Recommended Privacy Practices for UC San Diego “Return to” Programs

(26JUN2020; check back for updates as the situation evolves)

The Principles for Responsible Operation of University Locations in Light of the SARS-COV-2 Pandemic, adopted by The Regents at their May 20, 2020, meeting are meant “to guide campus scenario planning as on-site operations increase and in the event they need to be scaled back to respond to a future pandemic surge.” Developing plans for testing and contact tracing is among the first items on the roadmap to ramp up safe on-site operations. There are also significant privacy concerns associated with such large-scale programs, particularly when amplified by technology. These concerns are expressed in articles in mainstream media, in papers by privacy law and other expert scholars, and in the numerous proposals for federal legislation to constrain these systems so that they do not become more general tools of surveillance.

Use of personal data is crucial in the delivery of healthcare as well as to ensure health and safety in the workplace, in education, and in public facilities. The rapid development of large-scale programs in our novel circumstances prompts the need for careful consideration of the use and protection of personal data along the way. Transparency, a foundational privacy principle, enhances trust, which is crucial for endeavors that depend upon widespread adoption and public participation. It also provides clarity around goals and practices for the entire campus community.[1]

Campus reopening efforts may include any one of the following components, all of which process personal data:

  • Symptom surveys/screening
  • Temperature checks/thermal imaging
  • Job site/building access controls/building visitor logs
  • Diagnostic testing
  • Antibody testing
  • Collecting doctor notes
  • Isolation housing
  • Contact tracing (analog or digital)
  • Case investigations
  • Proximity tracking
  • Research and modeling 

Key risks if privacy principles are not consistently included in the development of these programs include:

  • Resistance to participation
  • Misunderstanding or misapplication of program goals
  • Community mistrust of UC San Diego
  • Discrepancies between program goals and actual practices
  • Collection, access to, or sharing of data elements beyond intended program goals
  • Mishandling or breach

Advantages of designing programs with privacy practices built-in include:

  • Greater participation in, and support for, the UC San Diego “Return to” Programs
  • Fewer complaints from the community and the public
  • Demonstrable action around equity, diversity, and inclusion
  • Increased sense of safety in the campus community
  • Wider community trust in UC San Diego
  • Reduced liability – civil rights/privacy litigation, data breach management

These recommended privacy practices are offered in support of these programs. The UC San Diego Campus Privacy Officer can assist in providing practical advice for implementing these practices. 

Recommended Privacy Practices

Individuals should

  • Be informed about the data handling practices of each component of the program (i.e., who, what, why, where, and when; see, e.g., Symptom Screening Privacy Statement)
  • Give explicit consent for some program elements; determination may be based on a variety of considerations, for example, sensitivity or volume of data or intrusiveness of the technology used
  • Have a single point of contact for questions and concerns

Programs should

  • Be limited to concrete public health activities
  • Have a written protocol describing practices and procedures
  • Have a communications plan developed for rollout
  • Be reviewed and adjusted at each stage along the resilience roadmap to fit the circumstances
  • End when no longer needed for concrete public health activities
  • Include health and campus privacy officers in the design of the program, training materials, and communications plan
  • Be analyzed for equity, diversity, and inclusion to prevent discrimination, intimidation, conflict, and bias, which could occur through certain uses of data
  • Have an appointed oversight group to ensure accountability for the consideration of ethics, human rights, privacy, proportionality of measures to their impact and effectiveness, and the appropriate handling and segregation of personal data[2]

Data should

  • Be collected only if necessary and relevant for the stated purpose(s) and for the relevant population (e.g., teleworking employees generally would not need a symptom survey); and should distinguish between collection by a healthcare provider and another entity
  • Be used only for the specified purpose communicated to individuals
  • Be properly secured from unauthorized use or disclosure, including when processed by applications that collect data, in accordance with UC information security policy and practices
  • Have written procedures allowing for data subject access rights (e.g., by students, represented staff, and the community) in accordance with applicable law and UC practices
  • Be accessible only to those with a need to know, and campuses should distinguish between medical professionals providing healthcare and administrators protecting public health and facilitating campus operations
  • Be retained no longer than necessary or as required by the UC Records Retention Schedule; if kept beyond a program’s sunset, data use should be considered a new program
  • Be de-identified, anonymized, and/or aggregated for analysis, reporting, and research to the extent feasible while maintaining usefulness for tangible public health needs
  • Be collected with practices informed by input from the health and campus privacy officers for alignment with existing campus practices

[1] OECD Guidelines on the Protection of Privacy; Privacy questions for COVID-19 testing and health monitoring
[2] World Health Organization. Ethical considerations to guide the use of digital proximity tracking technologies for COVID-19 contact tracing


Privacy Considerations during Modified Campus Operations due to COVID-19

(23APR2020; check back for updates as the situation evolves)

  1. General:  As campus modifies the ways in which we conduct business and moves most interactions online during this outbreak, please be mindful that general privacy requirements remain intact. Use of remote delivery software and technologies heightens the criticality of existing privacy and information security requirements. We remind the campus community to continue to follow the UC San Diego Guiding Principles for Personal Data, FERPA requirements, GDPR requirements, and privacy office guidance. Remember that privacy is the joint responsibility of the campus community and the service providers. For additional resources or questions, please contact the Campus Privacy Office, the Registrar’s Office at students.ucsd.edu/sponsor/registrar, or the Ed Tech website for educational continuity at keepteaching.ucsd.edu.

