Opinion: Peering Through the Keyhole of Education Data Privacy

As we continue to embrace innovative technologies to interact in education, at our jobs and in play, ensuring we are in control of our data takes on increased significance. A data breach of a government agency can put top secret information into the hands of nefarious actors. A corporate data breach may result in loss of a company’s proprietary information and incur a huge financial cost. If our personal data is compromised, it can affect our current and future reputation, finances, health and much more.

DATA PRIVACY VS. SECURITY

The terms data privacy and data security are sometimes used interchangeably, and while there are similarities, these terms have important differences. Data privacy relates to personal data collected, stored and utilized by consent. Data security typically refers to how data is protected from unauthorized access, for example by a cyber attack or data breach.

In higher education, data privacy is particularly important to safeguard and protect employee information and student data. Failure to comply with privacy laws and regulations can result in substantial legal actions, sanctions, liabilities and penalties. One of the missions of the U.S. Department of Education is to protect student privacy and administer “student privacy laws such as the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA) and provide technical assistance to help schools and school districts safeguard information about students.”

The data collected by colleges and universities can be substantial and include both personal and academic information, and demographic data such as age, race, gender and economic status. This data could also include behavioral, attendance, grades, activities and learning-engagement items.

On any typical day, institutions collect a wide assortment of data on students and staff. The day may start with an application remotely checking license plates in the college parking lot. Each time someone swipes their card to gain entrance to a room or pay with a dining card, data is being collected. Perhaps an instructor is checking the academic performance of a student, and a coach is reviewing the play execution of a football player. Or a student and parent are trying to pay a tuition bill online. Every minute, data is being collected, stored and shared in some way.

FINANCIAL DATA

In addition to protecting academic data, higher education institutions also need to safeguard the data of the financial services they provide through financial records, financial aid and tuition payments. This relates to the requirements of the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule.

As explained by the consulting firm CliftonLarsonAllen, “Under the Gramm-Leach-Bliley Act (GLBA), organizations defined as ‘financial institutions’ must keep customer information secure and confidential. The Safeguards Rule, one of three sections of the GLBA, was updated Dec. 9, 2021. With this update, the Federal Trade Commission notes that an organization ‘engaging in an activity that is financial in nature or incidental to such financial activities’ is considered a ‘financial institution’ and must comply.” The National Association of College and University Business Officers (NACUBO) provides helpful informational resources about this topic on their Privacy and Data Security Resources site.

PROACTION

Today many colleges and universities are embracing and implementing predictive and prescriptive data monitoring and analysis of students. This data can be especially useful in improving a student’s academic performance and success. According to the Chronicle of Higher Education last fall, this predictive data provides “early alert systems that flag advisers when students show signs of dropping out. Faculty members can now evaluate and adjust their learning materials by tracking how often, and for how long, students engage with them in learning-management systems.” While these tools are extremely valuable, this provides yet another set of data which needs to be protected and monitored to prevent unauthorized access and dissemination.

It is also important to consider how college students view data privacy. Many of these students do not seem to trust their institutions with their data, or do not clearly understand how their personal data is stored, utilized or shared. In 2022, Educause conducted a survey of over 800 undergraduates in the United States which found “(o)nly about half of respondents agreed or strongly agreed that they have confidence in their institution’s ability to safeguard their personal data or that they trust their institution to use their personal data ethically and responsibly.”

While students are increasingly concerned about their personal data, some are not certain of the data privacy policies and practices of the institutions they attend. In a 2021 survey of 2,286 undergraduates conducted by the market research firm College Pulse, 51 percent of respondents were either not sure or not aware of their institution’s data privacy, and 69 percent were not sure they had the ability to set permissions for their college data.

There are several important steps college students can take to protect their personal data. While it may not be the most engaging information to read, it can be extremely helpful to review and understand a school’s data policy. This policy should include information about what types of student data it’s appropriate or unacceptable for them to collect, which third-party applications utilize student data, compliance protocols, FERPA policies, and whether or not school employees have required FERPA and data privacy training.

Other actions students can take include opting out of data-sharing requests, using approved campus Wi-Fi networks to access institutional resources, using a VPN whenever possible, and using strong passwords and changing them regularly. If their institution provides training or information on data privacy and cybersecurity, students should take advantage of it.

INSTITUTIONAL RESPONSIBILITY

For institutions, several things are necessary to best protect their data and its privacy. These objectives need to be part of an entire campus ecosystem, rather than the responsibility of a single department. Schools need to appropriately identify and classify all data, as well as sustain continual monitoring and threat detection. All data which is shared internally and externally through an institution needs to be secure, protected, encrypted, and associated with appropriate management rights. Regular external audits are needed to ensure institutions are following best practices and policies to protect all data.

The Student Privacy Compass, a website of resources that provide some helpful guidance regarding the attitudes of college students toward data privacy, recommends: “Higher education institutions should teach data privacy, ethics, and literacy courses to help students think critically about data privacy.” In addition, they suggest that institutions and technology companies inform end users how personal information is shared, and they propose additional research to study the attitudes, expectations and behaviors of college students regarding data privacy.

Certainly, school administrators and IT leaders must continue to peer through an ever-widening keyhole to see where the personal data is and how it can be best protected behind the door of cybersecurity. This is not a “one and done” practice, but a continuing, evolving process. Turning the key and locking our private data is only part of the story. We need to know what is behind the door, who has the key, and where the key is kept. As Judy Garland once said, “I’ve never looked through a keyhole without finding someone was looking back.” Hopefully, the only thing behind our door of private data is the data itself.