Protection of Graduate Admissions Data

September 14, 2018

UCLA Office of the Executive Vice Chancellor and Provost

To: Deans, Department Chairs, Vice Chancellors, Vice Provosts and Members of the Common Systems Group

Dear Colleagues:

Institutions of higher education are prime targets for cyberattacks, and UCLA is no exception. These attacks pose a serious risk to individual privacy and create substantial liabilities. We are morally and legally responsible to protect the data that we collect and maintain.

In some academic units, it has become common practice to bulk-download graduate applicant data from Graduate Division portals into local systems that have been customized to support faculty review and selection of candidates for admission. Many academic units do not purge out-of-date applicant data on a regular basis.

Several recent UCLA data breaches have revealed that these local systems present significant cybersecurity and privacy risks. The following steps are being taken immediately to reduce these risks:

  1. Social Security numbers will no longer be collected as part of the graduate application. The Graduate Division, IT Services and Financial Aid have identified other ways to link applicant information to the applicant’s Free Application for Federal Student Aid (FAFSA) for determining eligibility for need-based financial aid.
  2. Graduate Division and IT Services have continued developing Slate to support local admissions administration and faculty review. Unlike prior admissions platforms (Hobsons, DecisionDesk), Slate offers a feature-rich and flexible framework that can be adapted to support a wide range of admissions requirements and review processes.
     
    • Effective immediately, applicant file data will no longer be exported by the Graduate Division to local platforms and servers. Bulk, automated downloads will also no longer be supported. Department administrators will be able to manually export some applicant data as CSV or Excel files from Slate, but those exports will not include any fields containing personal or sensitive information. The entire application cycle, including faculty review and decision-making, will be managed within the Slate and Graduate Division environments.
       Pending assessment and certification of their data security environments, units that have been determined to have exceptional requirements for their supplemental application materials, combined with early deadlines, will be exempted from transitioning this year, but will migrate to Slate for the next reviewing cycle.
       
    • Recognizing that graduate programs employ a variety of workflows for reviewing applications, the Graduate Division has collaborated with department and school IT staff to implement a suite of reviewing configurations and options. If they have not already done so, departmental SAOs and IT support staff should contact the Graduate Division as soon as possible to identify the review process that will most closely meet their needs. The workflow options will continue to be refined in future years.
       
    • Particularly sensitive information, such as responses to gender identity questions, is no longer included in PDF files generated by Slate.

In the coming months, IT Services will work with departments and schools and their IT staff to identify and purge old and vulnerable student data from platforms, servers and personal computers, and will promulgate standards for student data security, retention and routine purging.

I appreciate that protecting privacy and maintaining data security are challenging. Thank you for your commitment and compliance with best practices in this evolving landscape.

Sincerely,

Scott L. Waugh
Executive Vice Chancellor and Provost