken in setting up systems to avoidinappropriate — but in many cases built-in — informa-tion access, such as world-readable log files or Webcaches not cleared from user to user.

◆ Institutions should articulate procedures for howpotential breaches in security or privacy will be handled.

The Principle of Education

1. DefinitionThe premise of this principle is that colleges and

universities have a basic responsibility to educate notonly their students but faculty, staff, and administratorsabout the privacy rights of students and potential impli-cations of use and misuse of personal information, espe-cially in a networked environment. Students may not befamiliar with these issues upon enrollment, and suchunderstanding is necessary before they can give theirinformed consent for information use. This definition of“education” extends beyond simple notification and in-formed consent and includes information on the aspectsof technology that may cause privacy concerns.

2. Relevant LawFERPA requires each institution to inform students

of their rights of privacy and access under the law. Eachinstitution is also required to give public notice of thecategories it has designated as directory information andtherefore releasable unless the student objects.

3. Policy IssuesAdministrators who handle arbitration of computer

abuse incidents on college campuses have long recog-nized that more harm is done through ignorance aboutinformation technology than through a motivation toharm. Education, then, becomes a practical matter forthe institution, if not an ethical matter. Such educationregarding the privacy of student information in a net-worked environment means systematic instruction bythe college or university to enable students to under-stand fully their privacy rights and the potential implica-tions of uses and misuses of information.

There is a vast continuum between the legal require-ment to inform students of what constitutes directoryinformation and systematic instruction in privacy issuesand technological impacts. If there were no legal obliga-tions, what would the institution do? Colleges and uni-versities will need to adopt an education policy some-where along this continuum, based upon their culture,values, and commitment to an ethical approach.

Assessment of Educational NeedsCentral to developing an educational program is

assessing the current state of awareness by the studentbody and administration regarding privacy issues. Isthere widespread awareness of the possible ramificationsof providing increased electronic access to personal stu-dent information and an understanding that implicittradeoffs exist between convenience and privacy? Isthere an awareness that unencrypted electronic mail isnot secure, or that e-mail may not be a privacy-protectedentity on a given campus or in a given state? Are stu-dents knowledgeable enough about the World Wide Webto understand how the data and images posted theremight be disseminated and subsequently used?

To what degree does the college or university wishto be responsible for helping its students become in-formed consumers of information technology, fully cog-nizant of both risks and benefits? How proactive doesthe institution want to be and what format will it use to


educate students with regard to privacy issues, includingexisting discipline and enforcement procedures, in theuse of electronic information resources? Institutionswill need to answer these questions as they formulateprivacy education programs, especially to think aboutwhether the tone of their program will be “educate toinform” versus “educate to warn.”

TimingWhen and how to reach students is an important

issue in the formulation of an educational program, andthe answers are probably unique to each campus. Manyinstitutions provide information about computing dur-ing freshmen orientation, along with a deluge of otherinformation ranging from parking to health services.This may be too much information to expect any indi-vidual to assimilate at one time. However, students usu-ally want access to the Web and electronic mail servicesimmediately upon arriving on campus, so it may be un-wise to delay instruction about these services. Howmuch information do students need immediately, andwhat information can be disseminated after freshmenorientation?

Dissemination VehiclesStudents may sign a statement during freshmen ori-

entation that they agree to abide by the campus policyfor ethical use of electronic resources. Receipt of a com-puting account may be contingent on this signing. If

information isn’t provided during freshmen orientation,what student communication vehicles (student govern-ment, student newspaper, campus radio station, institu-tional Web pages) are the most effective disseminationtools? What are the best mechanisms for reaching stu-dents within a particular institutional context? By whatmeans do students receive information about the generalpolicies of the institution and their responsibilities innetworked environments, and how effective are thesevehicles? For example, if an institution offers studentsan opportunity to opt out of getting their photo digi-tized, this option would best be explained to them on ornear the time of the photo session. This form of educa-tion is in contrast to a sign posted in the back of theroom which makes no mention of their choices, options,and access concerning such digitized photos.

Educating Faculty and StaffBeyond education of the students, there remains an

institution-wide process of raising the community’ssensitivity to privacy, and to their individual responsi-bilities referred to by FERPA. When privacy education ismentioned, most people typically think about instruct-ing students in these matters. But there is another popu-lation on campus that will likely need education on pri-vacy issues as well — information handlers (includingfaculty) and technologists. Some unit or individual oncampus should take responsibility for periodically pro-viding professional development opportunities for data

✩ The institution provides required notification aboutstudents’ right to privacy in compliance withFERPA, probably through the student handbook orcampus newspaper, but does not educate studentsfurther.

✩ The institution does not systematically attempt toeducate faculty, staff, or administrators in legal orethical privacy considerations.

★ The institution has developed an institutionalprocess and delivers both a formal and informalinstructional program that educates the entirecommunity (not just students) about policies onprivacy and the potential uses and abuses oftechnology in this regard.

★ The institution assumes the responsibility forassessing the effectiveness of this process/program.

Examples of the Principle of Education



V. Building Policy in a NetworkedInformation Environment

handlers and technologists. While many professionalorganizations provide training/seminars/conferences onprivacy issues, the campus has a role to play here, also.

4. Task Force Recommendations forEducation

◆ Institutions should address the most effective meth-ods in their environments to provide systematic instruc-tion to students regarding their privacy rights and the

Our task force recommends that each collegeand university engage in a process to clarifythe values that generally reflect its unique cul-

ture, mission, and environment (small or large, public orprivate, urban or rural), and to develop policy congruentwith those values that addresses privacy issues in a net-worked information environment. How might a campusundertake such a process? Three key success factors arethat the process be open, that it have executive-levelsupport, and that the discussions be based on real inci-dents.

An Open Process

It is important that the process of building policy abouthandling information in a networked environment beinstitution-wide and open, that is, involve many differ-ent campus constituents — faculty, staff, students, ad-ministrators. Both technologists and non-technologistsshould participate in these discussions to fully explorethe implications of a networked information environ-ment, identify relevant laws, clarify values, and weighpotential tradeoffs.

Several colleges and universities have developedmodel policy-building processes (primarily for develop-ing policies addressing broader networked informationresources issues, including privacy). Four campus experi-ences are described below..

Cornell University Cornell University relies on fundamental principles

and mission when developing any policy. Both com-puter use and abuse policies have been created to con-form to the University’s existing understanding of issuesand to reflect Cornell’s culture. The best way to ensurethis outcome is to include community members in itscreation. At Cornell this process is multi-stepped.

The process used to develop Cornell’s electronicresources policy began with the Vice President of Infor-mation Technologies asking the Associate Vice Presidentfor Human Resources, the University Counsel’s Office,the Judicial Administrator, and several representativesfrom the Information Technologies organization to joinhim in discussion about responsible use of electroniccommunications. These discussions, which occurredover the course of a year, took into consideration exist-ing relevant University policies, codes, guidelines, andpractices, and resulted in the drafting of a policy. Thisdraft policy was then reviewed by faculty members,staff, and students prior to its implementation. TheDean’s Council, the Faculty Committee of Representa-tives, and the University Assemblies (representing thestudents, faculty, and staff) all discussed and had inputinto the revisions of the draft policy. After such widecampus involvement, the ratification process wassmooth, paving the way for implementation and educa-tion.

Implementation and education are as important as

potential implications of uses and misuses of informa-tion. Instruction should include information about as-pects of the technology that may result in these uses andmisuses, beyond simple notification and informed con-sent.

