J. Trevor Hughes, President and CEO, International Association of Privacy Professionals
Lately, a slew of research has been released about how the public perceives the digital economy's impact on their privacy. Perhaps Pew's work has been most often cited: Ninety-one percent of Americans believe they've lost control over how their personal information is collected and used by companies; 64 percent think the government needs to do more to regulate the way advertisers use personal information.
Maybe it's easy for those in the academic world to look at those numbers and think, "I'm glad I'm not in the business world! Man, they've got some data privacy issues to sort through!"
Of course, those of you reading this blog are likely forward-thinking enough to realize this research is indicative of a broadening awareness of data privacy, an awareness that extends especially to a student population that's particularly savvy about the way their data is collected and handled. Just as brands around the globe increasingly factor privacy into their marketing plans, attracting consumers by building trust around the way their data is handled, so too should universities and higher education be broadcasting the message that you care about student data and are doing everything in your power to make sure it is collected and handled responsibly.
Signs reveal this isn't always the case. Recently, we at the IAPP ran across a story out of Clemson University, involving a Title IX training gone awry. Are you using a third-party entity to conduct a survey that collects hypersensitive data from your students? Better make sure that it's clear to students why the third party is necessary and that the third party is contractually obligated to collect and store the data in a way the university dictates.
Further, perhaps it's best not to use a unique identifier for sign-in when you're promising anonymity.
I think most university CIOs and CISOs are actively working to not be the next University of Maryland. No one wants to see their student data leaked across the Internet or to suffer the very real costs of a significant data breach. Further, the privacy issues involved in research seem to me to be well documented and understood in the university setting. De-identification is of the utmost importance. However, this idea of treating the student as a consumer, and understanding the ethics of data collection and handling in areas of student life, is a relatively new topic I see emerging with more frequency.
As people responsible for data understanding in the university setting, it's incumbent on IT departments to work with groups like Admissions, Student Activities, even the various student groups like the Outdoors Club or athletic teams, to ensure that they maintain trust with students regarding handling of their data.
Everyone nowadays wants to conduct a Facebook contest or create an app or field a survey. Usually, everyone's intentions are completely benevolent. But what happens when Admissions' cool new Facebook contest uses a plug-in that asks for access to the potential student's contacts? Do they think less of the university? What happens when the football team's app collects location data without asking? Are your alumni creeped out when they check their privacy settings and see you're collecting their data?
And, well, we know what happens when student life starts surveying young people about their sexual proclivities without making sure everyone's comfortable with the collection method.
Whether you're the CIO, the CPO, or just the IT staffer, making sure the correct privacy questions are asked from the outset of a great new idea means you're doing more than just making sure the university doesn't get into hot water. You're helping create value for the university by making sure the school is seen as one that understands the digital culture in which we live today and is taking steps to make that digital culture a safe and transparent one for the students who call that school home.
© 2015 J. Trevor Hughes