| History of this app | All | - Discuss the issues related to students using the public APIs with identifiable student data for application development. Currently the API implementation group is providing technical oversight to the GoGaucho app developers. More students are submitting requests to use the student APIs. Student APIs are using the Google Oauth, so students can see only their own data after the sign up with NetID through google.
- There are two issues
- Are we in violation of FERPA if we release student data without student consent, to students, who are not student employees
- Who will oversee the technical implementation to make sure that secure practices are followed and student data is not at risk
- Notes:
- Anthony - Do we have the right to release the student data?
- Anthony - Concern that we are providing them with student data and we don't tell the student what they are giving consent for
- It is a ferpa violation and we are not storing a record when a record was released
- Sara - it was a good intention, but it is not feasible from policy point of view
- Sam - Need to define how to enable it
- Jennifer - we need some entity that oversees the student development
- Need to oversee the policy side of it, ferpa issues, retention issues
- Anthony - if we solve the Ferpa issue, the security is not an issue for Reg as we transfer the responsibility to the student
- Sam - there is a consensus that there needs to be some entity that the student needs to affiliate with in order to get access to this data and an agreement to what they can do or not.
- if we want some logging then we can ask that. we can provide an API for people to deposit records when collecting consent
- Sam - what if there is a body in SIST or ETS that is the owner of all requests and is the approving body?
- Seth
- it is not that SIST is not providing the functionality that is needed by students, the gogaucho app provides campus-wide functionality that is shallow but wide.
- there are other APIs, not just the ones provided by SIS&T
- GOLD allows students to manage their records, sign up for classes, where GoGaucho provides wide variety of information
- Anthony - if AS is the owner then tracking of release is easy, if we can find a structure where the university owns the app.
- Sam - What if there is an organization that you join that provides oversight
- Diana - if students can find a person or org to oversee it then they can go forward
- Shea - what is the violation cost?
- Anthony - there is not preset dollar amount. It is case per case.
- it is not millions of dollars
- Sam - there will be an investigation, it will look into the structure we have put in place. If we have an agreement that student developers sign and reasonable coding standards for the security that they need to provide. Not too different than other apps we develop.
- ferpa doesn't make distinction between what type of data we expose, grades are the same as schedule of classes
- What if students find someone that is willing to take them on - to oversee their application development
- If the entity is not owning the app, we need to collect the Ferpa consent
- Steven - the API team is running into an issue with volunteer time and if we have a position to oversee these it will be great
- Jennifer - can we do a similar model as the devise approach with student fees?
- Can it be an OSL organization? - the OSL orgs are not affiliated with the university. It has to be AS app.
- Currently with GoGaucho any work done in a course it is owned by the students. University cannot own it
- Sam - not sure we need the two paths. Shea's approach of university getting who signs the app into the app store
- Be affiliated with AS group - a first step
- Seth - all APIs or sensitive only?
- Sam - sensitive only
- Do we want Nancy Hamill to weigh in?
- Steven - some students will push back on signing off the app to the university
- Jennifer and Shea - then they can't have this data
- Sam - there is liability with us owning the app - we need to keep it forever, there are expectation, etc.
|