  2. Videoconferencing, generally: 

    1. As with all electronic communications within the University’s purview, administrative access to the information, video, audio, and metadata of online platforms is limited to the specific circumstances described in the UC Electronic Communications Policy (ECP) and must comply with the UC San Diego PPM 135-5. Contact the Campus Privacy Office with any questions.

    2. Avoid video or audio recording of administrative meetings unless absolutely necessary. Recordings should never be saved on personal devices (i.e., non-university-issued). Recordings should only be stored on university-approved services (e.g., in the UC San Diego Kaltura, Canvas, or Google Drive services, not in one's personal Google account). Zoom has the capability to disallow recordings by anyone who is not the host (Settings → Recordings → Local Recording).

    3. If you will be recording, individuals must be given notice at the beginning of the recording; ideally, the notice is also recorded. If participant video is not necessary, consider whether only the host needs to be visible in order to minimize bandwidth usage. Zoom has a feature to automatically inform all users that the session is being recorded and provide an option to opt out (Settings → Recordings → Recording Disclaimer). Participants may use appropriate pseudonyms during recordings if they let the host/instructor know before the session. Students should be informed that when cheating is suspected, the recording may become part of an administrative disciplinary record. Recordings should be retained no longer than necessary; consult with the campus Policy & Records Administration Office on guidance regarding retention schedules. Below is sample notification language:

       “This program uses video and audio recording or other personal information for the purpose of facilitating the course/class/meeting. If you have privacy concerns and do not wish to appear in the recording of the class session, do not turn on your video. If you prefer to use a pseudonym instead of your name, please let the instructor know what name you will be using before class so that they will know who you are during the session. You may use the Zoom private chat feature to comment or ask questions. UC San Diego does not allow vendors to use this information for other purposes. Recordings will be deleted when no longer necessary. However, if cheating is suspected, the recording may become part of the student’s administrative disciplinary record.”

    4. Individuals can use Zoom’s virtual background feature if they do not want to have their surroundings visible. Be mindful of others who may not wish to be visible or recorded in the background (but see the note on proctoring below).

    Other Zoom information:

      1. The privacy and information security offices are actively monitoring and assessing Zoom’s privacy and security stance on an ongoing basis and adjusting guidance based on changing circumstances. In response to public scrutiny, Zoom has disabled the “attention tracker” feature and stopped sharing personal information with Facebook. They have represented that they do not currently employ any facial recognition software on videos.
      2. “Zoom bombing” is the practice of uninvited individuals entering a video call, often to voice hateful and racist views. Videoconferencing hosts should monitor participants on teleconference calls to reduce the chance of unauthorized persons on the calls. Consider using a unique meeting ID for each gathering or class or requiring authentication and a passcode for participants (Settings → Profile → Personal Meeting ID; Meetings → Authenticate, Password). You may also uncheck the “join before host” option. 
      3. Users who are calling in via a phone should use the Zoom feature that masks their phone numbers.
      4. For more information about Zoom settings, please consult the UC San Diego Zoom page:  https://blink.ucsd.edu/technology/file-sharing/zoom/index.html


  3. Telecommuting:  Employees working from alternate locations should:

    1. Only use university-issued devices when accessing or storing data classified at the P4 level.

    2. Ensure their sensitive conversations cannot be overheard or work observed by unauthorized persons in the alternate work location.

    3. Ensure that hard copy sensitive university records can be secured in the alternate work site. Have a file or box to store items during non-work hours. 

    4. Take extra time to verify the identities of collaborators and students, particularly as they may be receiving calls from unfamiliar numbers. Verify and double-check identities, email addresses, or phone numbers prior to disclosing P2-P4 information to anyone. 

    5. Orient computer screens to reduce the chance of shoulder surfing. 

    6. Schedule deliveries of important university items or documents to campus when UC staff are present. Review the latest updates for campus mail service and submit a logistics form to designate how your office/lab mail should be handled. 

    7. Tips and good practices can be found here:  https://blink.ucsd.edu/technology/file-sharing/remote-work/tips.html

  4. Online class and content delivery, in addition to videoconferencing guidance above:

    1. Instructors and staff should use the platform(s) selected and approved by the University. Platforms that have not been vetted by the university should not be used. 

    2. Instructors are encouraged to provide other means of participation for students who do not want to be recorded (e.g., submitting questions and comments online). As a reminder, notice to all participants of a recorded class is required. Instructors should explain in the class syllabus that classes will be recorded; in addition, at the beginning of the recording, notice of the recording should be provided.

