Privacy concerns still not put to rest

Wildcat File Photo Arizona Daily Wildcat

Anyone with access to the university's Student Information System can access students' grades, class schedules, financial aid status and Social Security numbers, which in turn can unlock everything from tax records to medical records. This information cannot be legally released by the university.

The University of Arizona came under fire last month when it released student and employee Social Security numbers to MCI Telecommunications Corp. and Saguaro Credit Union in an effort to streamline the implementation of the UA's new identification card.

"This 'innocent mistake' by the university is no small matter," Benjamin Peddicord, an electrical engineering sophomore, wrote in an e-mail message to a privacy concerns listserv. "I believe that if students realized just how much can be done with a Social Security number, reaction to this CatCard would be much stronger."

On Wednesday, UA President Peter Likins appointed Mely Tynan, vice provost for information technology, to lead a new Information Security Council and safeguard student and employee information.

Likins said yesterday he is realizing that keeping confidential information secure in the UA's computer systems is a major issue.

University Attorney Mike Proctor said the CatCard has brought many privacy issues to light. He said the UA needs to train as many employees as "humanly possible" on aspects of privacy and employees need to understand that private information is "almost sacred."

"I find it hard to believe people feel they can release all students' information. We need to have a heightened awareness of privacy issues," Proctor said.

"People need to all be participants in privacy issues, as individual members," he said. "If they see something that is not right they need to contact people who are able to do something about it."

About 1,500 UA employees - including some student employees - have access to information in SIS, said Jack Farrell, the UA's registrar.

SIS is a computer database that contains student information for the Financial Aid, Bursar's, Admissions and Registrar's offices. It is based on nine-digit student identification numbers that are usually the same as students' Social Security numbers.

The unauthorized release of UA basketball player Miles Simon's academic records in October also raised questions about the security of students' educational records.

The Family Educational Rights and Privacy Act prohibits the release of personally identifiable academic records, excluding directory information and records released for educational purposes authorized by federal law.

But someone within the university released Simon's grades to the Kansas City Star. Although university officials investigated the disclosure, they still are not sure how the information got out.

"No one was reprimanded. We could not determine who leaked the information," Proctor said. "We did do (FERPA) seminars for both departments where this could have happened."

When employees need SIS access to perform their jobs, their supervisors must request access for them, said Chris Escobar, senior office specialist in the Registrar's Office.

After access is granted, information on how to utilize the system, along with basic navigational terms, is mailed to the employee.

Information regarding FERPA is included in each packet. All employees are expected to read, sign and send back a statement confirming they have read the information, said Mari Jo Widger, instructional specialist in the Registrar's Office.

"The issue of FERPA lies with each department; the (access) responsibility relates to what you do," Widger said. "In our department we do train people on what kind of information they can give out."

Because training is geared toward individual positions within departments, SIS and FERPA instruction is separate, Widger said.

"Your access to the SIS system is unique to you," said Mary Salgado, applications analyst in the Registrar's Office. "It is reviewed when you need more access, and it is given with a password."

SIS has several different levels of security, said Mike Torregrossa, coordinator of student information and integrated data systems.

"SIS runs on an IBM mainframe system," he said. "I've never heard of anyone cracking the system. It is very secure."

To safeguard the system, employees are given an SIS password, which is changed every 45 days. If an employee attempts to enter the system with an invalid password more than six times, the employee's access is revoked, Torregrossa said.

He said the system also tracks any changes made to information.

"We do delete access to people and we do watch out for people not using the system properly," Salgado said.

Employees who use SIS without a legitimate educational purpose, as defined in the university's FERPA policy, can face repercussions, Farrell said. Violations, he said, are reviewed on a case-by-case basis.

"I have honestly been impressed with the great number of people who use SIS and the small amount of problems," Salgado said.

Torregrossa said the UA is looking into purchasing a new SIS system to do away with using Social Security numbers as identification. The biggest barrier, though, is funding.

"A new system would take advantage of the new technology that is out there that allows separate student identification numbers instead of using Social Security numbers," he said.