According to the report, some institutions have multiple IT departments and decentralized systems, which leads to “inconsistent policies and procedures.” It said students and faculty have been increasingly concerned about the use and disclosure of personal information to third parties without consent or prior notice, but that many institutions' privacy policies do not clearly communicate how institutions use data.
The report noted that many institutions have not properly implemented controls over access to the network, adding that many documents and files that used to be locked in cabinets are now often accessible to “almost everyone within the organization.” It also noted that it often takes a long time to change and implement new privacy policies and procedures.
“Students are aware of data protection risks and take privacy seriously. Some personal identifiers, such as email addresses, can be easily replaced. But biometric information such as fingerprints and facial geometry scans are unique,” Alan Tang, principal research director at Info-Tech Research Group, said in the report. “With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage. Students care about their data privacy, and this concern is increasing … As the general public begins to take back control over data privacy, so too should education institutions by taking a tactical, measurable approach to privacy and the business.”
According to the report’s recommendations, organizations need to create new data privacy policies that better define how data will be processed and used, and take steps to protect that information throughout the data life cycle. For example, it suggests minimizing what data is collected in the first place, providing privacy notices to people from whom it is being collected, setting limits on what purposes it can be used for, implementing security measures to control who can access it, having formal agreements for any sharing with third parties, and de-identifying or deleting the data once it has served its purpose.
Repeatedly, the report urged "privacy by design" — making privacy the default throughout the entire process of designing strategies for data governance, regulatory compliance, incident response, risk assessments and other aspects of the institution's data framework.
The report noted that 86 percent of data breach costs are associated with regulatory fines, and that a robust privacy program can reduce the risk of regulatory compliance issues and the resulting fines, as well as minimize the institution's overall exposure to data breaches.