    3. Instructors should not require students who have placed a FERPA block on their directory information, or otherwise requested that the instructor not identify them in an online environment, to use their name or their camera during online classes.

    4. If students have privacy concerns and do not wish to appear in the recording of a class, they should not turn their video on. If they prefer to use a pseudonym instead of their name, they should let the instructor know what name they will be using. They may also ask questions or provide comments through the private chat feature of Zoom or through other private methods.

  5. Online exams and proctoring, in addition to videoconferencing guidance above:

    1. Requiring students to turn on their camera to be watched or recorded at home during an exam poses significant privacy concerns and should not be undertaken lightly. Several proctoring services use machine learning, AI, eye-tracking, key-logging, and other technologies to detect potential cheating; these should be used only when no feasible alternatives exist. If instructors are using one of these services during the COVID-19 measures, they must provide explicit notice to the students before the exam. Instructors are encouraged to work with the Digital Learning Hub in the Commons and the Academic Integrity Office to consider privacy-protective options, including how to use question banks (in Canvas), that will uphold integrity and good assessment design.

    2. During classes, students should be encouraged to use the virtual background feature of Zoom if they do not want their surroundings to be visible. However, the point of proctoring is to be able to assure that students are completing their exams independently and without assistance, so students are encouraged to take their exam in a room that has no one else present. Proctors and instructors are strongly discouraged from requiring students to show their surroundings on camera.

    3. Students who have no computer to complete their final exams may take advantage of computers in most labs. Students must observe social distancing and wash their hands before and after lab use. Finals CANNOT be held in a lab, that is, instructors cannot be present nor can students from a specific class be asked to gather there for a final. This is only for those students who need a computer to drop in and complete their exam.

  6. Online advising:

    1. Online advising can occur via chat, audio, or videoconferencing but should be done using services approved by the university (e.g., Skype for Business, VAC, Zoom) or by phone. Sessions should not be recorded; rather, the advisor should log notes as they do now. The advisor should always be logged in on campus or through a VPN when advising. 

    2. Advisors should not hold advising sessions in public spaces or where other household members can hear details of the conversation. Students should be advised about security and told not to use an open network.

    3. Take extra time to verify the identities of students. Verify and double-check identities, email addresses, or phone numbers prior to the discussion. 

  7. Human Resources; Employee and Student Health:  Managers should not ask for health information about employees and employees’ family members without discussing with campus counsel and the Campus Privacy Officer first. Generally, units should consider whether the questions they are asking, or the information they are disclosing, are really necessary to be collected or disclosed. The US Equal Employment Opportunity Commission (EEOC) has provided additional guidance to employers.

    Symptomatic individuals:  University administration must inform the Campus Emergency Operations Center (EOC) if an individual shows symptoms of COVID-19 (fever and/or dry cough); the EOC is the first and only entity that administration may inform. Do not take steps to notify contacts, family, friends, or others and be cognizant of information that may indirectly identify a symptomatic individual. If a student shows symptoms of COVID-19, have the student call Student Health Services at (858) 534-3300. SHS will provide instructions for the student to follow. If a staff member shows symptoms of COVID-19, have the staff member contact their health care provider and follow the health care provider’s direction. If the manager has any questions, they can contact the Campus Emergency Operations Center (EOC) at eoc@ucsd.edu or (858) 246-4841. Do not take steps to contact anyone without instructions from the EOC or public health authorities. 

  8. Privacy reviews of tools, services, vendors; emergency purchasing protocols:  Privacy considerations are crucial as campus instruction and business move almost entirely online. To assure business continuity for the Spring Quarter of 2020, many new agreements for technologies, suppliers, or expansion of existing platforms are requiring immediate privacy review as part of the procurement process. In response, expedited privacy reviews are available for consideration of new technologies, new suppliers, or new uses of existing platforms; privacy recommendations are limited to 1) emergency use, 2) during the Spring Quarter, and 3) where necessary or where more privacy-protective alternatives are not available or feasible. Agreements put in place as a result of an expedited review should only be for the Spring Quarter. Should use of the tool, service, or supplier still be needed following the Spring Quarter, the agreement must be renewed, including a standard privacy review. All uses must comply with relevant privacy laws, including FERPA and the EU GDPR.

  9. Patient care and HIPAA guidance:  Individuals who provide patient or student health care should contact the UC San Diego Health Compliance Program at hscomply@health.ucsd.edu, and view a recent Q&A.

  10. Phishing:  Opportunistic cyber attackers can take advantage of a crisis with phishing campaigns that target individuals. Do not lower your privacy or security guard! Be vigilant with COVID-19-themed phishing lures, particularly with emails that contain attachments or links. Many actors are gaining the trust of victims by using branding associated with the CDC, the WHO, or companies, such as FedEx.

And finally:


We are updating this list as needed to address issues arising frequently and to clarify guidance as the situation evolves.

With thanks for the gracious collaboration of UC campus privacy officials and UC San Diego colleagues.