Other Universities' Policies
To get a clearer picture of the state of Stanford's computer and network related privacy practices and to devise possibilities for where Stanford could go in the future, we took a look at several other universities' privacy policies, including those of Cornell University, Dartmouth College, MIT, University of Texas-Austin, and University of Washington. By gaining more insight into possibilities that Stanford may not have considered or may have rejected, we hope to be able either to suggest enhancements to Stanford's policy or to appreciate it more fully.

First we examined MIT's policy (http://web.mit.edu/policies/11.0.html). MIT's policy outlines in great detail the rights of students/staff/faculty to obtain and review information stored about them. In addition, it states that the rights of an individual whose information is being gathered include knowing the purpose of the collection and that the information may not be used for anything else. It also defines the situations in which consent is not needed to share information and talks about MIT's compliance with FERPA. In general, MIT's policy seems conservative and the intended audience seems to be fairly technologically savvy.

Then we looked at University of Texas-Austin (http://www.utexas.edu/policies/privacy/). Their policy seems to be written for the average technologically savvy person. It discusses information gathered by web servers, cookies, public forums, on-line surveys, and e-commerce. The policy states the University's compliance with FERPA and the Texas Public Information Act with regard to sharing student information. It states that the goal of the privacy statement is 1) to educate users about privacy issues and 2) to inform users about specific privacy policies and guidelines employed by the University of Texas-Austin.

In comparison, MIT is much more detailed and meticulous about outlining the uses of private information and the situations in which it will and will not be shared.
MIT also outlines the rights of users to view and review (update) information about themselves, and in what situations permission is needed to share that information. MIT's policy does not focus nearly as much on explanations to the average technologically savvy person or on information gathered through the Internet such as web logs or cookie usage. In contrast, University of Texas-Austin has more of a general umbrella statement in which they say that they are compliant with FERPA and the Texas Public Information Act. University of Texas-Austin focuses more on explaining concepts of web logs, cookies, public forums, and other Internet-related ways of gathering information than on the actual student records or student web space. No detail is included regarding student rights and when permission is needed to share private student information. MIT also focuses on student information and records while University of Texas-Austin is general and focuses more on Internet information.

The question of detail in a privacy policy depends on what is deemed appropriate for the institution. In some cases it is best to be vague to allow more university discretion on how to handle situations. In other cases, students/staff/faculty may want to have documented policy outlining when and how privacy can be compromised. A policy can be legally binding, thus care must be taken to straddle this line.

Dartmouth College seems to take an approach similar to that of University of Texas-Austin. Dartmouth's privacy policy (http://www.univco.cornell.edu/policy/ASI.html) focuses on the online aspect of privacy and security. There is lengthy discussion on what constitutes a safe password, what fair use of the computer network is, as well as discussion on use of university resources and a brief treatment of intellectual property. Dartmouth's policy does not focus specifically on student records, but rather on ensuring that students are aware of the security and privacy risks of using the Dartmouth computer networks and how to mitigate those risks as much as possible.

Cornell University has yet another slant on its privacy policy (http://www.univco.cornell.edu/policy/RR.for.html and http://www.univco.cornell.edu/policy/ASI.html). Cornell has an entire office devoted to forming policies governing different aspects of university life. The closest documents they have to an online privacy and security policy are policies entitled Retention of University Records and Access to Student Information. Both are very well structured and easy to navigate with a table of contents that links to subsections of the document. Each of them states what the policy is, why they have the policy, who is affected by the policy, as well as procedures that are related to the policy. Cornell seems well aware of the issues and claims that they are fully FERPA-compliant. Questions ranging from who has access rights to data to what procedures one should follow to modify records are clearly addressed in the policy. The policies are very comprehensive and detailed in their presentation, attempting to draw out as many scenarios and guidelines as possible to avoid ambiguity and uncertainty.

Perhaps the briefest and most direct privacy policy comes out of the University of Washington (http://www.washington.edu/computing/rules/privacy.html).
The legal specifications for when University accounts may be legitimately compromised through inspection or monitoring were carefully listed. This type of statement is also found in many other schools' statements, but Washington's statement was easy to find from their website and clear as to what University responsibilities were. There was also a counterpart section that detailed what responsibilities students had for maintaining their own protection. This serves as a warning for students to be protective of their own data.

Questions? Comments? Suggestions? Send mail to: privacy_project@CS.Stanford.EDU