Privacy and Information Security Guidance for Faculty
As the university conducts classes in-person and interacts with students and colleagues online or in a hybrid environment, our general privacy and information security requirements remain the same. However, with use of remote delivery software and technologies, protecting privacy and keeping information secure are even more critical.
For more information, a consultation, or for customized training, please contact Blanche Stovall or Clint Mixon in the Information Security and Privacy Office at ispo@newschool.edu.
Use of Email
- The New School-branded version of Gmail (accessed through MyNewSchool or mail.newschool.edu) is the official university email system. Google provides this version of Gmail to The New School under an end-user license agreement that includes special protections for information subject to the Family Educational Rights and Privacy Act (FERPA).
- Other email service providers, including Google’s consumer Gmail platform (@gmail.com), do not provide legal protection or accountability for New School administrative information, and they generally do not provide FERPA-required protection for student education records.
- Faculty and staff must use their official university email address for all university business-related email. Faculty and staff may not automatically forward or redirect messages from an official university email address (containing @newschool.edu) to a non-university email address (containing anything other than @newschool.edu).
- The New School secure file transfer service (accessed via TNS SecureSend) is the official university system for sending Institutional Information Classified at Protection Levels PL-3 (such as N-numbers, education records and personal data/PII) and PL-4 (such as Social Security Numbers, Human Subject Research Data with individual identifiers, financial information, health information, payment card data). PL-4 information must never be sent through regular email; SecureSend must be used instead (see the Standard for Handling Institutional Information for details).
- For the complete policy on the use of email, see the Use of email section of the New School Acceptable Use Policy.
Avoid common email pitfalls!
- Sending an email to the wrong person–Always check the To: and CC: lines
- Sending an email with an attachment that contains personal data/personally identifiable information (PII) or other sensitive data–Double-check attachments; any PII or other sensitive information should be sent via TNS SecureSend.
- Sending an email to a large group of recipients that contains an attachment with a large amount of personally identifiable or sensitive data–Reply to All emails should be the exception rather than a rule.
*Deliberate or inadvertent leaks of PII, PHI or other sensitive information are considered a reportable data breach under certain state and national laws. The New School must notify the impacted individuals and various US and foreign regulators in a timely manner to avoid possible fines and legal action.
Use of Cloud Storage
- The New School-branded version of Google’s G-Suite applications (accessible through MyNewSchool or {calendar, docs}.newschool.edu) is the official university general-purpose cloud storage and collaboration platform. Canvas and Starfish are the official university learning management systems and student success network, respectively. The companies offering these services provide them to The New School under end-user license agreements that include special protections for information subject to FERPA.
- The license agreements for other cloud storage and collaboration services do not provide legal protection or accountability for New School administrative information, and they generally do not provide FERPA-required protection for student education records.
- Commonly used services that do not meet FERPA-required protections are:
- Adobe Creative Cloud, Dropbox.com, Box.com, Apple iCloud, Microsoft OneDrive, the consumer Google G Suite platform (i.e., @gmail.com), FaceTime, WhatsApp, Skype, Microsoft Teams, and consumer Zoom accounts.
- New School faculty and staff may not use these services for New School administrative information or student education records.
- For a current list of authorized applications and service providers, please contact the Information Security and Privacy Office at ispo@newschool.edu.
- Note: The above prohibition does not apply to course materials unrelated to individual students, such as syllabi, lecture notes and presentations, class reading materials, etc.
- For the complete policy around the use of cloud services, see the Use of cloud storage and collaboration providers section of the New School Acceptable Use Policy.
- See Supported Systems for a list of systems that TNS supports and instructions on how to access them.
Recording Lectures, Seminars, and Studios
- Recordings should be made using the official New School-branded Zoom version which includes FERPA protections. You can access the New School-branded Zoom version on this page.
- Other virtual meeting applications should not be used, as they generally do not comply with the information security and privacy safeguards required by state, federal, and international laws and regulations or university policies.
- FERPA applies to all recordings directly related to a student. All recordings that will be kept as education records should be downloaded and stored in an appropriate “permanent” location. For assistance with finding an appropriate storage location please contact IT Central at itcentral@newschool.edu. Zoom is not a long-term storage platform as all recordings are automatically deleted from the platform 30 days after they are recorded.
- Recordings that will be shared with students, parents, or other instructors should be shared via Zoom (with appropriate access controls, such as a password) or by uploading them to Canvas. They should not be sent via email or shared via non-New School applications (including personal Google accounts).
- All recordings that are not being kept as education records should be deleted when no longer needed (no later than 30 days after the semester ends).
- Class recordings, including conventional audio/video recordings and recordings made by online web conferencing platforms, made for the sole use of the instructors, teaching assistants, teaching fellows, and enrolled students in a particular section or single course—that will be destroyed at the conclusion of the course—do not require consent from students.
- If classes are to be recorded for any purpose other than (or in addition to) making the session available to students in the class for instructional use, or if the recording will be kept beyond the end of the course, each individual student’s prior written consent is required.
- Recordings that are directly related to a student that will be kept and maintained as education records (e.g., recordings of performances or one-on-one sessions) and/or that will be kept for demonstration purposes, use in future courses, etc. require prior written consent from the student (or their parents).
- For more information on written consent please contact the Information Security and Privacy Office at ispo@newschool.edu.
- For more details on policies concerning recording lectures, seminars, and studios, see the Guidelines for Recording Lectures, Seminars, and Studios.
