RISK IN ASSESSMENT | Assessment and Research

Introduction - Data Management Compliance in Assessment

Data, meaning “facts, statistics, or items of information” (“Data”, n.d.), permeate through all aspects of our work. At an institution that receives funding from both the federal government and the State of Florida, the data we use daily have substantial responsibilities tied to them.

The purpose of this module is to ensure that all Division of Student Affairs staff:

• Know how to securely store, collect, and share sensitive or restricted data
• Understand the policies that support proper data usage as well as the risks associated with non-compliance or misuse

The core concepts that contribute to meeting compliance standards in data management are privacy, risk (or security in its absence), and data integrity. For most Student Affairs professionals this means successfully navigating the Family Educational Rights and Privacy Act (FERPA) through day-to-day interactions with student records and identifying information (UF Catalog, n.d.).

Data Classification

There are several components to understanding the risks and responsibilities associated with the data that you are tasked with storing, collecting and sharing as a part of your role within the University of Florida’s Division of Student Affairs.

• Understand how UF data are classified. UF’s Information Technology team’s Data Classification Guidelines are a valuable tool to help quickly identify the level of sensitivity associated with your array data (UF Information Technology, n.d.).
• Know who owns what data within the University of Florida by learning the UF Data Governance Structure (UF Data, n.d.).
• Identify your data governance role(s) as well as those of your colleagues with respect to the data you work with (UF Data, n.d.).

Data Storage/Maintenance

The following tools are secure and sustainable methods of collecting restricted FERPA (data as well as less sensitive forms of information. All tools have extremely high or unlimited storage capacity and are support by UF Information Technology (UFIT). Acceptable file types include, but are not limited to Microsoft platforms (e.g., Word, Excel, PowerPoint), PDF, SPSS, Adobe Creative Suite (e.g., Acrobat, Photoshop, Illustrator), and PNG.

Do not store data worth saving in files on your Desktop. Cloud storage systems assigned to you or your work team are not only the most reliable but also have the most storage space available to keep your computer running efficiently.

Below a highlighted list of tools supported by UF Integrated Risk Management (UF IRM, n.d.):
• GatorCloud OneDrive
• UF Teams (file storage function supported by OneDrive)
• UF Dropbox
• G Suite (UF Google)

Use of FERPA data requires annual recertification compliance training through the myTraining system at http://mytraining.hr.ufl.edu/ (FERPA Basics PRV802 & Faculty PRV803).

Secure Data Sharing

If your role requires managing data or you work with colleagues who manage data, it is likely that at some point you will either send or receive data electronically. The policy and tools for this are below.

DO NOT SEND Student UFIDs or other FERPA-protected data through email. Student UFIDs are classified as Restricted and covered by FERPA (UF Privacy, 2018).

UFIDs for employees are not classified as restricted data (UF Privacy, 2018).

Managing Data Requests – Full Student Affairs Policy still under construction… In the meantime, please see below for a few tips for non-Student Affairs departments/entities request Student Affairs unit data:

• Ask for the request in writing (e.g., email or PDF), and coach them to include
a. What specific data are being requested (e.g., UFID, type of interaction, date-time stamp)?
b. What is the purpose or business case at the heart of the data request?
c. Who will have access to the data upon receiving it?
d. How will the data be used?
e. How will the data not be used?
f. Are there any stipulations for sharing the data (e.g., must be kept in informed before summarized data are shared with a 3rd party or used to make decisions that might impact the unit from which the data originated)?

• Secure authorization from appropriate data governance roles within Student Affairs before fulfilling the request.

Secure Data Collection

• Do not collect Student UFIDs. Student UFIDs are restricted data and if you have a business need to request them then you will first need to submit a request for risk assessment with UF Privacy.

• If you need to collect unique identifiers for students:
1. Make sure that you have a legitimate business need for collecting student identification information. What is my goal for collecting this information? Can I accomplish my goal without collecting identifiable student data?
2. If you have a legitimate reason, please collect students’ UF email addresses (e.g., AlbertGator@ufl.edu)
3. Use secure data storage/maintenance methods (outlines above)

• Qualtrics – “Please note that Protected Health Information (PHI) is not permitted in the questions or answers of Qualtrics” (UF e-Learning, https://elearning.ufl.edu/supported-services/qualtrics/). If you are collecting restricted data, please contact Student Affairs Assessment & Research to collaborate on a risk assessment submission.

• Online forms, etc.

Summary

• You are responsible for data security for both students and employees.
• Your records are subject to public records requests.
• Inappropriate use or sharing of information can lead to progressive disciplinary action up to and including dismissal.
• Student Affairs Assessment & Research, Student Affairs Information Technology, and Student Affairs Risk Management Services are here to help guide you through if you have any questions.

References

Data. (n.d.). Dictionary.com dictionary. Retrieved August 4, 2020, from https://www.dictionary.com/browse/data?s=t

University of Florida Catalog. (n.d.). FERPA and Confidentiality of Student Records. Retrieved August 4, 2020,from https://catalog.ufl.edu/UGRD/academic-regulations/ferpa-confidentiality-student-records/#ferpastudentrightstext

University of Florida Information Technology. (n.d.). Data Classification Guidelines. Retrieved August 4, 2020,from https://it.ufl.edu/policies/information-security/related-standards-and-documents/data-classification-guidelines/

University of Florida Privacy. (September 1, 2018). Section 5: Security of PHI and Other Restricted Data. https://privacy.ufl.edu/wp-content/uploads/2018/08/5.2-E-Mail-Privacy.pdf

University of Florida Privacy. (September 1, 2018). Section 6: Other Privacy Policies and Procedures. https://privacy.ufl.edu/wp-content/uploads/2018/08/6.6-Privacy-of-UFIDs.pdf

University of Florida eLearning. (n.d.). Qualtrics. Retrieved August 4, 2020,from https://elearning.ufl.edu/supported-services/qualtrics/

University of Florida Data. (n.d.). UF Data Governance Structure. Retrieved August 4, 2020,from https://data.ufl.edu/organization/

University of Florida Data. (n.d.). Data Governance Roles. Retrieved August 4, 2020,from https://data.ufl.edu/organization/

Google for Education. (September 2018). G Suite for Education (Online) Agreement https://gsuite.google.com/terms/education_terms.html?_ga=2.57845098.1125475825.1595856110-551330156.1584464867

University of Florida Integrated Risk Management. (n.d.). How to Safely Work with My Data at UF. Retrieved August 4, 2020,from https://irm.ufl.edu/uf-data-guide/

Next Module