![[ CatCard ]](cathead.gif)
(Webmaster's note: This message has been left intact. Spelling, etc, has not been changed.)
From: Terrence Bressi
Subject: Re: The New Catcard and Privacy Concerns
First, I wanted to thank everyone who responded to my first email and then I wanted to warn everyone that my second email will be longer than the first and definitely more boring. I apologize for not responding to everyone individually but the number of responses were so overwhelming I thought it better to address everyone at once. Also, please check out the front page of the Daily Star for further info.
I'm going to address what I see as the legal issues at hand but give fair warning that I feel much less comfortable on this topic then I did with the initial email. In that one, I discussed things that I had direct experience with whereas legal matters are much less cut and dry and are subject to interpretation.
The three main issues I would like to address are the following:
1.) Release of "personally identifiable information ", i.e. the SSN, to unauthorized personnel without consent from the pertinent individuals
2.) The Universities insistence that faculty, students, and staff sign legally binding documentation with third party commercial vendors as a condition for obtaining the Catcard and possibly of continued employment and/or student status.
3.) The University digitizing photos and signatures of all personnel and linking them to data bases that contain other "personally identifiable information".
What makes this job even harder is the fact that these concerns have to be addressed differently between employees and students because different laws apply.
Beginning with the release of the SSN as applicable to undergraduate and graduate students, the University clearly violated the Family Educational Rights and Privacy Act of 1974 (FERPA). The specific site that applies to the release is:
Which is read - Title 34 of the Code of Federal Regulations section 99.31 which deals specifically with the disclosure of educational records and information without prior consent of the student. There are twelve exceptions that are listed under this section of which none apply to commercial vendors selling long distance service and offering various banking services. The exact verbage can be found online at:
The twelve exceptions are abbreviated below:
1.) UofA officials or their agents who have legitimate educational interest in student records and data may review such material. This includes faculty, administrators, clerical and auxiliary staff, and medical and legal personnel, who require personally identifiable info to complete their assigned duties. - Note that Saguaro Credit Union and MCI do NOT have a legitimate educational interest in student records.
2.) Officials of another institution where the student seeks to enroll.
3.) Authorized reps of the state & local government if disclosure is specifically required by a statute passed before 1974.
4.) Authorized reps. from institutions giving financial aid to students.
5.) Authorized reps. of the U.S. Comptrollers Office, U.S. Dept. of Education, & state & local educational authorities may REVIEW student records....
6.) Fed, state, & independent organizations engaged in STUDIES for, or on behalf of educational agencies or institutions to develop, validate, or administer student aid programs, administer predictive tests, or improve education.... - Somehow I don't think Saguaro or MCI fit this criteria either.
7.) Accrediting organizations
8.) Parents of dependent students
9.) Lawful subpoenas
10.) Emergency situations to protect health and safety
11.) Disciplinary proceeding as the result of crimes
12.) Designated "directory information" of which the SSN is not.
That's it! No other unauthorized release is valid and I will personally buy lunch for the individual who is capable of legally fitting MCI and Saguaro Credit Union somewhere in that list using original language from FERPA!
In addition, FERPA requires that the University document all releases of student records and "personally identifiable information", when it was released, to whom it was released, and for what purpose the data would be used. I'm almost willing to bet the University hasn't met this requirement either but perhaps it could be a good test for students returning from spring break....The specific site in this case is:
Their is also a predefined grievance policy that only students (graduate or undergraduate) can follow. A complaint can be filed to the following address:
Family Policy Compliance Office
U.S. Dept. of Education
Washington, D.C. 20202-4605
The specific violations must be listed along with additional info. I just happen to have copies of the official complaint form and would be happy to make them available to anyone who needed one.
In one fell swoop the University has committed at least 35,000 violations and if they haven't been keeping their records up to date then that number doubles to 70,000 (Please ignore the exact numbers I'm using. I recently graduated with a BS in Astronomy where I was usually quite estatic to have the correct order of magnitude for any given calculation).
In addition to FERPA, the state has its own law that is also violated if the University fails to comply with the Act. The site is
which I believe is read Title 15 of the Arizona Revised Statutes Section 141B.I next move on to how the release of the SSN affects employees. This is a bit more tricky then for students because students had a specific law protecting them that does not apply to employees. The first thing that crossed my mind was internal policy and found what I was looking for at:
This is a page that outines policy #416.0 - ref: Arizona Board of Regents 6-912 that deals with the Access and Release of Employee Information.
In short this policy states that the only persons who can access non-public employee information include persons employed by the Arizona Board of Regents, authorized external auditors, University Legal Counsel, employees of Employee services and other persons authorized by the Director of Employee Services. Unauthorized access, release, or use of personnel records for a purpose not authorized by this policy may be subject to disciplinary action.
Do contracted companies automatically become employees of the Board of Regents? If not then that doesn't apply but I don't know for sure. If the Director of Employee Services had authorized them access then I would like to see that authorization. Otherwise there was no legitimate access of the records and I would think that if the intent of the policy was to allow commercially contracted vendors to have access then that would have been explicitly written into the policy from the beginning.
The next item I will address is an item I have absolutely no doubt was a violation by the University for all personnel; staff, faculty, and students. This requirement comes from the Privacy Act of 1974 (different from FERPA) which gets its authority from 5 U.S.C. 552a sec. 7(b) which reads:
"Any Federal, State, or local government agency which requests an individual to disclose his social security account number shall inform the individual whether that disclosure is mandatory or voluntary, by what statuatory or other authority such number is solicited and what use will be made of it."