A current list of authorized applications and service providers will be provided in response to all requests sent to the Information Security and Privacy Office at ispo@newschool.edu.
CyberSecurity Threats and Tips
- Phishing emails remain the primary method for malicious actors to compromise people and their data.
- See if you can pass this Google Phishing Quiz.
- Think before U Click–When in doubt–Don’t Click.
- You can forward any suspicious emails to ispo@newschool.edu for our review.
- Ransomware is the biggest threat to you, our students, and the university.
- Keep your devices and applications up to date–Turn on Auto-update and select Auto Install.
- Maintain physical security of your devices. Never let friends or family access the devices you use for work. If they must access the device, provide them with a guest account and limit the account's ability to download and install applications.
- Use strong passwords, or better yet, use passphrases of greater than 16 characters, something like “MyD0gSk1PLoves$andwiches”.
- Lock your devices with a biometric signature (fingerprint), PIN, or pattern, and set them to auto-lock after a short period of inactivity. Be sure to lock them any time you aren’t actively using them.
- Free public Wi-Fi sounds like a good thing, but unfortunately it might come with a malware gift in the form of viruses, trojans, or keyloggers that automatically download to your device when you connect.
- Avoid connecting to unsecured Wi-Fi connections as much as possible (having a password doesn’t mean it's secure).
- If you must connect, be sure that your Anti-Virus software is updated and actively protecting your device.
- Finally, be sure to use a VPN to protect your data from being intercepted and sold to criminals.
- Keep your data safe and secure.
- Encrypt your data whenever you can, especially when you download it and store it on a device.
- Most cloud based data storage is encrypted by default–TNS’s Google Drives are encrypted.
- Back up your data on a regular basis–an easy habit for TNS data is to back it up as part of your end of semester tasks; for personal data make it part of your New Year’s resolutions every year!
- Cyber threat actors may use generative AI in their attacks in the following ways:
- Writing AI-powered, personalized phishing emails.
- With the help of generative AI, phishing emails no longer have the tell-tale signs of a scam—such as poor spelling, bad grammar, and lack of context. With an AI like ChatGPT, threat actors can launch phishing attacks at unprecedented speed and scale while personalizing each one.
- A ChatGPT-powered bot could trick you or others into divulging sensitive information, such as login credentials or financial data.
- Deep Fakes: Because many of the modern AI agents can create convincing imitations of human activities (like writing, speaking, and producing images), generative AI can be used in fraudulent activities such as identity theft, financial fraud, and disinformation.
- Cracking CAPTCHAs and password guessing: Used by sites and networks to combat bots seeking unauthorized access, CAPTCHA can now be bypassed by hackers. By utilizing AI, they can also carry out password guessing and brute-force attacks with much more success.
Use of generative AI
- Presume anything you submit or that is saved on your device or in your account could end up on the front page of a newspaper. Many AI agents' terms and conditions include permission for the agent to scrape your data to help train the AI. Be sure to read through the terms and conditions of whatever platform you join to see what data they collect, both from your data submissions or questions and from your devices.
- The data you provide could be enhanced and used to build a detailed profile of you and your life.
- Your use of generative AI needs to be annotated in any products that you create for work or school. Check with your supervisor, department chair/director or dean to ensure you are citing your use of AI correctly and in accordance with university policy.
- If you would like to learn more about how to protect your and others’ privacy when using generative AI or other data processing apps, see Guide to Teaching and Learning Generative AI Security and Privacy or contact ispo@newschool.edu.
Suggested language for Faculty to include in Course Syllabi
We recommend that all instructors include a message such as the following in their course syllabi if they intend to record any class sessions:
Some class sessions may be recorded for purposes of allowing other registered students who cannot attend at the scheduled class time to view the session at a later time. Recordings will only be accessible to the class instructor(s), teaching assistant(s), teaching fellow(s), and students in the class. All recordings will be destroyed at the end of the semester. Do not download recordings or share them with individuals outside the class. Doing so violates federal law as written in the Family Educational Rights and Privacy Act (FERPA).
If you have concerns about participating in a recorded class, you should discuss this with the instructor and ask about options for participating in the class while opting out of the class recording.
If you prefer not to be identified during a class session, you may choose to (a) turn off your video, (b) change your name in the Zoom participants list, or (c) sit out the class and view the recording later. If you are sitting in the classroom during a session that is being recorded and you prefer not to be identified, you may choose to (a) sit outside the view of the camera and not speak or otherwise bring attention to yourself or (b) sit out the class and view the recording later.
We recommend including a message such as this regarding sharing student information:
You may work on group projects with other students or be asked to review or respond to their work. Other materials and activities may open up debate, argument, or spirited discussion; some classmates may volunteer sensitive personal information. Do not share others’ personal information, including class dialogue or performance, on sensitive topics outside of the course participants. Student work, discussion posts, and all other forms of student information related to this course should be handled with respect and remain within the interactions of this course. You may publicly post your own work, provided it does not violate the University Academic Integrity Policy or show responses to assessments. Public posting of group work requires consent from all group members. Research conducted as part of a class is subject to University research policies and may include sensitive information. Students may not share research information without permission from the instructor.
(revised July 26, 2024)
Additional Privacy and Information Security Information
- Information Security & Privacy Office (ISPO)
- Privacy & Information Security Training
- Acceptable Use Policy
- Data Privacy
- Information Security and Privacy Office (ISPO) website
Please contact Clint Mixon and Blanche Stovall in the Information Security & Privacy Office at ispo@newschool.edu for additional information.