Data Privacy Must Be Default in Higher Ed

A recent report from IT research firm Info-Tech Research Group is urging higher education institutions to establish holistic and integrated privacy programs that embeds privacy by design principles into their business processes.

As higher education institutions have seen a growing demand for online and hybrid learning opportunities, this demand is accompanied by increasing pressure to protect the personal data of students on college networks.

The report – entitled Build Business-Aligned Privacy Programs for Higher Education Institutions – notes that of the biggest challenges to strengthening privacy practices at college campuses is creating a comprehensive, organization-wide data protection and privacy strategy, and communicating how data is being used.

However, many institutions have not properly implemented controls to grant access to the network. As a result, many documents and files that used to be locked in cabinets are often accessible, Info-Tech said. The report also explains that it often takes a long time to change and implement new privacy policies and procedures.

Alan Tang, principal research director at Info-Tech, noted that while some personal identifiers – such as email addresses – can be easily replaced, biometric information such as fingerprints and facial geometry scans are unique.

“Students are wary of privacy risks and value privacy protections. So should the leaders at education institutions,” Tang said in the report.

The report recommends that institutions adopt a “privacy by design” strategy, making privacy the default throughout the entire process of designing strategies for data governance, regulatory compliance, incident response, risk assessments, and other aspects of the institution’s data framework.

In addition, the report recommends that institutions create new data privacy policies that better define how data will be processed and used, and take steps to protect that information throughout the data life cycle.

Those steps include: minimizing what data is collected in the first place; providing privacy notices to people from whom it is being collected; setting limits on what purposes it can be used for; implementing security measures to control who can access it; having formal agreements for any sharing with third parties; and de-identifying or deleting data once it has served its purpose.

“With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage. Students care about their data privacy, and this concern is increasing,” Tang said.

“As the general public begins to take back control over data privacy, so too should education institutions by taking a tactical, measurable approach to privacy and the business,” he urged.