◆ The institution should ensure that faculty, staff, andadministrators are also educated about the legal, ethical,and policy issues of students’ right to privacy.


the policy creation, especially since there is a computeruse culture that often runs counter to institutional poli-cies and state and federal laws. At Cornell, all new stu-dents attend a 50-minute education program to learnabout and discuss electronic communications and com-puter resources on campus. Part of this course focuseson responsible use issues. In addition, the office of In-formation Technologies provides educational programsto the colleges, including the deans, directors, and de-partment heads as well as system administrators andstudent groups. The programs provided at Cornell thatwere the most well attended in 1996 focused on theCommunications Decency Act and included discussionson censorship, freedom of expression, privacy, and ethi-cal use of computer resources. For more information,contact Marjorie Hodges at [email protected] or seehttp://WWW.UNIVCO.CORNELL.EDU/policy/RU.html

University of Maryland at College ParkThe University of Maryland at College Park is the

flagship campus of the University of Maryland System.The campus administration does not adhere to a singlepolicy-making process but offers a variety of avenues bywhich policy can be developed. Decision-making isnotably decentralized at an institution that includesthirteen colleges and schools and three administrativedeans who manage programs in a cooperativeadministrative structure.

The College Park Senate provides an opportunity forfaculty, staff, students, and administrators to participatein campus governance. While, to date, the Senate’s rolein the development of technology policy has been mini-mal, it has the potential for providing the forum neces-sary for open and inclusive deliberations. A data policycommittee has also been established to develop guide-lines and policies governing the development and man-agement of campuswide data and databases. Some poli-cies are developed from grass-roots efforts; the Guide-lines on the Acceptable Use of Computing Resources re-sulted from the work of a group of faculty, administra-tors, and staff and the review of legal counsel, cabinet,and Dean’s Council.

Project NEThics, a new initiative of Academic Infor-mation Technology Services, provides a model for opencommunity discussion and examination of issues. TheProject’s mission is to ensure responsible use of Univer-sity computing resources through policy enforcement

and user education designed to inform communitymembers about the legal and ethical implications ofcomputer use. Project NEThics staff play a key role inpulling together policy-makers and users from across thecampus to stimulate dialogue in this area. Given theUniversity’s ambiguous policy structure and a persistentcampus culture that favors decentralized decision-mak-ing and authority, it is expected that Project NEThics’efforts to coordinate policy development will be vital tothe establishment of technology policy that maximizesinput, ensures the support of upper-level administration,and is based upon real incidents. For more informationabout this model, contact Rodney Petersen [email protected] or see http://www.inform.umd.edu:8080/CompRes/PolicyAndEthics/aug/

University of MichiganThe University of Michigan is also a highly decen-

tralized environment. There are three campuses withinthe University system. The largest campus, in Ann Arbor,has seventeen schools and colleges, each with its ownadministrative decision-making processes. The Univer-sity has a large, diverse community of approximately80,000 faculty, staff, and students.

Information technology policy has been madethrough a combination of efforts, mostly committeecentered. Committees, representing faculty, staff, andstudents, have been assembled to gather information,discuss, and formulate recommended policy on suchissues as responsible use of technology, privacy of elec-tronic mail, definition and handling of electronicrecords, handling of personal information, and data ad-ministration. All policy recommendations are also re-viewed by legal counsel, and most also by the campusCivil Liberties Board, Faculty Senate, Council of Deans,and other relevant groups. Even with such committeeinvolvement, however, achieving adequate input andresponse from the campus community is a significantchallenge.

A model which has been successfully used at theUniversity of Michigan, called the “Think About It Cam-paign,” has provided a mechanism for expanding thedebate of important issues and increasing both input tothe formulation of policy and commitment to the estab-lished policies. In this model, faculty, staff, and studentvolunteers are recruited to facilitate, in pairs, small andlarge group discussions of ethical issues related to tech-


nology use on campus. The volunteers are trained ingroup facilitation techniques and given an opportunityto debate the issues themselves prior to being assigned agroup. Real vignettes, illustrating technology-relatedethical dilemmas such as conflicts between ease of useand security, between freedom of speech and freedomfrom harassment, and between censorship of contentand unlimited access, are provided as discussion starters.The key component of this model is that discussion isthe goal in and of itself, not necessarily finding the“right” answer. In this way, participants are made com-fortable sharing their points of view and the communityview is allowed to emerge. For more information aboutthis model, contact Virginia Rezmierski at [email protected] or see http://www.cause.org/information-resources/ir-library/text/cem9233.txt

University of North Carolina-Chapel HillThe University of North Carolina-Chapel Hill, an-

other large and complex community, has successfullyused an open process to develop a policy framework fornetworked information. The Information Resources Co-ordinating Council (IRCC) at the University of NorthCarolina was created by the chief financial officer tocoordinate the management of pan-University digitalinformation stores and technologies distributed acrossorganizational boundaries. The committee reviewed is-sues and principles which had previously been devel-oped by a faculty-based advisory committee. They devel-oped a policy framework to guide ongoing developmentof information policy. The council of library and tech-nology leaders then initiated a series of discussions withrepresentative focus groups, administrative units, andgovernance councils. Participants in these discussionsreceived advance copies of the draft policy along withdescriptions of several information-related campus inci-dents. These incidents/cases served to highlight implica-tions and tradeoffs inherent in the policy frameworkand to underscore the need for such a document. Finally,after these extensive open campus discussions, theChancellor’s Administrative Council endorsed the policyframework for the campus.

Implementation of this policy framework is alsobeing done through an open, participatory process. TheIRCC has commissioned several working groups to be-gin the implementation process. One group is focusedon the scope, integrity, and presentation of “official”

institutional data, another on coordinating departmen-tal and special interest Web pages, another with recom-mending institutional standards for imaging applica-tions, and another on privacy. For more informationabout this model contact Anne Parker at [email protected] or see http://www.cause.org/information-re-sources/ir-library/text/cem9524.txt

Other resourcesResearching the way other institutions have dealt

with developing policy about privacy and other issuesthat arise in an electronic networked environment canbe a valuable part of the process of policy building inthis area. In addition to the experiences described here,several other resources on the World Wide Web areworth investigating. The University of Pennsylvania of-fers an excellent set of privacy resources, including thereport of Penn’s privacy task force, on their Web site (seehttp://www.upenn.edu/security-privacy/privacy.html).In addition, as part of the work of our CAUSE task force,a Web site at the University of Texas/Austin was devel-oped to provide an index and hypertext links to nearly100 policies that deal with privacy of student informa-tion at various colleges and universities, indexed by statelocation (see http://www.utexas.edu/computer/vcl/projects/privacy.html).

Also, at the CAUSE Web site (http://www.cause.org/)is a resource page that provides links to networked infor-mation policies that have been contributed to the CAUSEInformation Resources Library, many of which are avail-able electronically on the Web and linked from thatpage. The page (at http://www.cause.org/issues/policy.html) provides other related resources, such aslinks to the Electronic Frontier Foundation’s guidelinesfor computing policies and sites addressing first amend-ment issues. Appendix H provides additional resources.

Highest Level Support

In addition to being an open process, the task force rec-ommends that it be supported publicly at the highestlevels of the college or university administration. Execu-tive officers may even want to go beyond public endorse-ment of the process, actively receiving output from thediscussions and/or personally charging groups to re-search and debate selected topics such as technology-related risk management and cost analyses, effects of


process reengineering on privacy, and others.Risk management discussions are important with

respect to the security, integrity, and accountability ofdata. The acceptable risk level for one campus may betoo great for another. Open discussions in this area canhelp to identify risks and clarify community values re-garding acceptable and unacceptable risk levels. Theycan also help to identify ways in which technologymight be deployed to reduce or eliminate risks for bothindividuals and the institution. It will be important toexplore the costs of implementing security technologiescompared to the potential costs of liability resultingfrom a violation of privacy. Open discussion of theseand other values-related topics can help colleges anduniversities in strategic planning to identify those areasin which the greatest investment will reap the greatestbenefits in line with institutional values and mission.

