[unisog] Freedom of Information Act

Jim Dillon Jim.Dillon at cusys.edu
Mon Sep 8 22:47:03 GMT 2003

I agree in part - change is needed, but it's in understanding the whole scope of privacy, particularly the forces driving all this current regulation/legislation.  We have a state law that requires minimal collection and distribution of data, and it includes name and address in the sensitive class.  This law applies as well as FERPA.  The out given by FERPA is closed by state law in CO. It makes any discussion of "directory information" reasonably useless, as compliance is required by both - directory information is an allowance, not a requirement of FERPA (you can define it, you aren't required to have some, at least that is my read...)

I believe you have to look at privacy conservatively.  OPT in, not out, by default.  Treat anything identifiable as secret, minimize collection and distribution to the point it hurts, at least just a little.  You are then probably coming close to meeting the requirements of a lot of the privacy rules.
My opinions only...

Best regards,


Jim Dillon, CISA
IT Audit Manager
University of Colorado
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

-----Original Message-----
From: Chris Stoermer [mailto:stoermer at unt.edu]
Sent: Monday, September 08, 2003 12:14 PM
To: unisog at sans.org
Subject: [unisog] Freedom of Information Act


An email came through the other day that had one of my alternate addresses as the delivery address.  After doing a little snooping, I found that our email addresses are part of "directory information" covered in the FIA.

In light of all the security concerns we have with viruses, would any of us agree that the definition of "directory information" needs to change?

I have already written my reps.  I even sent a message to "Homeland Security".

