Addressing Information Security and Privacy in Postsecondary Education Data Systems

Key Takeaways

  • Any national postsecondary education data system will consist of a large collection of data designed to provide useful and reliable information about postsecondary student success and outcomes.
  • Any use of these data to improve student outcomes must acknowledge the necessity of maintaining the privacy of students and their families and properly securing any data sets containing personally identifiable data.
  • With thoughtful planning, comprehensive information security and privacy practices can be implemented within the national postsecondary education data infrastructure in a way that reduces risk, safeguards data, and ensures transparency, accountability, and trust.

In August 2015 the Institute for Higher Education Policy (IHEP) convened a working group to discuss opportunities to develop targeted recommendations for improving the national postsecondary education data infrastructure[1] so that students, policymakers, and institutions have the data they need to ensure positive student outcomes. What follows is a brief summary of the EDUCAUSE contribution to the IHEP series, Understanding Information Security and Privacy in Postsecondary Education Data Systems. You can read all contributions to the "Envisioning the National Postsecondary Data Infrastructure in the 21st Century" project here.

As IT leaders know, the data analyzed to obtain measures of student performance may come from a variety of data owners, including students, institutions, nongovernmental agencies, and state and federal actors; may reside in a number of IT systems controlled by these different entities (from institutional learning management systems to records maintained by the U.S. Department of Education); and may have varying levels of sensitivity (e.g., identifiable student-level data versus de-identified and aggregate data). Some of the data collected might be protected by federal and/or state law. Other data might not be protected by law but could be highly sensitive and embarrassing to the individual if shared or disclosed.

We need all these data, collected in a comprehensive and large-scale way, to address some of our most critical questions about how to ensure student success.[2] Yet every conversation about how these data can be used to improve student outcomes must also acknowledge the necessity of maintaining the privacy of students and their families and properly securing any data sets containing personally identifiable data. With thoughtful planning, comprehensive information security and privacy practices can be implemented within the national postsecondary education data infrastructure in a way that reduces risk, safeguards data, and ensures transparency, accountability, and trust throughout the ecosystem.

Definitions

Information Security: The study and practice of protecting data in all its forms; specifically, ensuring the confidentiality, integrity, and availability of data.

Privacy: The right of an individual to control his or her own data and to specify how those data are collected, used, and shared. In the United States, there is also a societal notion of privacy that limits the government's power to interfere in the autonomy of its citizens.[3]

Information Security and Privacy Concerns

No matter the infrastructure architecture employed (options under consideration in this paper series include a single student-unit-level record system, or other federated options where a number of different IT systems are logically linked together), any national postsecondary education data system will be a large collection of data designed to provide useful and reliable information about postsecondary student success and outcomes. This big data collection introduces heightened security and privacy concerns that reduce to three overarching themes:

  • Volume: the amount of data collected and the number of records collected about any one individual.
  • Sensitivity: the level of discretion required in handling the data elements collected, and the potential variations between different systems.
  • Access: who is permitted to look at big data collections (as well as the underlying IT systems) for the purposes of querying the larger collection.

These themes appear in many of the information security and privacy risks that IT practitioners will be asked to address in the national postsecondary education data infrastructure, such as:

  • The volume of personal data collected and stored by multiple parties, and the sensitivity of such data as a whole
  • The widespread availability of personal data collected and stored (and near-global availability through the Internet)
  • The range of complex analytics that can be performed against the personal data collected and stored, and trends about individuals or groups that we can learn through such analytics
  • Technological concerns in implementing security best practices in varied infrastructures with no common baseline configuration
  • Complex and multiple data collection activities that users (i.e., students) are expected to participate in and understand
  • Threats to data security and privacy from internal and external sources

These risks must be considered in context in order for any large data collection system to be effective. As IT leaders know, there is no one-size-fits-all formula that ensures the security and privacy of all data moving within an IT ecosystem. A holistic approach that follows information security and privacy best practices to reduce risk is essential. Organizations participating in the national postsecondary education data infrastructure must use a risk management methodology to discern between different types of security and privacy risks, assess their relative criticality, and develop a plan to address them in a way that makes sense for the underlying organization.

