Clarification for our biggest Cloud concerns
I just got back from our annual Fall NWACC Conference held in Portland, OR. NWACC, Northwest Academic Computing Consortium, is a organization run by the IT leaders from most of the mid to large colleges and universities in the Northwest. We tried something different as is common for us, we invited our legal councils to attend and the focus of discussions centered around the common legal issues facing IT services in Higher Education. A big thank you to Tracy Mitrano, Director of IT Policy and of Computer Policy and Law Program, Cornell University, who helped put this all together.
The sessions dealing with Cloud services and more specifically legal implications that could be related to the outsourcing of services to Google were of great interest since we have recently moved all of our email to gmail. Steve McDonald, General Counsel, Rhode Island School of Design and Joe Storch, Associate Counsel, Office of University Counsel, SUNY System Administration, provided excellent insight for this issue. My major takeaway was that E-Discover is what you make of it. Yes there may be a situation down the road where you may not be able to provide historical documents that may be asked of you, but that is all. You are only required to provide what you can based on your business processes. In fact that has never been an issue for me, there is no reason to institutionally provide an email archiving solution.
The real elephant in the room is the issue of FERPA compliance if Google mines your data. I am not an expert on FERPA regulations, however, it has never appeared overly complicated. FERPA was designed to protect the student’s education records and status as a student. So I am still intrigued by why many institutions work so hard to show that there is a direct correlation to how Google’s data mining of our email could ever translate into a FERPA violation. Google is willing to promise that their process of data mining would never translate into such a violation. But they will not nor should they be required to eliminate all data mining, that is why their service exists. So I am perplexed as to why so much legal energy has been spent on trying to force Google to comply with this request. FERPA issues generally go back to people issues, so I will focus on those real risks. Plus, offering my institution the incredible value of the finest unified communication solution that money does not have to buy is far more important.
I appreciated the talk on Risk Assessment given by Tracy Futhey, Vice President for Information Technology and Chief Information Officer; Duke University, which helped me evaluate this Google outsourcing into my acceptable risk context. As I mentioned the value of the overall Google toolset justifies the decision. I now have greater control over these collaboration tools because of the commitment to tie it together under our email/account structure. I believe that by not offering this service I was actually promoting more risk because of the large number of faculty, staff and students who were using the same services with their personal Google accounts. My greater concerns are now for which Google services to allow and the education guidelines to provide for how to use them. Do these institutions working on the justification to move to the Cloud for email realize that by the time they solve all of their legal fears they will need to deal with the next battle that looms (Facebook email).