Navigating data privacy in the higher education ecosystem
The need for academic institutions to become data privacy advocates is paramount. Over the past 24 months, higher education institutions have accelerated digital transformation initiatives. While that transformation has been underway for some time, the pandemic quickened the pace and pushed data privacy and security among administrators’ top concerns. Institutions and their technology providers suddenly have access to much more detailed data about their students and their activities in education technology solutions.
This more detailed digital footprint of students is an opportunity to use it for the benefit of students, but it also raises concerns that institutions need to proactively address. On the one hand, the enhanced data sets have allowed institutions to better support students in the pandemic, for instance by identifying and reaching out to students who may need more support. But with more data also comes a deeper responsibility to use this data appropriately.
Despite popular belief to the opposite, studies show that the “digital natives” who grew up with digital technology do care about the privacy of their data. Just as they are expecting their institutions to provide them with best-in-class technology, they also expect leadership in data privacy and security.
As colleges and universities continue along their transformation journey, transparency, effectively assessing risk, and following new legislation will be critical in creating a culture of data privacy and security and determining which technology solutions will ensure data is appropriately used and protected.
The value of transparency
Recent reports suggest that 71 percent of students surveyed believe they should have the right to control how their colleges use data about them. In addition, less than half of students said they trust the technology platforms their schools use for remote learning to protect personal information. To assuage their wariness and build trust, institutions should operate with transparency regarding data utilization among students and faculty.
When implementing a new education technology solution, institutions should also consider working with their vendors to provide students and faculty with visibility into the technology, what kind of data it is collecting and for what purpose. This establishes trust with not only the student and institution, but also the vendor. Data-driven insights, personalization and data privacy do not have to be incompatible. Where institutions and vendors use privacy by design approaches and transparency as part of the process, they can go hand in hand.
The power of vendor risk assessments
Maintaining a vendor risk assessment process should be an important pillar of an institution’s data privacy and security programs. It helps identify current and future vulnerabilities with technology and integration access points. When deciding which new technology solution to adopt, assessing the platform’s capabilities and the level of security and data privacy it can offer is a vital part of the selection process.
One method schools can use when assessing vendor risk is the Higher Education Community Vendor Assessment Tool (HECVAT) created by EDUCAUSE’s Higher Education Information Security Council (HEISEC). The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk and is used by more than 150 colleges and universities. A risk assessment tool like this can help institutions perform a comprehensive review of the vendor solution and capture any potential issues.
The ever-changing regulatory landscape
Institutions should take the necessary steps to proactively strengthen data privacy and security as new laws and regulations continue to emerge to address security and data privacy risks.
Following the lead of California, more and more states are implementing or considering consumer privacy laws in the absence of a federal consumer privacy law. Several states are also deliberating strict security control requirements for cloud services under the StateRAMP certification scheme. StateRAMP is an organization developing a standardized approach to the security standards required from service providers offering cloud solutions to state and local governments.
But privacy teams at institutions that offer courses to a global audience also need to keep an eye on international developments. Following the EU General Data Protection Regulation, more and more countries have implemented data privacy laws with extra-territorial effects that could apply to U.S. institutions. Institutions with robust privacy programs that remain agile will be well-prepared to adapt to changing regulations as they emerge.
There are many components that make an academic institution successful, but one of the most integral parts to sustaining a quality and trusted educational experience for all is ensuring data privacy and security remain a focal point. The future of what the pandemic holds for education remains unknown and there will be more challenges to address, but by leveraging robust technology, solid internal data privacy and security practices, and partnering with trustworthy vendors, institutions can ensure that their most valuable information is safe and secure so students and faculty can rest assured their data is in good hands.