UC Berkeley Academic Senate Committee on

Computing and Communications (COMP)

October 15, 2004

Subj: Concerns about the data stewardship standards

The Data Management, Use, and Protection provisional policy was discussed at the COMP meeting on Oct 14, 2004. We are positive about this policy, believe it is appropriate and necessary, and commend the Council’s efforts to achieve balance between privacy and security concerns and the usability and invasiveness implications of these policies. The following is a list of issues and concerns that were raised in our discussion, and we look forward to discussing them with you further:

  1. The policy document is long and detailed, and therefore we are skeptical that all affected employees will read it (like faculty PI’s) in its entirety. Specific suggestions:

A. More use of diagrams and pictures that capture the relationships you describe abstractly.

B. A series of role-based documents that extract and compact and simplify the relevant aspects of the policy for particular job titles. In particular, our concerns as faculty are the responsibilities of faculty PI’s and graduate student researchers—it is difficult to surmise what is relevant to us, and what is not.

  1. As a general comment we found the sections specific to research data and survey data somewhat vague and incomplete. A number of issues are not tied down, like privacy of human subjects, what constitutes campus owned data (for example in joint research with other institutions), how this relates to separate standards that may be promulgated by funding agencies, and so forth. We are wondering if standards in this area should be done by, or in cooperation with, appropriate authorities or committees in the Office of the Vice Chancellor for Research?
  1. We have specific concerns about sensitive data in the context of classroom teaching. A widespread practice is to send data files (e.g. Excel) as attachments to email messages among instructors and teaching assistants. This may not meet your standards. In this area, it seems that the only practical approach is to provide online systems that include appropriate protections (e.g. the Sakai gradebook project), make them available, and then mandate their use. How can standards be imposed in the abstract without some practical means of implementation? We are wondering if standards in this area should be done by, or in cooperation with, appropriate authorities or committees in the Office of the Vice Chancellor for Undergraduate Affairs?
  1. The document asserts the need for secure computing environments for sensitive data, but does not elucidate any specific standards of security. For example, if a machine satisfies the minimum standards for security, is that sufficient? If not, what additional measures are necessary?
  1. Moving forward, we believe that not only policies are needed, but also step-by-step instructions and the promulgation of best practices. We are wondering what you have in mind for this?
  1. Specific concerns:

A. Requirements for backups, and security of backups (multiple copies, access, geographical diversity, etc?)

B. What does the “data dictionary” mean exactly in a research/survey context? How can we train thousands of faculty and graduate students create such a thing?