I have the Catcard contract sitting in front of me right now where the social security number is the first item requested and nowhere on the form does the University tell whether or not it is mandatory, where their authority to demand the SSN comes from, or to what use it will be put. If they had had this statement on the form then we probably wouldn't be having this exchange right now because you would have discovered that the release was voluntary, that the University had no statuatory authority to demand it, and that they were planning on selling it for commercial purposes to MCI and Saguaro Credit Union. The text of the Privacy Act of 1974 can be found at:
The next section is probably where I feel the most unclear about and has to do with whether or not the University falls under other requirements of the Privacy Act besides what I just sited above. There is an interesting article located at:
that deals with just about every aspect of the social security number. This article appeared to be completely factual to me but I did not independently verify all aspects of it. One aspect I didn't verify was that a ruling placed all public universities along with federal agencies under the jurisdiction of this act in its entirety. If thats the case then the University messed up yet again but what has been hard to verify is the definition of the term "agency" within the text of the act. It referenced the definition to a place I couldn't find on the web although I suppose if I mosied on over to the library I could dig up what I needed. If the University does have to comply then almost the exact same things that applied to students at the beginning of this thesis also apply to employees. The University cannot release "personally identifiable information" on anyone in their records unless cetain circumstances were met which as far as I can tell were not. The only possible exception to this appears in the following text:
"(m) Government contractors
(1) When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system. For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section, shall be considered to be an employee of an agency. "
This passage struck me as interesting because I heard from Liz Taylor and several times since then that the University didn't feel it did anything illegal because the contracts it wrote with the vendors made them agents of the University. Well if you read over the passage above quickly, you may interpret that the same way but read it again more slowly. This passage only applies to vendors who were specifically contracted to operate a 'system of records' for a University function. MCI and Saguaro were contracted to provide long distance service and banking services - not to operate a records system for the University. I feel that's a very important distinction and if the University is attempting to seek shelter behind this clause (and I have found no other clauses that mention external contracts) then its like seeking shelter in an outhouse in the middle of a tornadoe.
Well that's all I have found for specific laws and regulations which certainly doesn't mean there aren't others that apply to this situation. In addition I would encourage eveyone with an interest in this to verify everything independently. I have after all filtered everything I've read through my own bias which may or may not represent reality.
Regardless of what all the laws and regulations say, its clear to me that this incident has struck a real nerve in the University community and as such shouldn't be allowed to be glossed over so easily. No where in any of these very bulky Laws and Acts did I ever see any reference to the right of an institution to just sell or give away personal information that was given to them on the basis of trust and clearly many people don't want this to happen. The spirit of the law certainly wasn't trying to make this so in fact quite the opposite. Those laws were placed there for a reason and that reason is to protect privacy rights. The content and spirit of the law is just as important as the actual implementation and the University has shown no regard for this whatsoever.
We are rapidly moving into an age where the dissemenation of increasingly sensitive information will be easier and easier to accomplish on increasingly larger scales. One careless or callous act can cause a lot of damage as was demonstrated in this instance and what we need is a mechanism to prevent or at least hinder the possibility of something like this happening again. We as a University community have the power to shape existing policy and law into almost any shape we want using existing forums such as the Staff Advisory Council, student government, faculty outreach programs, and even the internet. Lets use these forums to stop the University from digitizing signatures and photos and placing them side by side with social security numbers so that individual identities can be replaced with the click of a mouse or key stroke. Lets stop the University from attempting to force members of its community to do business or even sign forms that are inhabited by commercial vendors we have no wish to deal with. None of us are children on this campus and I'm quite certain that anyone who needs long distance service or banking priveleges can figure it out on their own without the guiding hand of the University and if they can't then perhaps they aren't ready for such services to begin with.
The following is a statement from Andrew Tubbiolo which presents to the UofA community recommendations to prevent things like this from happening in the future, with the hope that this becomes a stepping stone towards a real dialogue:
We work and study in an environmnet where computers play a promonant role. Recently, computers and their capabilities have been used to comprimise our privacy and expose us to fraud - all for a few dollars from a phone company and a credit union. On the flip side we have used those same capabilities to alert the campus community. We can go further and begin to get control of our personal information that the university has misused. Working with Terry Bressi, I have had the privilege of hearing some of the replies and phone calls that have rained in since the university's mistake was exposed. Most of those replies have focused on what must be done to fix this mess. Terry and I have talked this over and come up with the following recommendations.
1) Verified destruction of data bases in the possession of all non-university personal and origanizations.
2) Release of all personnel from contractual agreements imposed by the issuance of the CatCard(tm).
3) Cease recording digitized signatures and photos. It requires no leap of logic to imagine the univerity releasing our SSN's, signatures, and photos in some future repeat of this event.
4) Destruction of existing signature and photo databases.
5) Completely decuple SSN from all databases, except financial aid, and payroll.
6) Databases containing SSN's shall not be connected to the greater internet. They will lie on either a campus wide isolated LAN or lie behind a strong firewall.
7) No encoded SSN's on any cards, magnetic tape strips, chips etc.
8) Public apology with full admission of guilt. No spin doctors.
9) Mechanisms put in place to prevent compromise of our data in the future.
10) Unconditional issuance of CatCard(tm) ID's to those who can show valid faculty, staff or student identification.
11) Boycott the CatCard(tm) process until our conditions are met.
12) Let those responsible for this fiasco know what we feel. E-mail is fast, easy and cheap.
13) Write our government representatives.
Thank you for your time:
Andrew Tubbiolo
enigma@seds.lpl.arizona.edu