Community

Disable Contact for Esri Access (FERPA Compliance)

1024
4
02-15-2022 12:16 PM
Status: Open
Labels (3)
ChrissyRothgeb
by
New Contributor III

A few years ago when Esri made it possible to enable Esri Access at the organization level for ArcGIS Online, I was overjoyed! That is, until I found out that a new directive in the form of FERPA compliance was going to cause an issue for us.

Specifically, the bill states that full name and email address are not allowed to be disclosed to an outside organization except for the expressed purpose of the service without the student's written consent. Details are in the links at the bottom of this post.

According to the notification when enabling Esri Access:

ChrissyRothgeb_0-1644955078864.png

 

As this means that Esri could contact our student for anything beyond information directly relating to our use of the service (access to Esri Training), we would need the written consent of each student, basically making the ability to set it as a default invalid.

I have spoken to other universities, and while they do not feel this is a problem, our university legal department has made clear this is indeed in conflict with FERPA and we cannot enable this feature. It seems to me that even if this is not a problem with other universities, it would be for grade school systems that maintain organization accounts and wish to use Esri Access.

What I would like to see is, at minimum, the ability to disable this contact functionality for organizational accounts with Esri Access at an organization level. I think our legal department would be even happier if no personal data was shared between the Esri and Org accounts beyond login.

I don't know if this is possible, but that seems like the only way we can enable this feature. Until then, I'll keep inviting students to join our org with a Public account of their choice, and them getting confused which account to use when. At least in this way the student decides whatever information they chose to disclose and not the university, taking the onus off us.

References:

 

Tags (2)
4 Comments
ReinaCMurray
by
‎02-24-2023 09:29 AM

@ChrissyRothgeb-- we haven't noted this as an issue at our institution (although I'm now afraid to ask). One thought, could the "Access Notice" settings in AGOL count enough as "written consent"?

Right now in the org settings, it's just an enable/disable option, but what if there was the option to customize/write your own access notice?

ReinaCMurray_0-1677259610835.png

 

ChrissyRothgeb
by
‎02-24-2023 11:57 AM

I will check with Legal, but I seem to recall their concern about forcing it in such a manner, plus drawing attention to the issue. Still, if it can be done through approval, I'm all for it. Having students create Public accounts and understanding how to juggle them is frustrating.

ChrissyRothgeb
by
‎02-27-2023 11:33 AM

Actually, I went into the Org Settings, and that warning is no longer presented when attempting to enable Esri Access org-wide... 

ChrissyRothgeb_0-1677526276437.png

Does anyone know if this has changed? What information is automatically shared between the ArcGIS Online org accounts and Esri proper when this is enabled? How are communications from Esri and sharing to third-parties handled? This may change everything for us, or nothing. Thanks!

ChrissyRothgeb
by
‎02-28-2023 11:43 AM

Okay, apparently there is simply no warning for Esri Access enablement as a New Member Default. Enabling Esri Access on an individual account still generates the warning.

I went digging a little, and if you have Esri Access enabled on your ArcGIS Online org account, under your account's user settings (https://<org>.maps.arcgis.com/home/user.html#settings ) you'll find:

ChrissyRothgeb_0-1677612233962.png

The "Manage email from Esri" section is missing for org accounts without Esri Access enabled.

That "Set email preferences" button takes you to the same place that you get from your My.Esri.com profile overview to "Manage Mail and Email Preference" (https://www.esri.com/en-us/manage-subscriptions#/😞

ChrissyRothgeb_1-1677612481351.png

By default, when I enabled Esri Access on my own org account, it was automatically signed up for:

  • Product News, Updates, and Announcements
    • ArcGIS AppStudio
    • ArcGIS Earth
    • ArcGIS Insights
  • Customer Resources, Training, and Events
    • Esri User Conference
    • Regional and Industry Events
    • Training Opportunities
  • Industry Newsletters and Webinars
    • National Government
    • Science

While I have no problem getting those emails myself (they seem quite useful), the automatic marketing to org accounts is what prevents us from turning on Esri Access as a New Member Default.

So what I guess I'm asking for is a way to default opt-out org accounts from Esri marketing (and sharing with 3rd parties should Esri also do that). Given you still have to specifically acknowledge the agreement with Esri's Community, and your account can't just be looked up by anyone, I think that would be sufficient to protect us from violating FERPA.

One final note, FERPA is a Virginia, US thing. I don't know if something like it exists for other states or nationalities, but it's quite possible this has a fairly limited scope. That said, I can't imagine the EU with its privacy concerns doesn't have something against it.