Privacy

Privacy Considerations during Modified Campus Operations

Section 1

MARCH 2020

As UCI modifies the ways in which we conduct business during this outbreak, please be mindful that privacy requirements remain in place. Click here for Privacy Guidance for Faculty During COVID-19.

General:

As we move many of our interactions online, we remind the campus community to continue to follow FERPA and other legal privacy requirements and UCI Privacy Office guidance.

For additional resources or questions, please visit the Campus Privacy Office website at privacy.uci.edu, the Registrar’s Office at https://www.reg.uci.edu/, and the websites for educational continuity at http://dtei.uci.edu/teaching-continuity-plan-during-disruption/ and https://sites.uci.edu/teachanywhere/.

Human Resources:

  • Managers should not ask for health information about employees or employees’ family members without first discussing it with campus counsel and/or UCI’s Campus Privacy Official privacy@uci.edu.
  • Generally, units should consider whether the questions they are asking, or the information they are disclosing, are necessary and what the business purpose for collecting the information is.

Telecommuting:

Employees working from alternate locations should:

  • Use only University-issued devices, software and platforms when accessing data classified at the P4 level. https://security.uci.edu/security-plan/plan-classification-protection.html#P3
  • Use only University-issued devices, software and platforms when storing data classified at the P4 level. https://security.uci.edu/security-plan/plan-classification-protection.html#P3
  • Ensure their conversations cannot be overheard or their work observed by unauthorized persons in the alternate work location.
  • Ensure that hardcopy sensitive University records can be secured at the alternate work site. Have and use a file or box to store items during non-work hours.
  • Take extra time to verify the identities of collaborators and students, particularly as you may be receiving calls from unfamiliar numbers. Verify and double-check identities, email addresses or phone numbers prior to disclosing P2-P4 https://security.uci.edu/security-plan/plan-classification-protection.html#P3 information to an alleged colleague.
  • Monitor participants on teleconference calls to reduce the chance of unauthorized persons on the calls. For example, after taking a roll call, ask whether there is anyone else on the call before beginning the discussion.
  • When using Zoom, be aware of whether the recording feature is active or disabled.  Instructions for changing the default to “do not record” can be found at https://sites.uci.edu/teachanywhere/zoom-tips/.
  • When using Zoom, use Zoom’s virtual background feature if you do not want your surroundings to be visible. Be mindful of others who may not wish to be visible or recorded in the background.
  • Orient computer screens to reduce the chance of “shoulder surfing” or use a privacy screen.
  • Schedule deliveries of important University items or documents to campus when UC staff are present.
  • Periodically monitor the interoffice mail and US mail for important correspondence and/or assign someone or develop a schedule to allow limited presence on campus in line with campus guidance.
  • Additional security tips for remote work can be found here https://security.uci.edu/personal-device-working-remote.html

Remote class and content delivery:

  • Instructors and staff should use only platform(s) selected, vetted and approved by the University. In addition to standard Canvas tools, Zoom and Yuja, a list of approved tools can be found here. Utilizing Canvas as the main platform provides a secure starting point for sharing files with students and ensuring only authorized people have access to course materials, either your own or student generated ones.
  • Instructors and staff should not use personal (i.e., non-University issued) devices to record classes.
  • Recordings should be stored only on University-approved services (e.g., in the UCI Yuja or Zoom cloud storage, not in one's personal Google account or anywhere else).
  • Before recording begins, individuals should be informed that the session will be recorded.
  • Instructors are encouraged to provide other means of participation for students who do not want to be recorded (e.g., participating in Zoom without video, submitting questions and comments through the chat function).
  • Instructors should not require students who have placed a FERPA block on their directory information to use their name or their camera during class.
  • Students who do not want their surroundings to be visible are encouraged to use Zoom’s virtual background feature, if feasible, or, if allowed by the instructor, to participate without video. Be mindful of others who may not wish to be visible or recorded in the background.

Remote exam proctoring:

  • Instructors should remind students that students should complete their exams independently and without assistance and so are encouraged to take their exams in a room with no one else present.
  • Several proctoring services use a combination of video recording and machine learning/AI to detect potential cheating. Use of biometric technologies holds broad privacy implications and should not be used except where the service is provided through an authorized vendor.
  • Respondus and Examity are approved products in use at UCI. ProctorU is approved for use only with ILTI courses. Instructors should not use any other products to proctor exams.
  • These products monitor individual students and behaviors using video and video analysis during a remote exam to preserve its integrity. Before using this software, instructors should notify students that they will be recorded. Use this language: “This program uses video recording or other personal information capture for the purpose of facilitating the course and/or test environment. Pursuant to the terms of the agreement with UCI, the data is used solely for this purpose and any vendor is prohibited from redisclosing this information. UCI also does not use the data for any other purpose. Students who wish to opt-out need to contact the Vice Provost for Teaching and Learning at 949 824 3291.”
  • Instructors are encouraged to contact the Division of Teaching Excellence and Innovation and the Academic Integrity Office to discuss privacy-protective alternatives, including how to use question banks (in Canvas).

Remote advising:

  • Remote advising can occur remotely and should be done using only services approved by the University (e.g., Skype for Business, Zoom) or by phone.
  • Sessions should not be recorded; rather, advisors should log notes as they usually do.
  • The advisor should always be logged in on campus or through a VPN when advising.
  • Advisors should not hold advising sessions in public spaces (no coffee shops, etc.).
  • Advisors should advise students about privacy and security and tell students not to use an open network.
  • Take extra time to verify the identities of students. Verify and double-check identities, email addresses, or phone numbers prior to the discussion.

Patient care and HIPAA guidance:

Individuals who provide patient or student health care should contact the UC Irvine Health Compliance & Privacy Office, 333 City Blvd. West, Suite 110, Orange, CA 92868 or call 1-888-456-7006.

IT Security:

Finally, IT Security is also an issue while UCI works remotely. In particular, opportunistic cyber attackers can take advantage of a crisis with phishing campaigns that target individuals. Do not lower your IT security guard! Be vigilant with COVID-19-themed phishing lures, particularly with emails that contain attachments or links. Many bad actors are gaining the trust of victims by using branding associated with the CDC, the WHO, or companies, such as FedEx. Do not click on anything unless you know the sender.