Seeing more efficient and effective ways of doingbusiness has led some institutions to engage in processreengineering, which usually involves technology appli-cations. Open discussion of the challenges facing col-leges and universities that lead to process reengineeringcan foster increased understanding, community trust,and endorsement of the new processes. The partnershipsthat are established between data stewards, data owners,data users, and technology designers can be invaluablewhen they result in new and creative ways to maximallymeet both the needs of the student/customer and theinstitution.

College and university communities will also beable to steer the identification and initiation of neededtechnological pilots if there are open discussions about

these issues. Identifying units within colleges that areready and eager to pilot new applications and discuss thepilot results can facilitate the process of evaluating newapplications. Encryption and digital signature technol-ogy pilots are among those that may help campuses ap-ply technology to protect privacy. Finding out whethersuch technologies will prove cumbersome to the com-munity or be embraced by it would be enormous ben-efit before wide scale applications are implemented.

Based on Real Incidents

Finally, our task force recommends that values clarifica-tion and development of policy be based on specificincidents and issues. Sometimes a campus does not wantto make public the incidents of misuse or abuse thathave occurred for fear of liability for errors in informa-tion delivery or access that find one person in themiddle of another’s sensitive data. However, the commu-nity needs to be able to understand and relate directly tothe issues at hand. More information shared, rather thanless, will help to build community consensus and stan-dards. At a minimum, information needs to be dissemi-nated to the community to spark discussion — informa-tion about the dilemmas and any potential tradeoffsfaced by the institution between efficiency and indi-vidual privacy. If it is an open and listening process, oneof forming consensus and sharing different points ofview, the community as a whole benefits with increasedcommitment to community values and the developmentof informed and supported policies


Appendix A: FERPA Overview

The information below is excerpted from the Guidelines for Postsecondary Institutions for Implementation of the Family EducationalRights and Privacy Act of 1974 as Amended, edited by Richard Rainsberger, published by and available from the AmericanAssociation of Collegiate Registrars and Admissions Officers (AACRAO, One Dupont Circle, NW, Suite 330, Washington,DC 20036-1171; 202-293-9161). Periodically amendments are made to FERPA regulations; the Department of Education’sWeb site provides access to such changes in the Federal Register Documents section under News (at http://www.ed.gov/news.html).

The purpose of the Family Educational Rights andPrivacy Act of 1974, commonly referred to as theBuckley Amendment or FERPA, is to afford cer-

tain rights to students concerning their educationrecords.

FERPA gives students who reach the age of 18 or whoattend a postsecondary institution the right to inspectand review their own education records. Furthermore,students have other rights including the right to requestamendment of records and to have some control overthe disclosure of personally identifiable informationfrom these records. Institutions may grant a studentmore rights than those guaranteed in the Act.

Institutions may not disclose information containedin education records without the student’s written con-sent except under conditions specified in the Act. Aninstitution is not required to disclose information froma student’s education records to the parents of depen-dent students but may exercise its discretion to do so. Itis the responsibility of an institution to ensure that in-formation is not improperly disclosed to the parents ofstudents.

Institutions must annually notify students currentlyin attendance of their rights by any means that are rea-sonable, such as publication of a notice in the studenthandbook, catalog, or student newspaper. The regula-tions do not specify the means to be used. Schools arenot required by FERPA to notify former students of theirFERPA rights.

FERPA deals specifically with the education recordsof students, affording them certain rights with respect tothose records. For purposes of definition, educationrecords are those records which are (1) directly relatedto a student and (2) maintained by an institution or aparty acting for the institution. Records containing astudent’s name, Social Security number, or other per-

sonally identifiable information, in whatever medium,are covered by FERPA unless identified in one of theAct’s excluded categories (see the definition of “Educa-tion Records” on page 40).

Educational institutions and agencies are required toconform to fair information practice. This means thatpersons who are fair subjects of data systems (i.e., stu-dents at an institution) must:• be informed of the existence of such systems,• have identified for them what data about them are

on record,• be given assurances that such data are used only for

intended purposes,• be given the opportunity to request an amendment

or correction to their records, and• be certain that those responsible for data systems

take reasonable precautions to prevent misuse of thedata.Although the Act does not require it, those respon-

sible for data systems are obliged to consider properlydisposing of, or destroying, information when the condi-tions under which that information was collected nolonger exist and there are no legal restrictions prevent-ing such disposal.

FERPA applies to all schools that receive fundingunder most programs administered by the Secretary ofEducation. Most postsecondary institutions, both publicand private, generally receive such funding and must,therefore, comply with FERPA.


AuthenticationA process that verifies the identification or genuinenessof a person or service. Traditionally, authenticationmethods in networked computer systems include a userID/password combination (“something you know”), atoken (“something you have”), and/or biometrics identi-fication (“something you are and cannot change”).

AuthorizationAccess permissions or rights given to a user, process, orprogram. Usually, authorization is used in conjunctionwith the concept of authentication. Once a user hasbeen authenticated, s/he may be authorized to have dif-ferent types of access or activities.

ChecksumA computed value which depends on the contents of ablock of data and which is transmitted or stored alongwith the data in order to detect corruption of the data.The receiving system recomputes the checksum basedupon the received data and compares this value with theone sent with the data. If the two values are the same,the receiver has some confidence that the data were re-ceived correctly.

Data MiningAnalysis of data in a database using tools that look fortrends or anomalies. These data can then be extracted insuch a way that the new information is used for decisionsupport, prediction, forecasting, and estimation.

Data StewardPerson or entity responsible for the management, integ-rity, and safeguarding of information. Data stewardshave evolved to include not only traditional stewardssuch as registrars for student data, but also such peopleas database administrators.

Data WarehouseA collection of data extracted from one or more produc-tion databases, housed in a separate database, providingfast and easy user access to “high-demand” information.

Digital SignatureExtra data appended to a message that identify and au-thenticate the sender and message data using public-keyencryption.

Digitized PhotographA photograph recorded in binary code and stored oncomputer-compatible media (for example, disk, tape,CD-ROM). Digitized photos are particularly easy to en-hance, modify, or manipulate. Such photos can bestored in a database, outputted as a print or transpar-ency, or converted for video-screen display from a CD-ROM or photo CD.

Digitized SignatureImage replicas of an individual’s own handwritten signa-ture obtained during a signing operation (much like thepads/signature recording devices beginning to be em-ployed by major department stores).

Directory InformationInformation about students of an institution that is con-sidered part of the public record of their attendance andthat may be made public unless the student specificallyasks that it be suppressed. This may include some or allof the following: name, local address, local phone num-ber, e-mail address, major field of study, participation inrecognized activities and sports, weight and height ofathletic team members, photograph, dates of attendance,most recent institution attended, degrees and awardsreceived.

DisclosurePermitting access to or the release, transfer, or othercommunication of personally identifiable informationcontained in education records to any party, by anymeans, including oral, written, or electronic means.

EDI (Electronic Data Interchange)A technology that uses standard data formats to transmitdata from one computer to another. In higher education,EDI has been used to transmit student transcripts.

Appendix B: Glossary of Terms


Education Records*Those records directly related to a student and main-tained by the institution or by a party acting for theinstitution. The term “education records” does not in-clude the following:• records of instructional, supervisory, administrative,

and certain educational personnel which are in thesole possession of the maker thereof, and are notaccessible or revealed to any other individual excepta substitute who performs on a temporary basis (asdefined in the institutional personnel policy) theduties of the individual who made the records.

• records maintained by a law enforcement unit ofthe educational agency or institution that were cre-ated by that law enforcement unit for the purpose oflaw enforcement.

