COVID-19 and Privacy

1. General: As campus modifies the ways in which we conduct business and moves most interactions online during this outbreak, please be mindful that general privacy requirements remain intact. Use of remote delivery software and technologies heightens the criticality of existing privacy and information security requirements. We remind the campus community to continue to follow the UC Santa Cruz Privacy Principles and Best Practices, Federal Family Educational Rights and Privacy Act (FERPA) requirements and campus IT Policies and Guidelines. 
   
   

   Privacy: The University of California respects the privacy of individuals as fundamental to its mission and a value enshrined in the California constitution. Privacy is defined at UC as “ ...the state of being able to conduct activities without concern of or actual observation”, and “[T]he appropriate protection, use, and release of information about individuals.”  [1]

   “Privacy: 

   1. Is essential to promoting the values of academic and intellectual freedom,
   2. Plays an important role in upholding human dignity and safeguarding a strong, vibrant society, and
   3. Serves as the basis for an ethical and respectful workplace.  [2]

   Privacy By Design:  Individual privacy is essential and must be considered in all aspects of University business. Privacy is a professional responsibility, and maintaining it is an intentional act. Adopting “Privacy by Design” principles that enhance privacy in our everyday work habits is a way to mitigate potential privacy issues. Adherence to the Seven Foundational Principles of Privacy by Design while performing UCSC business will assist in keeping personal privacy front and center when examining your University business process and related changes.

   IT Policy and Information Security: Privacy and Information Security go hand in hand. Adherence to UC IT Policy, including Business and Finance Bulletins, BFB-IS-3: Electronic Information Security, and, BFB-RMP-7: Protection of Administrative Records Containing Personally Identifiable Information, serves to protect user confidentiality; maintains the integrity of all data created, received or collected by UC (Institutional Information); meets legal and regulatory requirements; and ensures timely, efficient and secure access to information technology resources.
   
   

   Privacy Balancing: Overall, we must acknowledge the distributed nature of information stewardship at UC, where responsibility for privacy and information security resides at every level. This includes the principles of “least perusal” or “least privilege” and “Need to Know”  [3], limiting access and transmission of personal data according to business need and in compliance with UC policy, State, and Federal Law.  

   The Privacy Office is here to help you think through your business processes in order to comply with the policies and principles listed above. Please contact us via email at privacy@ucsc.edu with questions.

   For additional resources or questions: 

   1. Main campus message regarding UCSC campus response to COVID-19 
   2. For privacy questions, contact the Campus Privacy Office via email at privacy@ucsc.edu
   3. For FERPA questions, contact the Registrar’s Office via email at registrar@ucsc.edu 
   4. For instructional resources, contact Center for Innovations in Teaching and Learning (CITL) 
   5. Guidelines and best practices for working remotely
   6. Campus ITS COVID-19 resources

