student's or faculty's personal email account any more than we would
want to go to their homes and read a student's physical mail.
Our data retention policies apply only to materials on school owned
computers. For servers holding student records that is indefinite but
we do have then photographed and stored off site after 7 years. For
financial and fundraising it is five years. For school originated
email, and there is very little of that, 90 days.
Student lab computer are set to destroy anything that is not part of
the basic OS every night. Like I said they had better save their stuff
to their personal pen drives. We do have a policy which lets us look
at the pen drive should we suspect porn or other inappropriate
material but we have never had occasion to do so. This is the same as
looking into lockers.
So if someone come knocking wanting to look at personal email they can
do so at Google, Yahoo or who ever and deal with Google's lawyers but
not the schools.
At some point both students and faculty need to learn to be
responsible for themselves and not expect that the school and it IS
staff will be watching over them all the time. In our case we start
that at the very beginning.
No issued laptops but personal ones are fine, no school email and no
school storage, everyone will learn and be forced to use all three
operating systems. We haven't got into the whole tablet computer
thing. One student has one. In my professional work I have seen a
grand total of two of these in real work setting. They strike me as a
gimmick.
Greg
On Sep 27, 2007, at 7:17 AM, Johnson, Jason P Mr WRAMC_Wash DC wrote:
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Unfortunately all data is not created equal. Even within email. The
> rule of thumb is that you keep any data for the shortest period of
> time
> required (by law, financial commitment, compliance, and perceived
> institutional need) and have a data retention policy that clearly
> outlines what types of data you keep and for how long. Most of your
> email can probably have a short retention period (1 year, 90 days, or
> less) but there are some types of data and email you may be required
> to
> retain longer (e.g. related to a bond financing or HIPAA) these will
> tend to be the exception and not the rule and you may want your policy
> to be printing them out. Regardless, you really need a written policy
> for each class of data (student records, library circulation reports,
> etc.), stick to it, and don't define it by type of system (email, file
> server, etc). NAIS has some good resources on this.
>
> Secondly, everything in backup is just as vulnerable to subpoena and
> warrant, so proper destruction of backups is necessary as well and
> should align with your retention policy.
>
> Finally, having students and teachers use real-world email accounts
> is a
> wonderful educational tool, and I don't mean this as a criticism of
> the
> value of Greg's program to students and teachers, but from a legal
> perspective I believe you are far worse off having faculty and staff
> use
> external services because you have no way to enforce or monitor
> compliance with your data retention policies. Sure you will not have
> the hassle of officer's seizing your servers, but lack most of the
> controls that would allow you to enforce compliance on deletion or
> proper retention, and ensure that during a discover phase documents
> that
> might help the school are not destroyed. In terms of students it is
> not
> quite as bad, but you are giving up the option to review student email
> for in-school offenses (unless they give you permission and log you
> in).
> Your only option to review student email is to start a civil or
> criminal
> case and take it through the courts. As always, it would be best to
> consult with a real lawyer about these kinds of things, as I may be
> way
> off-base.
>
> _Jason
[ For info on ISED-L see http://www.gds.org/ISED-L ]
Submissions to ISED-L are released under a Creative Commons license.