Privacy Considerations during Modified Campus Operations due to COVID-19

(23APR2020; check back for updates as the situation evolves)

ANNOUNCING Ask a Privacy Officer. A "drop-in" Zoom session where our Campus Privacy Officer answers your questions about privacy in the time of COVID-19. April 24th, 11am. Registration required:  https://ucsd.zoom.us/meeting/register/tJ0tc-GurzouEtXaoiYUYN14uW4Vak1YNi6r

 

  1. General:  As campus modifies the ways in which we conduct business and moves most interactions online during this outbreak, please be mindful that general privacy requirements remain intact. Use of remote delivery software and technologies heightens the criticality of existing privacy and information security requirements. We remind the campus community to continue to follow the UC San Diego Guiding Principles for Personal Data, FERPA requirements, GDRP requirements, and privacy office guidance. Remember that privacy is the joint responsibility of the campus community and the service providers. For additional resources or questions, please contact the Campus Privacy Office, the Registrar’s Office at students.ucsd.edu/sponsor/registrar, or the Ed Tech website for educational continuity at keepteaching.ucsd.edu.  

  2. Videoconferencing, generally: 

    1. As with all electronic communications within the University’s purview, administrative access to the information, video, audio, and metadata of online platforms is limited to the specific circumstances described in the UC Electronic Communications Policy (ECP) and must comply with the UC San Diego PPM 135-5. Contact the Campus Privacy Office with any questions.

    2. Avoid video or audio recording of administrative meetings unless absolutely necessary. Recordings should never be saved on personal devices (i.e., non-university-issued). Recordings should only be stored on university-approved services (e.g., in the UC San Diego Kaltura, Canvas, or Google Drive services, not in one's personal Google account). Zoom has the capability to disallow recordings by anyone who is not the host (Settings → Recordings → Local Recording).

    3. If you will be recording, individuals must be given notice at the beginning of the recording; ideally, the notice is also recorded. If participant video is not necessary, consider whether only the host needs to be visible in order to minimize bandwidth usage. Zoom has a feature to automatically inform all users that the session is being recorded and provide an option to opt out (Settings → Recordings → Recording Disclaimer). Participants may use appropriate pseudonyms during recordings if they let the host/instructor know before the session. Students should be informed that when cheating is suspected, the recording may become part of an administrative disciplinary record. Recordings should be retained no longer than necessary; consult with the campus Policy & Records Administration Office on guidance regarding retention schedules. Below is sample notification language:                                                                                "This program uses video and audio recording or other personal information for the purpose of facilitating the course/class/meeting. If you have privacy concerns and do not wish to appear in the recording of the class session, do not turn on your video. If you prefer to use a pseudonym instead of your name, please let the instructor know what name you will be using before class so that they will know who you are during the session. You may use the Zoom private chat feature to comment or ask questions. UC San Diego does not allow vendors to use this information for other purposes. Recordings will be deleted when no longer necessary. However, if cheating is suspected, the recording may become part of the student’s administrative disciplinary record.”   

    4. Individuals can use Zoom’s virtual background feature if they do not want to have their surroundings visible. Be mindful of others who may not wish to be visible or recorded in the background (But see note re: proctoring below).Other Zoom information:

      1. The privacy and information security offices are actively monitoring and assessing Zoom’s privacy and security stance on an ongoing basis and adjusting guidance based on changing circumstances. In response to public scrutiny, Zoom has disabled the “attention tracker” feature and stopped sharing personal information with Facebook. They have represented that do not currently employ any facial recognition software on videos. 
      2. “Zoom bombing” is the practice of uninvited individuals entering a video call, often to voice hateful and racist views. Videoconferencing hosts should monitor participants on teleconference calls to reduce the chance of unauthorized persons on the calls. Consider using a unique meeting ID for each gathering or class or requiring authentication and a passcode for participants (Settings → Profile → Personal Meeting ID; Meetings → Authenticate, Password). You may also uncheck the “join before host” option. 
      3. Users who are calling in via a phone should use the Zoom feature that masks their phone numbers.
      4. For more information about Zoom settings, please consult the UC San Diego Zoom page:  https://blink.ucsd.edu/technology/file-sharing/zoom/index.html

       

  3. Telecommuting:  Employees working from alternate locations should:
    1. Only use university issued devices when accessing or storing data classified at the P4 level.

    2. Ensure their sensitive conversations cannot be overheard or work observed by unauthorized persons in the alternate work location.

    3. Ensure that hard copy sensitive university records can be secured in the alternate work site. Have a file or box to store items during non-work hours. 

    4. Take extra time to verify the identities of collaborators and students, particularly as they may be receiving calls from unfamiliar numbers. Verify and double-check identities, email addresses, or phone numbers prior to disclosing P2-P4 information to anyone. 

    5. Orient computer screens to reduce the chance of shoulder surfing. 

    6. Schedule deliveries of important university items or documents to campus when UC staff are present. Review the latest updates for campus mail service and submit a logistics form to designate how your office/lab mail should be handled. 

    7. Tips and good practices can be found here:  https://blink.ucsd.edu/technology/file-sharing/remote-work/tips.html

  4. Online class and content delivery, in addition to videoconferencing guidance above:

    1. Instructors and staff should use the platform(s) selected and approved by the University. Platforms that have not been vetted by the university should not be used. 