• records relating to individuals who are employed bythe institution, which are made and maintained inthe normal course of business, relate exclusively toindividuals in their capacity as employees, and arenot available for use for any other purpose. (Recordsof individuals in attendance at an institution whoare employed as a result of their status as studentsare education records, for example, workstudy.)

• records relating to a student which are (a) created ormaintained by a physician, psychiatrist, psycholo-gist, or other recognized professional or paraprofes-sional, acting in his/her professional capacity orassisting in a paraprofessional capacity; (b) usedsolely in connection with the provision of treatmentto the student; and (c) not disclosed to anyone otherthan individuals providing such treatment, so longas the records can be personally reviewed by a physi-cian or other appropriate professional of thestudent’s choice. (Appropriateness may be deter-mined by the institution.) “Treatment” in this con-text does not include remedial educational activitiesor activities which are part of the program of in-struction at the institution.

• records of an institution that contain only informa-tion relating to a person after that person is nolonger a student at the institution (for example, in-formation gathered on the accomplishments ofalumni).

EncryptionAny procedure used to convert plain text into cipher textin order to prevent any but the intended recipient fromreading that data.

IdentificationAny means of identifying an individual, physical or au-tomated. A process that enables recognition of an entityby an automated information system is generally accom-plished through the use of unique machine-readable usernames.

Informed ConsentPermission given by an individual to another for someaction, with such consent being well-founded in infor-mation and knowledge about the issues.

Legitimate Educational InterestFERPA does not define “legitimate educational interest”but states that institutions must establish their own cri-teria according to their own procedures and require-ments for determining when their school officials have alegitimate educational interest in a student’s educationrecords. However, the Department of Education has cre-ated a model notification of rights under FERPA forpostsecondary institutions (in FERPA Final Rule, FederalRegister, November 21, 1996) that includes the followingstatement: “A school official has a legitimate educa-tional interest if the official needs to review an educa-tion record in order to fulfill his or her professional re-sponsibility.”

Log FileA collection of information, generally of machine anduser activities, that shows sequence of machine transac-tions.

MiddlewareSoftware that mediates between an application programand a network. Such software manages the interactionbetween disparate applications across heterogeneouscomputing platforms.


MonitoringWatching or recording activity on a particular machineor network or by a particular user or set of users usuallyfor system management purposes.

Personally Identifiable*Data or information which include (1) the name of thestudent, the student’s parent, or other family members;(2) the student’s address; (3) a personal identifier such asa Social Security number or student number; or (4) a listof personal characteristics, or other information whichwould make the student’s identity easily traceable.

ProfilingThe process of gathering information about a particularindividual or class of individuals for purposes of outlin-ing/highlighting data such as their potential productinterests or ability/desire to contribute to a particularphilanthropy.

RecordAny information recorded in any way, including, but notlimited to, handwriting, print, computer media, video oraudio tape, film, microfilm, and microfiche.

School OfficialFERPA does not define “school officials” but states thatinstitutions must establish their own criteria accordingto their own procedures and requirements for determin-ing them. However, the Department of Education hascreated a model notification of rights under FERPA forpostsecondary institutions (in FERPA Final Rule, FederalRegister, November 21, 1996) that includes the followingdescription of a school official: “A person employed bythe University in an administrative, supervisory, aca-demic or research, or support staff position (includinglaw enforcement unit personnel and health staff); a per-son or company with whom the University has con-tracted (such as an attorney, auditor, or collection agent);a person serving on the Board of Trustees; or a studentserving on an official committee, such as a disciplinaryor grievance committee, or assisting another school offi-cial in performing his or her tasks.

SniffingA process accomplished by a non-intrusive technicaldevice, difficult to detect, placed on a network segmentwhich collects and stores all data moving across thatsegment for later analysis and unauthorized use. Sniffingcan be a legitimate and authorized tool for solving net-work problems, but it can also be misused.

Student*Includes any individual for whom an educational insti-tution maintains education records. The term does notinclude an individual who has not been in attendance atthe institution. An individual who is or has been en-rolled in one component unit of an institution, whoapplies for admission to a second unit, has no right toinspect the records accumulated by the second unit untilenrolled therein.

World Wide Web (WWW) A client/server software package which uses hypertext toorganize, connect, and present information and servicesthroughout the Internet.

* This definition is excerpted from AACRAO’sGuidelines for Postsecondary Institutions for Implementationof the Family Educational Rights and Privacy Act of 1974 asAmended.


Recommendations for Notification

◆ Institutions should notify students of their privacyrights with the same prominence and frequency af-forded other important areas of campus life, such asresidence-hall regulations, meal-plan options, andcourse descriptions. A useful comparison may be madebetween notification of campus judicial system regula-tions, which focus on student responsibilities and pun-ishment, and notification of privacy policies about stu-dent records, which focus on student rights and abilities.

◆ The institutional approach to notification shouldalso take into account the technological sophisticationof the student body. This and other local considerationsshould be applied in order to provide useful and mean-ingful information to students. An effort should bemade to avoid overwhelming detail on the one hand andoverly vague generalities on the other.

◆ When formulating policies and procedures concern-ing student notification, campuses should consider theeffects of the distribution of databases to non-centrallycontrolled systems, as well as transaction and trackingdata maintained as a by-product of daily operations.Policy should determine how students can be informedof the existence of such databases and systems.

Recommendations for Minimization

◆ Colleges and universities should gather all legallyrequired student information and the minimal amountof additional information to accomplish a legitimateinstitutional purpose, avoiding gathering nonessentialinformation simply because of the ease of collection orcorrelation in networked environments. Policy and prac-tice should address means to ensure that collection ofpersonally identifiable information has been appropri-ately authorized.

◆ Campuses should formulate a process for determin-ing necessary log elements and log retention require-

Appendix C: Summary of Task ForceRecommendations for Each Principle ofFair Information Practice

ments, particularly for logs where the inclusion of per-sonally identifiable information is unavoidable.

◆ For those log elements over which the institutionexercises control (rather than those that are a default ofthe operating system or vendor-supplied software), de-signers should consider the principle of minimizationand identify those elements that would really be neces-sary in the event of foreseeable contingencies. Those ele-ments rather than the superset of all possible elementsshould be collected.

Recommendations for Secondary Use

◆ The institution should be explicit about the purposefor which information is gathered at the time of its col-lection, and identify the routine and compatible uses ofthe data it expects to employ in the course of conductingofficial business.

◆ Secondary uses, not included in those stated as rou-tine and compatible, should be avoided, but where suchsecondary uses are deemed significantly important to theinstitution, policy should consider how additional per-missions will be obtained from affected students.

Recommendations for Nondisclosure andConsent

◆ During policy development, institutions should con-sider defining categories of information as to their sensi-tivity, determining under which strata elements of infor-mation fall, and establishing congruent consent/disclo-sure mechanisms for each type of information.

◆ In developing policy with regard to data categoriza-tion, institutions should consider the means for studentsto change the categorization of an element and to specifythat it be treated as more sensitive than generic policywould normally dictate. The use of technology to facili-tate individual choice in this area should be considered.


◆ Consent should be specific with regard to the man-ner and type of disclosure, as well as the identity of therecipients and their intended use of the information. Themeans by which students may revoke consent should beaddressed during the policy development process.

◆ The institution should ensure that students fullyunderstand what their rights are with regard to request-ing that information not be disclosed.

Recommendations for Need to Know

◆ A clearly defined institutional policy should beadopted regarding access to student information, takinginto consideration such criteria as job duties, purposeand scope of proposed use, and compliance with privacyregulations.

◆ Implementations of new technology applicationsshould consider whether the system design supportsinstitutional privacy policies and procedures, includingthe design of display and report formats to limit theamount of information displayed on a screen.