2. Online exams and proctoring, in addition to videoconferencing guidance below: 

   1. Requiring students to turn on their camera to be watched or recorded at home during an exam poses significant privacy concerns and should not be undertaken lightly. Several proctoring services use machine learning, AI, eye-tracking, key-logging, and other technologies to detect potential cheating; these should be used only when no feasible alternatives exist. If instructors are using one of these services during the COVID-19 measures, they must provide explicit notice to the students before the exam. Instructors are encouraged to work with the Center for Innovations in Teaching and Learning (CITL),  and the Faculty Instructing and Technology Center (FITC). Refer to https://keepteaching.ucsc.edu/remote-teaching-practices/academic-integrity  and consider privacy-protective options, including how to use question banks (in Canvas), that will uphold the integrity and good assessment design.
   2. During classes, students should be encouraged to use the virtual background feature of Zoom if they do not want their surroundings to be visible. However, the point of proctoring is to be able to assure that students are completing their exams independently and without assistance so students are encouraged to take their exam in a room that has no one else present. Proctors and instructors are strongly discouraged from requiring students to show their surroundings on camera.
   3. Students who have no computer to complete their final exams may take advantage of computers in most labs. Students must observe social distancing and wash their hands before and after lab use. Finals CANNOT be held in a lab, that is, instructors cannot be present nor can students from a specific class be asked to gather there for a final. This is only for those students who need a computer to drop in and complete their exam.
   4. Consider implementing UC Berkeley’s best practices for remote examinations including:
      1. Make all exams open-book, so that students who consult notes and books do not gain an unfair advantage over students who adhere to closed-book rules.
      2. Schedule multiple, short, low-stakes tests, rather than one or two lengthy, high-stakes exams. This approach is shown to be superior for promoting learning. In addition, students may be less tempted to cheat if the stakes of the exam are relatively low and less able to cheat if the exams are of short duration.
      3. Shuffle answers to questions - Consider shuffling the answer options when using multiple choice-style quiz questions. When using Canvas you can set this function either globally when you create the quiz or selected individually for each question. Be sure to avoid using the global option if your quiz includes multiple-choice problems with “All of the Above” or “None of the Above” choices. 
      4. Alternatively, you may choose to have a remote examination that is deliberately collaborative, making use of Courses groups to encourage students to work remotely together.
3. Phishing:  Opportunistic cyber attackers can take advantage of a crisis with phishing campaigns that target individuals. Do not lower your privacy or security guard! Be vigilant with COVID-19-themed phishing lures, particularly with emails that contain attachments or links. Many actors are gaining the trust of victims by using branding associated with the CDC, the WHO, or companies, such as FedEx. For more information regarding Phishing visit https://its.ucsc.edu/news/spearphishing.html
4. Videoconferencing:
   1. As with all electronic communications within the University’s purview, administrative access to the information, video, audio, and metadata of online platforms is limited to the specific circumstances described in the UC Electronic Communications Policy (ECP).  For questions, contact the Campus Privacy Office via email at privacy@ucsc.edu
   2. Avoid video or audio recording of administrative meetings unless absolutely necessary. Recordings should never be saved on personal devices (i.e., non-university-issued). Recordings should only be stored on university-approved services (e.g., in Canvas or Google Drive services, not in one's personal Google account). Zoom has the capability to disallow recordings by anyone who is not the host (Settings → Recordings → Local Recording).
   3. If you will be recording, individuals must be given notice at the beginning of the recording; ideally, the notice is also recorded. Zoom has a feature to automatically inform all users that the session is being recorded and provide an option to opt-out (Settings → Recordings → Recording Disclaimer). Students should be informed that when cheating is suspected, the recording may become part of an administrative disciplinary record. Recordings should be retained no longer than necessary; consult with the campus Records & Information Management Office on guidance regarding retention schedules. Below is sample notification language:                                                                                   "This program uses video and audio recording or other personal information for the purpose of facilitating the course and/or test environment. UC Santa Cruz does not allow vendors to use this information for other purposes. Recordings will be deleted when no longer necessary. However, if cheating is suspected, the recording may become part of the student’s administrative disciplinary record.”  
      
   4. Individuals can use Zoom’s virtual background feature if they do not want to have their surroundings visible. Be mindful of others who may not wish to be visible or recorded in the background.
      
   5. “Zoom bombing” is the practice of uninvited individuals entering a video call, often to disrupt the meetings. Videoconferencing hosts should monitor participants on teleconference calls to reduce the chance of unauthorized persons on the calls. Consider using a unique meeting ID for each gathering or class or requiring authentication and a passcode for participants. (Settings → Profile → Personal Meeting ID; Meetings → Authenticate, Password). You may also uncheck the “join before host” option.

      For more information regarding Zoom security practices visit https://its.ucsc.edu/zoom/security.html

       

[1] https://www.ucop.edu/ethics-compliance-audit-services/_files/compliance/uc-privacy-principles.pdf

[2] https://policy.ucop.edu/doc/7020462/BFB-RMP-7

[3] https://policy.ucop.edu/doc/7000543/BFB-IS-3