    2. Instructors are encouraged to provide other means of participation for students who do not want to be recorded (e.g., submitting questions and comments online). Instructors are encouraged to provide other means of participation for students who do not want to be recorded (e.g., submitting questions and comments online). As a reminder, notice is required to all participants of a recorded class. Instructors should explain in the class syllabus that classes will be recorded; in addition, at the beginning of the recording, notice of the recording should be provided. 

    3. Instructors should not require students who have placed a FERPA block on their directory information, or otherwise requested that the instructor not identify them in an online environment, to use their name or their camera during online classes.

    4. If students have privacy concerns and do not wish to appear in the recording of a class, they should not turn their video on. If they prefer to use a pseudonym instead of their name, they should let the instructor know what name they will be using. They may also ask questions or provide comments through the privacy chat feature of Zoom or through other private methods.
  5. Online exams and proctoring, in addition to videoconferencing guidance above: 

    1. Requiring students to turn on their camera to be watched or recorded at home during an exam poses significant privacy concerns and should not be undertaken lightly. Several proctoring services use machine learning, AI, eye-tracking, key-logging, and other technologies to detect potential cheating; these should be used only when no feasible alternatives exist. If instructors are using one of these services during the COVID-19 measures, they must provide explicit notice to the students before the exam. Instructors are encouraged to work with the Digital Learning Hub in the Commons and the Academic Integrity Office to consider privacy-protective options, including how to use question banks (in Canvas), that will uphold integrity and good assessment design.

    2. During classes, students should be encouraged to use the virtual background feature of Zoom if they do not want their surroundings to be visible. However, the point of proctoring is to be able to assure that students are completing their exams independently and without assistance so students are encouraged to take their exam in a room that has no one else present. Proctors and instructors are strongly discouraged from requiring students to show their surroundings on camera.

    3. Students who have no computer to complete their final exams may take advantage of computers in most labs. Students must observe social distancing and wash their hands before and after lab use. Finals CANNOT be held in a lab, that is, instructors cannot be present nor can students from a specific class be asked to gather there for a final. This is only for those students who need a computer to drop in and complete their exam.

  6. Online advising:

    1. Online advising can occur via chat, audio, or videoconferencing but should be done using services approved by the university (e.g., Skype for Business, VAC, Zoom) or by phone. Sessions should not be recorded; rather, the advisor should log notes as they do now. The advisor should always be logged in on campus or through a VPN when advising. 

    2. Advisors should not hold advising sessions in public spaces or where other household members can hear details of the conversation. Students should be advised about security and told not to use an open network.

    3. Take extra time to verify the identities of students. Verify and double-check identities, email addresses, or phone numbers prior to the discussion. 

  7. Human Resources; Employee and Student Health:  Managers should not ask for health information about employees and employees’ family members without discussing with campus counsel and the Campus Privacy Officer first. Generally, units should consider whether the questions they are asking, or the information they are disclosing, are really necessary to be collected or disclosed. The US Equal Employment Opportunity Commission (EEOC) has provided additional guidance to employers

    Symptomatic individuals:  University administration must inform the Campus Emergency Operations Center (EOC) if an individual shows symptoms of COVID-19 (fever and/or dry cough); the EOC is the first and only entity that administration may inform. Do not take steps to notify contacts, family, friends, or others and be cognizant of information that may indirectly identify a symptomatic individual. If a student shows symptoms of COVID-19, have the student call Student Health Services at (858) 534-3300. SHS will provide instructions for the student to follow. If a staff member shows symptoms of COVID-19, have the staff member contact their health care provider and follow the health care provider’s direction. If the manager has any questions, they can contact the Campus Emergency Operations Center (EOC) at eoc@ucsd.edu or (858) 246-4841. Do not take steps to contact anyone without instructions from the EOC or public health authorities. 

  8. Privacy reviews of tools, services, vendors; emergency purchasing protocols:  Privacy considerations are crucial as campus instruction and business move almost entirely online. To assure business continuity for the Spring Quarter of 2020, many new agreements for technologies, suppliers, or expansion of existing platforms are requiring immediate privacy review as part of the procurement process. In response, expedited privacy reviews are available for consideration of new technologies, new suppliers, or new uses of existing platforms; privacy recommendations are limited to 1) emergency use 2) during the Spring Quarter and 3) where necessary or where more privacy-protective alternatives are not available or feasible. Agreements put in place as a result of an expedited review should only be for the Spring Quarter. Should use of the tool, service, or supplier still be needed following the Spring Quarter, the agreement must be renewed, including a standard privacy review. All uses must comply with relevant privacy laws, including FERPA and the EU GDPR.

  9. Patient care and HIPAA guidance:  Individuals who provide patient or student health care should contact the UC San Diego Health Compliance Program at hscomply@health.ucsd.edu, and view a recent Q&A.

  10. Phishing:  Opportunistic cyber attackers can take advantage of a crisis with phishing campaigns that target individuals. Do not lower your privacy or security guard! Be vigilant with COVID-19-themed phishing lures, particularly with emails that contain attachments or links. Many actors are gaining the trust of victims by using branding associated with the CDC, the WHO, or companies, such as FedEx.
And finally:

 

We are updating this list as needed to address issues arising frequently and to clarify guidance as the situation evolves.

With thanks for the gracious collaboration of UC campus privacy officials and UC San Diego colleagues.