Data Security and Retention
Beginning in August 2013, the University switched from ID cards with just magnetic strips that must be reissued annually, to cards with embedded microchips that can be read by the appropriate scanners in real time, enabling authorization to enter campus facilities by students, faculty, and staff. As a person swipes his or her card at a reader, the date, time, location, and card ID number are logged, and the person's picture and name can be displayed on a monitor used by security guards at entry points.
Universities across the country are rightly concerned with the safety and security of their campus communities. One tool in ensuring campus safety is a system that allows security to know who is on campus at any given time, and that anyone admitted to campus is authorized to be there.
The new cards use new iClass SE technology, which cannot be copied or altered. The ID card microchips are a passive system that can only be accessed by an iClass SE digitally signed reader (meaning a device specifically authorized to read Fordham-issued cards) when the card is placed less than 4 inches from the device.
(Technically, all wireless readers and cards transmit and receive on radio frequencies, and thus are "RFID" cards, but that designation is generally used in reference to an older generation of readers and microchips with weaker or nonexistent security protocols.)
Information technology security is not static: as the technology advances, so will efforts to compromise that technology. The University is committed to upgrading its technology as necessary to protect its data, and the data embedded in the ID cards it issues. The card readers Fordham uses, for example, are "upwardly compatible," meaning they can be upgraded to a newer protocol should the iClass SE protocol become compromised in the future.
The ID card stock is produced for Fordham University only, and requires two levels of authorization to purchase blanks. These controls assure that, as much as possible, the card stock will not be used to forge ID cards.
The automatically generated access logs are not fed into any other University data systems (i.e., Human Resources, Banner, Blackboard). Like all other data, the logs are protected, physically and electronically, from unauthorized access within and without the University. The logs are used in real time to authorize access to Fordham property, and retained for several months for diagnostic purposes, after which they are encrypted and archived on secure backup media. Fordham personnel do not have routine access to log data: it is treated with the same or greater level of confidentiality as other personal information Fordham retains in the course of normal University business, such as addresses, grades, and contact information. Under extraordinary circumstances, such as a criminal investigation, emergency, or disaster recovery, log data may be made available to Fordham officials and/or civil authorities.