◆ Technology implementations should include theactive involvement of not only information technolo-gists but also data stewards to ensure system design thatsupports need-to-know policy decisions.

Recommendations for Data Accuracy,Inspection, and Review

◆ Students are responsible for providing accurate in-formation about themselves for entry into college oruniversity databases. However, institutions need to con-sider how distributed databases can be synchronizedwith the master data source so that students do not bearthe responsibility for accuracy of their data in multipledatabases. Institutions should also consider how suchdatabases will be administered to increase consistencyand employ good data management practices.

◆ Institutions should periodically ask students to re-view critical data for accuracy, and should consider theuse of secure technology to allow students direct accessto their own data to facilitate the inspection and reviewprocess.

◆ Institutional policy and procedures should addressthe issues of inspection and review of transactional data,

defining records that can be made available and the re-lated request process.

Recommendations for InformationSecurity, Integrity, and Accountability

◆ The institution should address the development ofpolicies, processes, and procedures that deal with themore critical physical and procedural security issuessurrounding the widespread dissemination of studentinformation via networks.

◆ The institution should take reasonable steps to pro-tect the integrity of student records by ensuring thatthey are not unduly subject to inadvertent or intentionalmodification or deletion when collected, stored, ma-nipulated, displayed, or disseminated using theinstitution’s electronic information resources.

◆ Responsibilities for security should be formally de-fined; security and integrity issues should be consideredan integral and mandatory part of the application designprocess at all levels; and individual system administra-tors and users should be provided technical guidelinesand training related to security issues.

◆ Care should be taken in setting up systems to avoidinappropriate — but in many cases built-in — informa-tion access, such as world-readable log files or Webcaches not cleared from user to user.

◆ Institutions should articulate procedures for howpotential breaches in security or privacy will be handled.

Recommendations for Education

◆ Institutions should address the most effective meth-ods in their environments to provide systematic instruc-tion to students regarding their privacy rights and thepotential implications of uses and misuses of informa-tion. Instruction should include information about as-pects of the technology that may result in these uses andmisuses, beyond simple notification and informed con-sent.

◆ The institution should ensure that faculty, staff, andadministrators are also educated about the legal, ethical,and policy issues surrounding students’ right to privacy.


Appendix D: Checklist for Privacy Policyand Fair Information Practices

The following is a checklist that will help guidethe development or revision of policies on thehandling of student information to ensure pri-

vacy and confidentiality. The task force suggests that theitems below be addressed within the process outlined insection V, and within the framework of recommenda-tions for policy and practice summarized in Appendix C.

The Principle of Notification

___ We have established procedures for notifying stu-dents about their privacy rights and responsibilities in anetworked environment.

___ We have established procedures for notifying stu-dents about disciplinary action that will be taken whenstudents violate the privacy rights of others.

___ We have established procedures for notifying stu-dents about what data are considered “directory infor-mation” and the medium for publishing such informa-tion — paper, campus intranet, public network.

The Principle of Minimization

___ We have a policy that addresses logging and/ormonitoring individually identifiable online transactionsand activity of students.

___ We have a policy that addresses logging and/ormonitoring individually identifiable online transactionsand activity of students at public workstations in com-puter labs.

___ We have established procedures for approving on-campus research using online data, including collectingdata about how students use the campus network.

___ We have an institution-wide policy that addressesissues related to the sources, collection, storage, andpurging of student information in a networked environ-ment.

___ We have a policy about the collection of contin-gency data to manage institutional risk.

The Principle of Secondary Use

___ We have a policy about what students should be toldat the time of enrollment about possible secondary useof information they provide.

___ We have a policy that addresses the potential to cre-ate new, potentially confidential information from exist-ing data that have been collected by the institution.

___ We have defined the routine and compatible uses ofdata the institution expects to employ in the course ofconducting official business.

The Principle of Nondisclosure andConsent

___ We have a policy that addresses nondisclosure andconsent issues that arise in a networked environment,such as what information may be posted on the WorldWide Web, with or without consent, and by whom.

___ We have a policy on nondisclosure and consent thataddresses institutional ownership versus student owner-ship of such student information as digitized signaturesand photographs.

___ We have a policy that addresses issues of sensitivityof data, congruent consent/disclosure mechanisms, andthe ability of students to request that data be treated asmore confidential or to revoke consent.

___ We have a policy that addresses requests for accessto student records by parents.

___ For the purpose of consistency among our policies,we have defined what constitutes an “emergency re-quest” for student e-mail or other electronic records.

___ We have a policy outlining procedures for handlingsubpoenas requesting access to student e-mail and com-puter records.

____ We have a policy that addresses the confidentialityof electronic mail and articulates standards for handlinge-mail by system administrators and others in the cam-pus community.


____ We have a policy that addresses what types of infor-mation are appropriate for transmission by electronicmail.

The Principle of Need to Know

___ We have an institution-wide policy about access tostudent information that includes definition of a schoolofficial and what the institution considers legitimateeducational interest, to guide decisions about who has a“need to know.”

___ We have procedures in place to ensure that new orreengineered automated systems will support privacyrights.

___ We have identified which administrators can ap-prove a search of student e-mail boxes or confidentialrecords.

___ We have identified who may have access to systemstransactions and under what circumstances (for example,monitoring for the purposes of system administration).

___ We have a policy requiring frequent review of jobcategories for need-to-know access.

___ We have a policy requiring a review of need-to-knowstatus when databases are created or merged.

___ We have a policy about which administrators canhave access to student disciplinary information in com-puter abuse cases.

The Principle of Data Accuracy, Inspection,and Review

___ We have a policy and procedures about when andhow students can change their own online directoryinformation.

___ We have a policy and procedures that address theadministration of multiple and/or distributed databasesto ensure good institution-wide data management prac-tices.

___ We have a policy and procedures that address theissues of inspection and review of transactional data.

The Principle of Information Security,Integrity, and Accountability

___ We have a policy on the security of passwords.

___ We have identified authentication methods for on-line commerce.

___ We have a policy regarding level of security/encryp-tion required for sensitive data transmitted through thecampus network.

___ We have a policy regarding level of security/encryp-tion required for sensitive data transmitted throughpublic/untrusted networks.

___ We have a policy with regard to integrity checks forsensitive or mission-critical data transmitted throughthe campus network or through public/untrusted net-works.

___ We have policies regarding appropriate host and net-work security geared to the sensitivity of data.

___ We have identified and publicized appropriate sanc-tions to be levied in cases where students alter onlinedata owned by the institution or data of other students.

___ We have a security policy that formally defines re-sponsibilities for security, encourages the considerationof security in applications development and design, andarticulates procedures for how potential securitybreaches will be handled.

___ We have a training program that ensures that systemadministrators and users are provided technical guide-lines related to security issues.

The Principle of Education

___ We have established a program to provide instruc-tion to students about their privacy rights and the poten-tial implications of uses and misuses of electronic infor-mation resources, including awareness about theinstitution’s policy on e-mail confidentiality.

___ We have established an educational program to en-sure that faculty, staff, and administrators are educatedabout the legal, ethical, and policy issues surroundingstudents’ right to privacy.


A Code of Fair Information Practice

The following code of fair information practice is ex-cerpted from House Report 103-601 Part V and is derivedfrom several sources, including codes developed by theDepartment of Health, Education, and Welfare (1972report); Organization for Economic Cooperation andDevelopment (1981); and the Council of Europe Conven-tion (1981). It was provided to our task force by privacyand information policy consultant Robert Gellman.

1. The Principle of Openness, which provides that theexistence of record-keeping systems and data banks con-taining data about individuals be publicly known, alongwith a description of main purpose and uses of the data.

