© 2005 Vishant Shah
EDUCAUSE Review, vol. 40, no. 3 (May/June 2005): 70–71.
Classic Privacy Policies
Next-Generation Privacy Policies
State rules, regulations, and laws created in the past few years have forced educational institutions to upgrade their information technology policies. Thus, next-generation privacy policies are more detailed and longer, and they reference state laws. The information-gathering, information use, and cookies sections are more detailed and are joined by newer elements such as sections on information disclosure, retention, procedures for access and review, and confidentiality/integrity.
An additional element in the next-generation privacy policies is the information disclosure section, which explains the types of information that consenting users may voluntarily provide to the educational institution when using its Web site. Examples include users who complete a transaction, fill out a survey, request information such as a catalog, e-mail staff using a Web form, or sign up for a listserv. These users usually provide personally identifiable information, and the educational institution pledges to use it responsibly to complete the user's request. Again, users are reminded that this information will not be shared or sold to parties outside of the educational institution unless the institution is complying with law enforcement authorities. The Family Educational Rights and Privacy Act (FERPA), the USA PATRIOT Act, and state open-records laws are referenced in the disclosure section as well.
Other elements of next-generation privacy policies include sections on retention, procedures for information access and review, and confidentiality/integrity. Electronic records and access logs created by Web sites are retained, maintained, and disposed of based on a retention schedule. Time periods are defined for keeping these records on servers, archiving them onto stable media such as CDs, and destroying the records. Procedures for information access and review spell out the rules for a user to request any personal information that has been collected. Usually a privacy compliance representative is named, and a time period to respond to user requests is given. This section also defines reasonable proof to verify user identity. Finally, the confidentiality/integrity section names who should handle the information collected and how it should be handled. Limiting access to the collected information and using authentication and encryption are specific steps identified here.
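The retention and access-review sections above describe a lifecycle (keep on server, archive to stable media, destroy) driven by defined time periods, plus a deadline for answering a user's access request. The following is an added example, not code from the article or from any institution's policy, that turns such a schedule into a checkable rule set. The retention periods, the response window, and the log records are constructed for illustration and are not figures taken from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Disposition(Enum):
    """Where a record belongs under the retention schedule."""
    KEEP_ON_SERVER = "keep on server"
    ARCHIVE = "archive to stable media"
    DESTROY = "destroy"


@dataclass(frozen=True)
class RetentionSchedule:
    """Assumed periods for this example; a real schedule sets its own."""
    days_on_server: int      # live on the Web server
    days_in_archive: int     # then held on stable media (e.g. CD)
    response_days: int       # deadline for answering an access request


@dataclass(frozen=True)
class LogRecord:
    record_id: str
    created: date


def disposition(record: LogRecord, schedule: RetentionSchedule, today: date) -> Disposition:
    """Classify one access-log record by its age against the schedule."""
    age_days = (today - record.created).days
    if age_days < schedule.days_on_server:
        return Disposition.KEEP_ON_SERVER
    if age_days < schedule.days_on_server + schedule.days_in_archive:
        return Disposition.ARCHIVE
    # Past both periods: the record is destroyed rather than kept indefinitely.
    return Disposition.DESTROY


def apply_schedule(records, schedule: RetentionSchedule, today: date) -> dict:
    """Map every record id to its disposition; a batch job would act on this."""
    return {r.record_id: disposition(r, schedule, today) for r in records}


def access_request_due(received: date, schedule: RetentionSchedule) -> date:
    """Date by which the privacy compliance representative must respond."""
    return received + timedelta(days=schedule.response_days)


def access_request_overdue(received: date, schedule: RetentionSchedule, today: date) -> bool:
    """True once the response window has passed without being closed."""
    return today > access_request_due(received, schedule)


# Constructed sample data (not from the article): three Web access-log records.
SAMPLE_SCHEDULE = RetentionSchedule(days_on_server=90, days_in_archive=365, response_days=10)
SAMPLE_RECORDS = [
    LogRecord("acc-0001", date(2005, 5, 1)),   # recent: stays on the server
    LogRecord("acc-0002", date(2005, 1, 1)),   # past 90 days: move to archive
    LogRecord("acc-0003", date(2003, 1, 1)),   # past archive period: destroy
]
SAMPLE_TODAY = date(2005, 6, 1)

if __name__ == "__main__":
    for rid, action in apply_schedule(SAMPLE_RECORDS, SAMPLE_SCHEDULE, SAMPLE_TODAY).items():
        print(f"{rid}: {action.value}")
    received = date(2005, 5, 20)
    print("access request due:", access_request_due(received, SAMPLE_SCHEDULE),
          "overdue:", access_request_overdue(received, SAMPLE_SCHEDULE, SAMPLE_TODAY))
```

Keeping the schedule in one data object means the policy's stated periods and the job that enforces them cannot silently diverge; an auditor can compare the constants against the published policy directly.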
Public Policy Implications
Student financial information highlights some of the issues surrounding the public policy implications of privacy practices and policies. Since May 23, 2003, the Gramm-Leach-Bliley (GLB) Act has mandated privacy protection and the defense of customer financial information. College and university financial aid activities, such as administering federal student loan programs, fall under the act. Institutions protecting educational records in order to comply with FERPA also fulfill GLB privacy compliance but must meet additional requirements related to the safeguarding of student financial data [2]. These requirements include developing an information security management program and providing privacy notices to customers. In December 2003, the Federal Trade Commission and other agencies requested public comments on how to improve privacy notices so that customers can better understand how their financial information is handled [3]. Specifically, the agencies were looking for input on a model privacy notice that would be short and simple. Although the agencies have not yet reached a decision on model privacy notices, others are considering alternatives to current policy practices. Responding to recently approved European Union data-privacy initiatives, commercial Web sites are starting to develop shorter, modular privacy notices linked to longer policies [4]. Educational institutions outline some of their privacy practices in FAQ lists and in training manuals for financial information staff, but surveys continue to show the importance of clear, concise privacy notices. Although not mandated to satisfy the GLB Act or FERPA, posting such notices on financial Web sites improves transparency and represents good information management practices.
Notes
1. Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities (Boulder: CAUSE, 1997), p. 4, http://www.educause.edu/ir/library/pdf/PUB3102.pdf.
2. "Colleges and Universities Subject to New FTC Rules Safeguarding Customer Information," NACUBO Advisory Report 2003-01, January 13, 2003.
3. Proposed Rules, "Interagency Proposal to Consider Alternative Forms of Privacy Notices under the Gramm-Leach-Bliley Act," Federal Register, vol. 68, no. 249 (December 30, 2003): 75166.
4. Jaikumar Vijayan, "Companies Simplify Data Privacy Notices," Computerworld, January 10, 2005, http://www.computerworld.com/databasetopics/data/story/0,10801,98812,00.html.