Recommendations

Providing reliable data to students, parents, administrators, faculty, policymakers, and others interested in student outcomes and ensuring the security and privacy of those data are not mutually exclusive. The following four recommendations work together to form a framework for ensuring effective information security and privacy protections within the national postsecondary education data infrastructure ecosystem:

  1. Adopt a risk-based approach to understanding information security and privacy threats and vulnerabilities. Regardless of the national postsecondary education data infrastructure solution or its architecture, stakeholders must understand the information security and privacy risks that could affect any system's ability to provide stakeholders with the information needed to improve student outcomes. After practitioners have assessed the risks, they can apply information security and privacy controls to address that risk and to secure the IT systems, and the data within those systems, that constitute the national postsecondary education data infrastructure.
  2. Establish and adhere to a baseline set of information security protections. These protections are necessary to safeguard the data collected, processed, stored, and transmitted within the national postsecondary education data infrastructure. If a set of standards is not otherwise required by state or federal law (for example, the use of NIST Special Publication 800-53 to implement controls to protect federal IT systems), then at a minimum the controls implemented must be based on the risks inherent in the different systems within the ecosystem.
  3. Establish and adhere to a baseline set of privacy standards. Protecting student privacy within the national postsecondary education data infrastructure requires adopting a guiding set of privacy principles. Adopting these principles before a national effort is undertaken would provide the best privacy solution for students. At a minimum these principles should require that (a) individuals receive notice and provide consent before data are collected; (b) institutions and other organizations only collect the minimum data needed to answer the critical questions used to feed the key student outcomes measures; and (c) institutions and other organizations only use collected data for the purposes for which they were originally collected or for purposes otherwise permitted by law.
  4. Implement a collaborative governance structure. A governance structure that ensures the data collected within the national postsecondary infrastructure supports the necessary measures and metrics and answers stakeholders' questions is essential. This governance structure can also be used to review the data available within the ecosystem and ensure its protection. In addition to defining data ownership and stewardship practices and advising on information security and privacy best practices and baseline requirements, a governance entity could consider how best to train users on these systems and communicate the benefits of concerted data sharing and analytics.

Students, institutions, and policymakers need better information about postsecondary education. Better data, retrieved through existing initiatives and future improvements, are required to provide the meaningful information about student outcomes that these stakeholders need most. In considering the optimal ways to meet these data needs, it is imperative that conversations include how to best protect student privacy and ensure the security of data used throughout the national postsecondary data system.

EDUCAUSE Cybersecurity Initiative Resources and Community

The Cybersecurity Initiative is led by the Higher Education Information Security Council (HEISC) whose mission is to support higher education institutions as they improve information security governance, compliance, data protection, and privacy programs. The HEISC Information Security Guide: Effective Practices and Solutions for Higher Education and community discussion lists can help you take action on the recommendations in this article.

Notes

  1. Here, the term "ecosystem" refers to the different national postsecondary education data infrastructure reform options and the underlying IT systems, including federal, state, local, and/or institutional, that exist to collect, store, transmit, and analyze data within and across each option.
  2. See Mamie Voight, Alegneta A. Long, Mark Huelsman, and Jennifer Engle, "Mapping the Postsecondary Data Domain: Problems and Possibilities," Institute for Higher Education Policy, March 2014; and Jennifer Engle, "Answering the Call: Institutions and States Lead the Way Toward Better Measures of Postsecondary Performance," Bill and Melinda Gates Foundation, February 2016.
  3. Societal notions of privacy stem from the U.S. Constitution, particularly the Fourth Amendment, which protects individuals against unreasonable government searches and seizures. This notion is also present in federal laws that seek to place limitations on how government agencies can use data.

Joanna Lyn Grama is director of Cybersecurity and IT GRC Programs for EDUCAUSE.

© 2016 Joanna Lyn Grama. This EDUCAUSE Review article is licensed under the Creative Commons BY-NC-SA 4.0 International license.