Western Oklahoma State College

Transportation of Confidential Data

• Password protected OwnCloud hosting
  • Western employees may request a Western OwnCloud account. An account will be setup and instruction provided in the procedure to create a password-protected link that can be attached to an unsecure email.
  • The password in this case should be communicated either in-person or over the telephone, never over email and only when the identity of the receiver has been positively confirmed.
• Encrypted Flash Drive
  • Properly utilizing an approved encryption enabled flash drive to encrypt and transport the data.
  • Information about approved devices can be obtained on the IT Approved IT Equipment Specification List or by contacting the help desk.

Safe Handling of Confidential Data

Confidential data includes but is not limited to information protected under FERPA regulations.

College communication of issues related to student efforts (academic, conduct, and/or employment) may necessitate utilization of electronic communication such as email(s).  However, misdirected email(s) may result in exposure of student identifiable information to those without a legitimate educational interest in the information. In addition, the email protocol and services are inherently insecure and any information sent via email should be considered publically disclosed.

In-person delivery of confidential data may occasionally be the best option. In these cases, the transportation of the data may require the use of an external storage device such as a flash drive or an external hard drive. In such cases, the loss or theft of the data device would result in the disclosure of confidential data.

Careful consideration should be used to determine whether FERPA data must be transmitted. In most cases, safer alternatives are available. For instance, students can be identified with only their full names and the last four digits of their student id.

Federal regulations require we establish “reasonable methods” to ensure that student data is secured and only available to those with legitimate educational interest.  To obviate the potential FERPA violation caused by a misdirected or intercepted email, Westerns guidelines are as follows:

• Do not include personally identifiable FERPA data in totality in an email: no full name and full student ID.
• Do not list name and ID in the subject line
• Do not attach spreadsheets or scanned documents with full identifiers or non-directory information via email.  Communicate spreadsheets or scanned documents via a secure link using a Western IT supported methods (Listed Below)

In order to prevent a confidential data disclosure event in the case of the loss or theft of the data device, the device should be encrypted in an approved manner.

• Do not store FERPA data on an unencrypted external storage device.
• Only utilize Western approved encryption and external storage devices.