[teknoids] clinic student/faculty communications and confidential info.
covey at law.unm.edu
Fri Nov 17 17:57:08 EST 2017
We faced the same issues, so a lot of the notes below are what others have shared with us off list (thank you to our many previous sharers) or our team and clinic have worked out; some issues are a bit tricky, so posing those as questions in hopes this helps Courtney and anyone else who has to work with Clinic email:
* Apart from e-discovery, is your location subject to open records requests, and if so, depending on what is done over email, what would be open to those requests?
  o If one was using a mechanism that wasn't 'university student email' - hmm, not sure what the ramifications are . . . .
* If the owner of an email account is not checking it, or is gone, and important content or an attachment is in it, can that content be retrieved? Quickly?
  o If all the students CC a functional 'listener' address, or even set Reply To that address, that could capture the data for your clinic. There are other technical ways to capture email if you own your email system, or ask your provider for some sort of capture mechanism.
* If a student uses their device to access clinic email, can it be subpoenaed? Are there retention issues? And then there's texting, photos . . . . ay
* As Ken notes, there are likely a number of reqs to specify for any personal device - auto-lock, auto delete after x bad attempts, Antivirus, VPN, passcode length . . . . can they have cloud apps on that device?
* In terms of content, are certain data types like PHI banned entirely over email, whatever the device?
* Do they always have to CC a Clinic supervisor on their emails, or first get permission?
* Maybe your case management system has a good way to capture emails, though there are likely some procedurals related to that - the user may have to manually add emails to a case
* If using personal devices, do they need to sign an agreement to handle clinic email?
* Procedural - do students use a certain signature during Clinic, then adjust as they out process? Does an out of office need to be set to warn senders?
* Does a clinic need or want data loss prevention software that's not provided by the university?
* Is there a procedure if a device is lost or stolen?
* Are emojis admissible?
As Doug notes, I'd too argue there are many strong reasons to give clinic students separate accounts that can remain open at the clinic's discretion, and provide more controls than maybe what the university can.
Hope this helps!
From: Teknoids [mailto:teknoids-bounces at lists.teknoids.net] On Behalf Of Hirsh, Kenneth (hirshkh)
Sent: Friday, November 17, 2017 12:46 PM
To: Teknoids <teknoids at lists.teknoids.net>
Subject: Re: [teknoids] clinic student/faculty communications and confidential info.
A few thoughts:
1. Can you work with campus IT and the university counsel's office to examine the Google contract and determine whether they have any obligations to comply with clinic confidentiality requirements?
2. Clinic users, both students and faculty, could take the extra step of using an encryption product, such as Virtru <https://www.virtru.com/>.
3. Beyond the risk of interception during transmission or hacking of the Gmail message storage, students and faculty could be cautioned about the risk of loss at their device, such as when a notebook, tablet or phone is lost or stolen. The clinic could adopt a policy of requiring all to encrypt those devices, which is good practice anyway. Of course, encryption is not the be all and end all, but students, like attorneys, are required to take "reasonable efforts" to protect confidential client information, not superhuman effort.
ken.hirsh at uc.edu
From: Teknoids [mailto:teknoids-bounces at lists.teknoids.net] On Behalf Of Courtney L. Selby
Sent: Friday, November 17, 2017 2:37 PM
To: Teknoids <teknoids at lists.teknoids.net>
Subject: [teknoids] clinic student/faculty communications and confidential info.
Our students retain their Hofstra email accounts, and access to the messages sent and received during law school, indefinitely following graduation. These student accounts are hosted by Google. Because clinic students communicate with the faculty regarding confidential matters related to clinic cases, we have some concerns about using student email accounts for clinic matters. We have requested that our clinic students receive university employee accounts to be used only for communications for the clinic. Unfortunately, under university policy we can't assign our clinical students employee email accounts (though we are still attempting to negotiate an exception).
Have any of you explored conducting faculty/student communications about clinical matters without the use of university student email? We use Time Matters in the clinic, but I am not sure that the platform provides for one-on-one discussion between a faculty member and a student in a way that could satisfactorily replace email.
Courtney Selby, JD, MLIS | Associate Dean for Information Services, Director of the Law Library and Professor of Law | Maurice A. Deane School of Law at Hofstra University Law Library
122 Hofstra University | Hempstead, NY 11549 | 516-463-5901 | lawcls at hofstra.edu
Not everything that can be counted counts, and not everything that counts can be counted.
- William Bruce Cameron