Context: On November 18th, 2015, the Graduate Center’s Legal Counsel, Lynette Phillips, and the IT point-person for FOIL requests, Matt Liston, held an open info session on how the NYS Freedom of Information Law can impact student data and emails.
Here are the main points that were brought up during this info session:
- Who can FOIL whom?
As per the law, anyone can submit a FOIL request for any paper or electronic data that is “kept, held, filed, produced or reproduced by, with, or for” a state agency, including data created by the use of state equipment or resources. Since the Graduate Center is a state agency and maintains information in both paper and electronic format, that data can be subject to a FOIL request by anyone.
- What type of data is subject to FOIL requests?
Any recorded data that is maintained by the Graduate Center, on GC servers and GC-provided desktop or mobile computing devices, is subject to FOIL requests. Data from any time can be subject to FOIL requests. However, student records are protected by FERPA (the Federal Education Rights & Privacy Act), and thus are usually not disclosed. Other disclosure exemptions apply to personnel and medical records, intellectual property and research products.
- How are FOIL requests made?
FOIL requests come into the GC from a variety of sources, and should be immediately sent to the GC’s office of legal counsel. Counsel will determine if the request is specific enough and whether any disclosure limitations apply. The request is then handed over to GC IT if any recordable electronic data is requested.
- What electronic data is ‘recordable’?
Most data associated with a GC user account is recordable. This includes, but may not be limited to: email, any data on the U drives, and web browsing history (not on public computers).
- Is student email subject to FOIL requests?
Yes. However, since most student email is now housed on third-party Microsoft servers, and not on GC servers, it is not considered ‘kept or held by or for the agency’, so it is not subject to production under FOIL. Student email is still subject to legal subpoena, though.
- Does the GC monitor student activity on school computers?
It was made clear that absent an alleged violation of law, CUNY policy or evidence of network interference, the GC does not monitor individual activities on school desktop and mobile devices, servers or networks. The details of when IT may monitor an individual’s computer use are spelled out in Article 4.13.3 of CUNY’s Policy Manual. See http://policy.cuny.edu/manual_of_general_policy/article_iv/policy_4.01/text/#Navigation_Location. However, in most cases where an investigation is requested, IT can monitor an individual account only after consultation with and concurrence by legal counsel, the President and the Chair of the Faculty Senate.
Summary: Any electronic data or files on GC servers, GC-supplied desktop and mobile devices, or the GC network are vulnerable to a FOIL request. Student email hosted by Microsoft (@gradcenter.cuny.edu) is not vulnerable to FOIL. Student data on GC servers (U Drive) or stored locally on University desktop or mobile devices is subject to FOIL. Web browsing history is subject to FOIL unless it resides on a non-public computer. As of today, no FOIL request has involved a GC student’s electronic data.