2. The Principle of Individual Participation, whichprovides that each individual should have a right to seeany data about himself or herself and to correct or re-move any data that is not timely, accurate, relevant, orcomplete.

3. The Principle of Collection Limitation, which pro-vides that there should be limits to the collection of per-sonal data, that data should be collected by lawful andfair means, and that data should be collected, where ap-propriate, with the knowledge or consent of the subject.

4. The Principle of Data Quality, which provides thatpersonal data should be relevant to the purposes forwhich they are to be used, and should be accurate, com-plete, and timely.

5. The Principle of Use Limitation, which providesthat there must be limits to the internal uses of personaldata and that the data should be used only for the pur-poses specified at the time of collection.

6. The Principle of Disclosure Limitation, which pro-vides that personal data should not be communicatedexternally without the consent of the data subject orother legal authority.

7. The Principle of Security, which provides that per-sonal data should be protected by reasonable securitysafeguards against such risks as loss, unauthorized ac-cess, destruction, use, modification, or disclosure.

8. The Principle of Accountability, which provides

that record keepers should be accountable for complyingwith fair information practice.

Principles of Information PrivacyBy Robert Ellis Smith, Publisher, Privacy Journal

Adapted from Our Vanishing Privacy (Loompanics, 1993)Copyright 1993 Robert Ellis Smith. Reprinted with per-mission.

Information collectors are constantly saying, “Privacy isa vague concept. It means different things to differentpeople.” In fact, over the past two decades a substantialamount of study has gone into privacy issues — alwayswith an eye to developing principles that will guidethose who develop information systems. Some of theprinciples that follow have widespread agreement amongexperts in the privacy field; others are fairly new anduntested.

1. There must be no personal-information systemswhose very existence is secret.

2. There must be a way for a person to find out whatinformation about him or her is in a record and how it isused.

3. There must be a way for a person to prevent per-sonal information that was obtained for one purposefrom being used or made available for other purposeswithout the consent of the person.

4. There must be a way for a person to correct oramend a record of identifiable information about theperson.

5. Any organization creating, maintaining, using, ordisseminating records of identifiable personal data mustassure the reliability of the information for its intendeduse and must take precautions to prevent misuse of thedata.

6. Any systems of records about people must have apurpose that is socially desirable, and only relevant in-formation should be collected.

7. To the maximum extent, personal informationshould be gathered from the individual himself or her-self.

Appendix E: Additional InformationPrinciples


8. The keepers of personal information should act inthe role of trustee, safeguarding the information andusing it in the best interests of the individual but not“owning” it.

9. Privacy interests should be considered specificallyin the design and creation of new data systems, commu-nications services, and other new technology that affectsthe interests of individuals.

10. Privacy protections, as much as possible, shouldbe tailored to the needs of each individual, and eachindividual should be able to choose from among variousdegrees of privacy protections, perhaps bearing an addi-tional cost for special services.

11. A company or government agency that compro-mises current expectations of privacy should be obli-gated to offer a means of restoring the lost degree ofprivacy at no cost to consumers.

12. Information provided to a business or govern-ment agency by a person should be used only in connec-tion with services or benefits sought by the person, un-less the person agrees otherwise.

13. Privacy expectations may change over time, asnew technology, new markets, new attitudes, and newsocial concerns emerge.

14. When information is disclosed for commercialpurposes, an individual ought to have a means to “optout” by having his or her information not disclosed.

15. The concept of privacy applies only to actualpersons, not to organizations. It applies only to informa-tion that identifies an individual (by name, number, orotherwise), not to cumulative or anonymous informa-tion.

16. Privacy problems lend themselves to negotiationand complaint resolution, often on a case-by-case basis,rather than hard-and-fast legal language.

17. Personal information provided to a third party(for processing or billing or research) is governed by thesame protections applicable to the original keeper of therecords.

18. Personal information may be transferred fromone country to another only if the second country hasprivacy protection at least equal to those of the firstcountry, unless the first country provides special permis-sion.

19. Information used by a government agencyshould be available to citizens in two formats: in themedia (whether electronic or otherwise) used by the

agency itself, and in the form that is usable and readableto a person without electronic media.

20. In the absence of factual suspicion, overhearingprivate conversations or viewing people’s personal activi-ties from afar with technological enhancements is un-ethical.

Sources:The first five principles of information privacy were origi-

nated by a study committee in the U.S. Department of Health,Education, and Welfare in 1973, and endorsed later by an IBMCorporation study and by the organization of Computer Profes-sionals for Social Responsibility. This “Code of Fair InformationPractice” appears again and again in laws passed since 1973,including the federal Privacy Act, state fair information practiceacts, and national laws enacted by European countries.

Principle 6 is part of the 1981 privacy guidelines of the Or-ganization for Economic Cooperation and Development (OECD)in Europe.

Principle 7 is part of the federal Privacy Act.There is less agreement about Principle 8, which is not yet a

part of any recognized code of practice.Principles 9-13 are based on principles published in 1991 by

the New York State Public Service Commission, under the lead-ership of Commissioner Eli Noam. Principles 10 and 11 togethermean that customers or citizens should not have to pay to pre-serve the privacy status quo; however, customers or citizenschoosing a greater degree of protection should expect to bearat least part of the cost themselves. Many European nationshave adopted a variation of Principle 12, saying that an indi-vidual is entitled to know from the beginning the purpose forinformation he is asked to provide.

Principle 14 is promoted by the direct-marketing industryand others. It begs the question of whether people know theconsequences of “opting out” and whether information shouldbe collected or disclosed at all.

The first part of Principle 15 is a general concept of law.Businesses may have an interest in secrecy or confidentiality butthis is different from the uniquely individual right of privacy.

In the U.S. there is no general agreement on Principle 16,which seems to guide policy makers in Europe, Australia, andCanada.

Principle 17, part of the federal Privacy Act, assures thatprocessing or research organizations merely act as the agent ofthe original organization when it comes to handling personalinformation entrusted to the third party. As a condition of usinginformation from the first organization, the third party agrees tobe bound by the first organization’s privacy safeguards.

Principle 18 is required by law in Austria, Denmark, France,Sweden, and the United Kingdom, and is part of guidelinesdrafted by the European Community to apply to all Europeancountries.

Principle 19 is a concept of freedom of information devel-oped by the author. Principle 20 was developed by the author.


Appendix F: Input to this Report

In fulfilling our charge, the task force sought inputfrom many different segments of the academic com-munity. We are grateful for the thoughtful and in-

sightful input we received from each of these sources —administrators, staff, students, and agency and associa-tion representatives.

Input from Student ServicesAdministrators and InformationTechnology Professionals

To better understand the visions, demands, needs,and concerns of the people who traditionally are respon-sible for collecting, storing, handling, managing, andreleasing student information, members of the task forcefirst surveyed the bursars, admissions officers, registrars,and financial aid officers from our own campuses. Addi-tionally, we conducted phone interviews with persons inthese same roles on other campuses, asking the follow-ing questions:• What types of records do you maintain and collect?• What law/policy guides your practices in this area?• Who are you able to release this information to inter-

nally? Externally?• Where would you like to be in three years regarding

electronic handling of data?• What issues do you see in this regard?

Additionally, the task force solicited input from theCAUSE membership, most of whom are informationtechnology professionals, by requesting contributions ofprivacy policies, examples of privacy incidents, and iden-tification of key issues.

Individuals from each of the following institutionsprovided information, responses, and/or comments tomembers of the task force either in person, via tele-phone, or via electronic mail. While they did not intendto represent the official position of their institutions,they provided invaluable insight into the dilemmas theyface, the questions and concerns they have, and thepressing issues and problems to be resolved.

