OIS: FAQs: Protecting Electronic Grade Information

1. Summary

This document explains the rules regarding the secure storage and transmission of electronic student grade information, and how University users can comply with those rules.

Electronic grade information is confidential information per federal and state law (see "Discussion of the Rule" below).  Therefore, users in possession of electronic student grade information must encrypt that information when it is:

  1. stored on either a) any portable device (laptop, tablet, phone, or flash drive) or b) any non-state-owned computer (e.g., home computer, Google, Dropbox), or;
  2. transmitted over the Internet.

Acceptable methods for transmitting electronic grade information:

  • Blackboard
    • Have students log into Blackboard to retrieve their grades.
    • Use Blackboard’s “messaging” feature (not Blackboard’s email feature).
  • via Internet Email ONLY IF:
    • You use secret codes for students instead of their real names and send all grades to all students in class OR
    • You encrypt the file containing the grade information.

Acceptable methods/locations for storing electronic grade information:

  • In Blackboard;
  • On a University-owned desktop computer;
  • On a portable or non-state-owned computer ONLY IF:
    • The device has whole-disk encryption enabled and/or;
    • The file containing the grade information is encrypted.

Here is a flowchart showing the decision tree for storing electronic grade information.

2. Discussion of the Rule

Texas state law TAC 202.1(3) defines confidential information as “[i]nformation that must be protected from unauthorized disclosure or public release based on state or federal law (e.g. the Texas Public Information Act, and other constitutional, statutory, judicial, and legal agreement requirements).”

FERPA is a federal law that protects student grade information from unauthorized disclosure and public release.  Ergo, student grade information is confidential under Texas state law.

Texas state law TAC 202.75(4)(A) states that “[c]onfidential information that is transmitted over a public network (e.g.: the Internet) must be encrypted.”  Texas state law TAC 202.75(4)(C) states that “confidential information must be encrypted if copied to, or stored on, a portable computing device, removable media, or a non-agency owned computing device.”

3. Frequently Asked Questions

Q: What is whole-disk encryption? A: For storage on a portable or non-state-owned computer, an alternative to encrypting individual files is to encrypt an entire hard drive, also known as “whole-disk encryption.”  With whole-disk encryption, any file stored on that disk is automatically encrypted.  Windows comes with a free whole-disk encryption program called BitLocker; OS X comes with a program called FileVault.  Most University-owned Windows laptops already have BitLocker turned on, so you can safely store grade information on these laptops without encrypting individual files. If you are unsure whether your University-owned laptop has BitLocker turned on, please call the IT Department at x2692.

Q: How do I encrypt individual electronic files? A: Many common programs, such as Microsoft Word and Excel, offer the ability to encrypt the documents and spreadsheets you create in them.  For example, in Microsoft Excel, you choose Home > Prepare > Encrypt.  There are also free encryption programs that you can download from the Internet and use to encrypt/decrypt any kind of file.  The IT Department has been evaluating several of these programs and currently recommends MEO from NCH Software.  This program is simple, free, and works with both Windows and OS X systems.  The only downside of MEO on Windows systems is that the program installs various placeholders for other free NCH programs, which can show up on your Start menu and genuinely make a nuisance of themselves, but they are easy to delete.

Q: Can I transmit unencrypted grade information to a student’s Islander account? A: No. You’d think so, because the Islander system is on state-owned computers.  However, Islander provides its users with the ability to forward any incoming mail to an external mail account, e.g., Gmail or Hotmail.  Thus, if you send unencrypted grade information to studentX@islander.tamucc.edu, it's possible that student X has forwarded that account to studentX@gmail.com.  In that case, any information sent to the Islander account goes over the Internet, which is prohibited.

Q: Can I transmit unencrypted grade information via Blackboard?  A: Yes, but you have to be careful.    Blackboard offers two ways to transmit information to people: email and "messaging."  Email is a traditional email service that actually sends the entire message to the recipient.  In contrast, messaging stores your message on the Blackboard servers and transmits only a notification to the recipient saying that a message is waiting for the recipient on Blackboard.  The recipient then needs to log into Blackboard to get their message.  Unencrypted grade information can be communicated via the messaging function, whereas such information cannot be sent via Blackboard's email function.

Q: Can I store my unencrypted grade information on cloud storage services like Google Docs and Dropbox?  A: No. Because cloud storage services are non-state-owned computers, you may store grade information on cloud services only if it is encrypted.  None of the major cloud services encrypt, so it's up to you to encrypt.  So if you keep your gradebook in an Excel spreadsheet that you want to copy to your USB thumb drive (a portable device) or to Google Docs (a cloud service), then you must encrypt it.

Q: Can I store my encrypted grade information on cloud storage services like Google Docs and Dropbox?  A: Yes.  Watch out, however, if you are using the web to create the document, not just store it.  For example, Google has a full suite of online programs for creating word processing documents and spreadsheets.  There is no way to encrypt these documents online.

Q: Can I transmit my unencrypted grade information using secret codes instead of student names?  A: Yes, as long as 1) the secret code is truly random, 2) the code for a given student is known only to the given student and yourself, 3) all grades are sent to all students, and 4) the listing of all grades is itself totally random, i.e., not sorted on some public information like last name.
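
The four conditions above can be checked mechanically before a grade list is sent. The following is an added example, not part of the original FAQ or any University tool; the student names, grades, code length and function names are constructed assumptions.

```python
import secrets

# Constructed sample gradebook; names and grades are made up for illustration.
GRADES = {"Ana Ruiz": 91, "Ben Cole": 78, "Chen Li": 85, "Dee Park": 78}
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # omits look-alikes (0/O, 1/I)


def assign_codes(students, length=8):
    """Condition 1: one unique code per student, drawn from the OS CSPRNG."""
    codes, used = {}, set()
    for name in students:
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        while code in used:  # regenerate on the rare collision
            code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        used.add(code)
        codes[name] = code
    return codes


def build_posting(grades, codes):
    """Conditions 3 and 4: every student's row, in an unpredictable order."""
    rows = [(codes[name], grade) for name, grade in grades.items()]
    secrets.SystemRandom().shuffle(rows)  # not sorted on name or roster order
    return rows


def check_posting(rows, grades, codes):
    """Fail closed before sending: full class, unique codes, no names."""
    posted = [code for code, _ in rows]
    if len(set(posted)) != len(posted):
        raise ValueError("duplicate code in posting")
    if sorted(posted) != sorted(codes.values()):
        raise ValueError("posting does not cover the whole class")
    text = "\n".join(f"{code}  {grade}" for code, grade in rows)
    if any(name in text for name in grades):
        raise ValueError("student name appears in posting")
    return text


if __name__ == "__main__":
    codes = assign_codes(GRADES)  # keep private: this links names to codes
    print(check_posting(build_posting(GRADES, codes), GRADES, codes))
```

Condition 2 is a handling matter rather than something code can enforce: the name-to-code mapping is what ties a grade back to a student, so it never goes into the message, and each student receives only their own code.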

Q: Can I request that students use their Islander email account when corresponding with me?  A: You can certainly ask, and you can make a policy that you will not answer student-related questions in email unless it is from the student’s Islander email address.  However, there is nothing that IT can do with technology to force students to communicate with you only by Islander.

Q: When I send an email to “All Student Users” in Blackboard, does this go to their Islander email, or can it go to another email address?  A: It can go to another address.  The default is the student’s Islander address, but students can go in and change that value.

Q: Do I have to protect all grade information, or just the final grade in a class?  A: All grade information.

4. For Further Information

Please contact the Office of Information Security: ois@tamucc.edu.