Data Privacy in Higher Education
This blog post is part of a series discussing critical aspects of the Educause report “Top 10 IT Issues 2020: The Drive to Digital Transformation Begins.”
It’s been a long time since “privacy” just meant putting up a fence to keep nosy neighbors at bay. Today, when people speak of privacy, they’re often talking about data privacy. The reason is simple: more and more of what we do—both online and in the “real world”—can be transformed into data that is collected, analyzed, and sold. And in many cases, all of this happens without our permission.
The Role of Data in Higher Education
Educause listed “privacy” as its number two IT issue for higher ed in 2020 because of the vast amounts of data that higher ed institutions are able to collect from their students. If there’s to be any trust between students and their institution, school’s need to be able to answer basic questions like,
“What data is being collected?”
“Who has access to the data?”
“What measures are in place to keep it secure?”
The answers, unfortunately, aren’t always as clear cut as they should be.
Take the example of “gray data.” Many types of data are already regulated in some form. Laws like the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Protection Act will almost certainly be followed by more rules and regulations surrounding the collection, storage, and sale of data. But in some cases, data still falls into gray areas. For instance, when a student uses their key card to swipe in and out of their dorm, that generates data. If the same key card is used for buying meals, to access the rec and other facilities, or to take attendance in class, then it could be used to track a student’s whereabouts with a frightening degree of accuracy.
It may not be illegal to collect such data, but that doesn’t mean institutions should be cavalier about doing so. As we’ve seen time and time again over the past decade, no organization—including the government and Fortune 500 companies—is immune to breaches of their security systems.
And once data has been compromised, there is no turning back the clock. Students can’t simply be reimbursed for their data once it’s been stolen.
Making Data Privacy an Institutional Priority
Institutions can begin safeguarding their students’ data by making privacy a priority at every level.
The hiring of a chief privacy officer is a good first step. Ideally, it would happen in tandem with the creation of a privacy board, the drafting of a crisis response plan for data, and a review of data storage and classifications. Most importantly, institutions need to be communicating clearly and regularly with students about privacy policies, simplifying opt-out processes, and generally working to sustain their trust.
Colleges and universities around the country are collecting unimaginable amounts of data from their students every year. To gain and keep the trust of their student body, they should begin to view themselves as stewards not just of their students’ educations, but of their data, as well.