Arizona State UniversityBoston CollegeBrown University

California Lutheran UniversityCalifornia State University SystemCarnegie Mellon UniversityCentral Washington UniversityCentral College (Iowa)Columbia UniversityCornell UniversityDickinson CollegeHarvard UniversityIndiana UniversityJohns Hopkins UniversityLansing Community CollegeMaricopa Community CollegesMcMaster UniversityMassachusetts Institute of TechnologyMt. Hood Community CollegeNorthwestern UniversityPennsylvania State UniversityPortland State UniversityPrinceton UniversitySan Diego State UniversitySeminole Community CollegeSt. Louis UniversitySimon Fraser UniversitySonoma State UniversityTufts UniversityUniversity of ConnecticutUniversity of DelawareUniversity of KansasUniversity of Maryland/College ParkUniversity of Michigan/Ann ArborUniversity of New MexicoUniversity of North Carolina/Chapel HillUniversity of OregonUniversity of the SouthUniversity of Santa CruzUniversity of Southern CaliforniaUniversity of Tennessee/KnoxvilleUniversity of Texas/AustinUniversity of VirginiaUniversity of Wisconsin/MadisonWest Virginia University


Survey of Student AttitudesMembers of the task force also gathered information

and comments about electronic access to private andpublic personal information from students. The taskforce conducted informal surveys, collecting informal,non-random data from students at the University ofMichigan, Pennsylvania State University, the Universityof the South, the University of Texas at Austin, IndianaUniversity, and MIT. These were not intended to be sta-tistically significant or controlled research studies byany means; however, they did provide anecdotal infor-mation regarding some student attitudes and concerns.

Students were asked to rank their preferences onhow strongly they felt certain information should beprotected, or if it was free to be published within theinstitution and beyond. The student information typesvaried from directory information to more personal in-formation.

In general, students felt it was permissible for infor-mation traditionally defined as directory informationunder FERPA (name, address, phone number) to be pub-lished within and beyond their institution, such as toother colleges and universities, but not to the generalpublic. A small minority felt this information should beaccessible only to others within their institutions. Gen-erally, students felt it was inappropriate for permanentaddresses and phone numbers to be published, prefer-ring that only their school addresses be published.

Regarding more personal information, most studentswere in favor of protecting these records from anyoneother than those officials authorized to access the dataand the students themselves for review of the files. Thisview was held whether the frame of reference was withinthe university, beyond the university to other scholars,or to the general public.

A class of MIT students were asked to identify thepros and cons associated with the institution puttingstudent photos on the Web. Students were thoughtfulabout the issues, identifying both valuable uses and po-tential misuses. While they recognized the potentialbenefits to faculty of having access to student photos,they generally felt that the photos should have restrictedaccess within the university community, and that theplacement of photos on the network needed to be fullywithin the decision-making purview of each student.

ReviewersOur task force asked a number of individuals with

specific institutional or organizational perspectives toreview this paper and provide input prior to publication.We are grateful to those who responded to our request:

Robert Atwell, President EmeritusAmerican Council on Education

Wayne Becraft, Executive DirectorAACRAO

Herbert Evert, Associate RegistrarUniversity of Wisconsin/Madison

Susan J. Foster, Vice President, Information TechnologiesUniversity of Delaware

Robert Gellman, Privacy & Information Policy Consultant

Marjorie Hodges, Policy AdvisorOffice of Information TechnologiesCornell University

Steve Jarrell, Executive DirectorAdministrative Information ServicesUniversity of North Carolina/Chapel Hill

Paula T. Kaufman, Dean of LibrariesUniversity of Tennessee/Knoxville

Anne Oribello, Information Security OfficerBrown University

Rodney Petersen, Coordinator, Policy and PlanningAcademic Information Technology ServicesUniversity of Maryland/College Park

Richard Rainsberger, RegistrarCentral College (Iowa)

LeRoy Rooker/Sharon ShirleyFamily Policy Compliance OfficeDepartment of Education

Barbara Simons, ChairpersonUnited States Policy CommitteeAssociation for Computing Machinery

Duane Webster, Executive DirectorAssociation of Research Libraries

Donald J. Wermers, RegistrarUniversity of Wisconsin/Madison


Appendix G: References

Alderman, E., and C. Kennedy. The Right to Privacy, NewYork: Alfred A. Knopf, 1995.

Allmendinger, Susan. “Internet-Worthy: Getting Stu-dents Fit for the Road.” CAUSE/EFFECT, Spring 1995,56-57.

American Association of Collegiate Registrars and Admis-sions Officers (AACRAO). Guidelines for Post SecondaryInstitutions for Implementation of the Family Educa-tional Rights and Privacy Act of 1974 As Amended.Washington, D.C.: AACRAO, 1995.

Askins, Peggy C. (ed). Misrepresentation in the Market-place and Beyond: Ethics Under Siege. Washington,D.C.: AACRAO, 1996.

Baase, Sara. A Gift of Fire: Social, Legal, and Ethical Issuesin Computing. New York: Prentice-Hall, 1996.

Bernbom, Gerald, Mark Bruhn, and Dennis Cromwell.“Security in a Client/Server Environment.” CAUSE/EFFECT, Winter 1994, 19-26.

Branscomb, Anne Wells. Who Owns Information? FromPrivacy to Public Access. New York: Basic Books, 1994.

Computer Matching and Privacy Protection Act of 1988,5 U.S.C. §552a(o) (1988).

Computerization and Controversy: Value Conflict and So-cial Choices. Edited by Charles Dunlop and Rob Kling.Boston: Academic Press, 1991.

Computers, Ethics & Social Values. Edited by Deborah G.Johnson and Helen Nissenbaum. Englewood Cliffs,N.J.: Prentice-Hall, 1995.

Electronic Communication Privacy Act of 1968, codifiedas amended at 18 U.S.C. §§2510-21 (1988).

Electronic Privacy Information Center. “Privacy Guide-lines for the National Information Infrastructure: AReview of the Proposed Principles of the PrivacyWorking Group.” Report 94-1. In EPIC database [data-

base online]. See http://www.epic.org/privacy/internet/EPIC_NII_privacy.txt

European Parliament and Council of the EuropeanUnion. Directive 95/46/EC of the European Parliamentand of the Council of 24 October 1995 on the Protectionof Individuals with Regard to the Processing of PersonalData and on the Free Movement of Such Data. Brussels,1995.

Family Educational Rights and Privacy Act of 1974, 20U.S.C. §1232g (1996).

Graves, William H., Carol G. Jenkins, and Anne S. Parker.“Development of an Electronic Information PolicyFramework.” CAUSE/EFFECT, Summer 1995, 15-23.

Hodges, Marjorie W., and Steven L. Worona. “Legal Un-derpinnings for Creating Campus Computer Policy.”CAUSE/EFFECT, Winter 1996, 5-9.

Information Infrastructure Task Force. InformationPolicy Committee. Privacy Working Group. “Privacyand the National Information Infrastructure: Prin-ciples for Providing and Using Personal Information.”Final version. June 6, 1995. In EPIC database [databaseonline].

Jacobson, Carl. “Internet Tools Access AdministrativeData at the University of Delaware.” CAUSE/EFFECT,Fall 1995, 7-12.

Johnson, T. “Protecting Privacy in the Face of Technol-ogy.” Risk Management 88 (May 1992).

Johnson, T. Page. “Managing Student Records: TheCourts and the Family Educational Rights and PrivacyAct of 1974 (FNa).” West Publishing Company, 1993.In Westlaw database [database online], 79 WELR 1, 79Ed. Law Rep. 1.

Kallman, E., and S. Sherizen. “Privacy Matters.”Computerworld, 23 November 1992.


