Data Security

Data Security in Using the New Online Review System (ePortfolio)

The new online review system has great potential to enhance the way in which we do faculty reviews, as well as improve our reporting of faculty-related data for accreditation and other external reports.  The new system will house a wide range of materials and, we hope, streamline the now often-arduous process of preparing dossiers for various reviews.  It also should enable faculty to enter information once and have the system help build the dossier cumulatively over time.

With this power comes responsibility, however.  Dossier items, like letters from external reviewers, over which we have previously maintained very tight controls will now be available in the system as PDFs.  In fact, all the documents that are available at each level of review will be available electronically in the system.  This increases the need for security.

For example, if a person prints confidential documents from the system on a public printer and fails to assure no one else could see them, he or she would have compromised the required confidentiality of those documents.  Further, if a person decided to copy the electronic files in the system to a USB key or other portable drive, the security of the data would then become only as safe as the device to which the files were copied.  This is not to say that faculty would be doing these things with inappropriate aims; it is, however, to say that the result might be inappropriate outcomes.

Thus, Lehigh needs to have strong system security and a set of rules to which all users of the system agree.

Strong System Security

All Lehigh users will be required to use their standard Lehigh login credentials to get into the new system.  All folks at Lehigh find themselves the potential victims of constant “phishing” attempts. 

Phishing is the practice of sending emails that purport to be from one authoritative source (like Lehigh’s LTS) and actually are from individuals attempting to fool you into providing your login credentials.  While some of these phishing emails are very amateurish –included serious grammar and spelling errors—others are quite convincing, including appropriate logos and other counterfeit aspects in their emails.  No matter how hard we all try, the occasional more-convincing phishing effort will fool some of us at least some of the time.

Lehigh’s Rules for Use of the New Online Review System (Faculty ePortfolio)

Rule 1: Users may not allow others to use their login credentials.

This is a standard policy at Lehigh. Sometimes, however, we hear stories that others –like grad assistants or supporting staff—are allowed to use faculty credentials to help faculty complete various university tasks. Your credentials –whether you are staff or faculty— are associated with those things that you have the right to see in the new system.  Someone else may not have the right to view such materials and allowing them to use your credentials would violate the confidentiality of the system.  If a staff member in a department has a need to go into the system to help prepare some materials for your review, he or she should already have access.  If that person does not, you can request that he or she be granted such access for this purpose.  Regardless, never allow anyone else to use your login credentials.

Rule 2: Copying review system data to portable storage devices or computers is prohibited.

Since the new online system will be available online from any location, there is no need to copy (download) files from the online system to any portable storage device or laptop computer.  The potential for a portable storage device or laptop to be lost or stolen is too great to justify the risk of copying such files and is, therefore, prohibited.

Rule 3: Printing confidential review system documents to public printers is prohibited.

The potential for trouble here is also great.  At the very least, no confidential document—such as letters from external reviewers, faculty letters, departmental summary letters, tenure and promotion committee letters, dean letters or the like—should ever be printed on a public printer.  If these are to be printed, they should be printed on a secured/private printer where one can closely control who has access to the printout.

Rule 4: All printed review system documents must be secured.

If one prints any documents from the online system, they must be secured under lock and key.  They may not be left out where others could see them.  This includes being left in one’s office when it is unlocked or in any space or area in which access is not closely limited.

Rule 5: Displayed review system images and access to the system must be secure.

You are required to log in to the system in order to view documents.  It is important that you not leave the system unsecured while logged in.  If you do, others could come in and have access to the system or read what is on your screen.  Once again, this is most likely to occur when one has the system open on one’s computer desktop while leaving one’s office unlocked.  If you plan to leave your office while logged into the system, you must either lock your office or you must ensure that your computer screen is blanked and only able to be viewed after reentering your password.  The safest and easiest thing is to logout of the review system; it takes less time to log back in than the other options here.

Rule 6: Review of confidential documents at public computer sites is prohibited.

As noted throughout, many of the documents in the review process are confidential.  If you view such documents while in a public computer site, others nearby or walking behind you may see such documents and this would violate confidentiality.  There may be many kinds of less sensitive documents in a dossier which you could review at such sites, but you must not view any sensitive documents in such a public setting.  If in doubt, wait until you are at a secure location –like your home or office—before viewing them.

Rule 7: All university policies and guidelines for faculty reviews must be followed in use of the new online system.

While the new online system will provide many new options and ways to do things, it is important to recognize that it must be used in the same way we have used paper or electronic (Mahara or our PAR systems) for reviews in the past.  This includes such things as confidentiality of process and discussion and following correct procedures.  It is important that we not allow the new technology to cause us to behave in ways that we would not behave when conducting the same reviews using different systems, nor should our decisions be different as a result of being conducted using a new tool.

Rule 8: Users of the system must not upload any documents that are classified as sensitive or are protected by law or funder requirement, or which reveal personally identifiable information where such information is to be protected.

Where this might be likely to happen is when users were uploading documents related to either their teaching or their research.  We must take great care handling data covered by HIPAA or FERPA regulations, as well as data that may have export or ITAC restrictions.  For example, one should not include social security numbers or even student LINs in documents.  In addition, in the area of research, we may be bound by protection of confidentiality and nondisclosure policies.  No materials uploaded into the system should compromise such confidentiality or disclose any information covered by such agreements.

Rule 9: Users of the new online system must follow all applicable university policies and guidelines for use of electronic systems.

Although the new online review system is a new tool, it is still governed by the existing rules and policies about use of electronic systems at Lehigh.  Such policies include:

POLICY

WHERE TO FIND (URL)

Privacy

http://lts.lehigh.edu/services/explanation/privacy-policy

Computer Use

http://lts.lehigh.edu/services/explanation/policies-use-computer-systems-and-facilities-acis-policy

Computing Accounts

http://lts.lehigh.edu/services/library-computing-policies

Cloud

http://lts.lehigh.edu/services/explanation/lehigh-university-cloud-computing-policy-acis-policy

Classification of Data

http://lts.lehigh.edu/services/explanation/classification-data