Litigation Under the Federal Open Government Laws. 17thed. Edited by Allan R. Adler. Washington, D.C.: Ameri-can Civil Liberties Union Foundation, 1992.

Marx, E. “Encrypting Personal Identifiers.” Health Ser-vices Research 29:2 (June 1994).

McLaughlin, J.A. “Intrusions Upon Informational Seclu-sion in the Computer Age.” John Marshall Law Review17:831-839 (1984).

National Research Council Computer Science and Tele-communications Board. For The Record: ProtectingElectronic Health Information. Washington, D.C.: Na-tional Research Council, 1997.

Organisation for Economic Co-operation and Develop-ment. “OECD Recommendation Concerning andGuidelines Governing the Protection of Privacy andTransborder Flows of Personal Data.” O.E.C.D Docu-ment C(80)58 (Final). 1980. In EPIC database [data-base online]. Available on the Internet at http://cpsr.org/cpsr/privacy/privacy_international/international_laws/ 1980_oecd_privacy_guidelines.txt

Porter, John D., and John J. Rome. “Lessons Learnedfrom a Successful Data Warehouse Implementation.”CAUSE/EFFECT, Winter 1995, 43-50.

Privacy Act of 1974, 5 U.S.C. §552a (1996).

Privacy Rights Clearinghouse. First Annual Report of Pri-vacy Rights Clearing house. San Diego, California:Center for Public Interest Law, University of SanDiego, 1994.

Privacy Rights Clearinghouse. Second Annual Report ofPrivacy Rights Clearing house. San Diego, California:Center for Public Interest Law, University of San Di-ego, 1995.

Rainsberger, Richard. FERPA and Secondary Education:The Family Educational Rights and Privacy Act of 1974as Amended and the Student. Washington, D.C.:AACRAO, 1997.

Rezmierski, Virginia. “Electronic Communication: Vaporor Paper?” In The Use and Abuse of Computer Networks:Ethical, Legal, and Technological Aspects. Preliminaryreport based on a conference held December 17 to 19,

1993, at the Arnold and Mabel Beckman Center of theNational Academies of Sciences and Engineering,Irvine, California. Washington, D.C.: American Asso-ciation for the Advancement of Science, 1994.

__________. “Managing Information Technology Issuesof Ethics and Values: Awareness, Ownership, and Val-ues Clarification. CAUSE/EFFECT, Fall 1992, 12-19.

Smith, H. Jeff. Managing Privacy: Information Technologyand Corporate America. Chapel Hill, N.C.: Universityof North Carolina Press, 1994.

Smith, Robert Ellis. Compilation of State and Federal Pri-vacy Laws. 1992 ed. Providence, R.I.: Privacy Journal,1992.

U.S. Department of Commerce. “Privacy and the NII:Safeguarding Telecommunications-Related PersonalInformation.” Washington, D.C., 1995. In UnitedStates National Information Infrastructure VirtualLibrary [database online]. Available on the Internet atgopher://www.ntia.doc.gov:70/H0/policy/privwhitepaper.html.

U.S. Department of Education. Education Data Confiden-tiality: Two Studies. Washington, D.C.: U.S. Govern-ment Printing Office, 1994.

U.S. Department of Health, Education, and Welfare. Of-fice of Technology Assessment. “Protecting Privacy inComputerized Medical Information.” Washington,D.C.: U.S. Government Printing Office, 1973.

U. S. Privacy Protection Study Commission. “PersonalPrivacy in an Information Society.” Washington, D.C.:U.S. Government Printing Office, 1977.

Warren, Samuel D., and Louis D. Brandeis. “The Right toPrivacy.” The Harvard Law Review. 4, no. 5 (December15, 1890): 193-220.

Webster, Sally, and Frank Connolly, “When Bad ThingsHappen to Good Campuses,” CAUSE/EFFECT, Spring1996, 44-48.

Westin, Alan F. Privacy and Freedom. New York:Athenium, 1967.


Appendix H: Resources

AACRAOThe American Association of Collegiate Registrars andAdmissions Officers (AACRAO) is a nonprofit, volun-tary professional association of more than 8,800 highereducation administrators who represent more than2,300 institutions and agencies in the United States andabroad. AACRAO’s Guidelines for Postsecondary Institu-tions for Implementation of the Family Educational Rightsand Privacy Act of 1974 as Amended (Richard A.Rainsberger, et al.; 1995; 124 pp; Item #1246) updatescurrent terminology, requirements, procedures, andstrategies for compliance, issues such as SPEEDE/ExPRESS, fax, and parental access, student directories,and annual notification of students. The AACRAO Gov-ernment Relations Department offers a weekly elec-tronic newsletter through the Govrel-L listserv that con-tains timely information on important subjects, includ-ing FERPA and privacy issues. AACRAO’s Web site canbe found at http://www.aacrao.com/

CAUSECAUSE serves as a clearinghouse for information onmanaging and using information resources in highereducation. Its Information Resources Library is an inter-national repository for documents contributed by mem-ber campuses, CAUSE/EFFECT journal articles, and con-ference papers. Information about and access to thelibrary is available through the CAUSE Web server(http://www.cause.org/).

Also at the CAUSE Web site is a resource page thatprovides links to networked information policies thathave been contributed to the library, many of which areavailable electronically on the Web and linked fromthat page. The page (at http://www.cause.org/issues/policy.html) provides links to related resources, such asthe Electronic Frontier Foundation’s guidelines forcomputing policies.

Among the resources listed on the CAUSE policypage is a site at the University of Texas/Austin, devel-oped as part of the task force’s efforts, which providesan index and hypertext links to nearly 100 policies thatdeal with privacy and the handling of student informa-

tion at various colleges and universities, indexed by statelocation (see http://www.utexas.edu/computer/vcl/projects/privacy.html).

Computer Security InstituteThis membership organization, located in San Francisco,publishes materials and sponsors workshops on the latestin computer security hardware and policies. For furtherinformation, call 415-905-2626 or send e-mail [email protected]

Electronic Frontier Foundation (EFF)The Electronic Frontier Foundation is a non-profit civilliberties organization working in the public interest toprotect privacy, free expression, and access to publicresources and information in new media. EFF’s Web site,at http://www2.eff.org, provides a wealth of informationrelated to this subject.

Electronic Privacy Information CenterThe Electronic Privacy Information Center (EPIC) is apublic interest research center in Washington, D.C., es-tablished in 1994 to focus public attention on emergingcivil liberties issues and to protect privacy, the FirstAmendment, and constitutional values. EPIC’s Web site(at http://www.epic.org) provides legislative updates onthese issues and more.

Privacy JournalPrivacy Journal is an independent monthly publicationon privacy in a computer age available on a subscriptionbasis. Other privacy-related publications are offeredthrough the journal. Inquire at P. O. Box 28577, Provi-dence, RI 02908 (e-mail [email protected]).

U. S. Department of Education, FamilyPolicy Compliance OfficeThis government office enforces the requirements of theFamily Educational Rights and Privacy Act and canclarify its requirements. For further information, contactLeRoy Rooker in the Family Policy Compliance Office([email protected]).


CAUSE is an international nonprofit association dedicated to enabling the trans-

formational changes occurring in higher education through the effective man-

agement and use of information resources — technology, services, and informa-

tion. Incorporated in 1971, CAUSE serves its membership of over 1,400 cam-

puses and organizations and nearly 4,000 individuals from its headquarters in

Boulder, Colorado.

CAUSE is an Equal Opportunity Employer and is dedicated to a policy that fosters

mutual respect and equality for all persons. The association will take affirmative

action to ensure that it does not discriminate on the basis of age, color, religion,

creed, disability, marital status, veteran status, national origin, race, sex, or sexual

orientation, and encourages members and other participants in CAUSE-related

activities to respect this policy.