Privacy and Organizational Analytics

min read

Michael Corn, Deputy CIO, Brandeis University

The floodgates are opening on organizational analytics and I worry that privacy is going to drown in the deluge. By organizational analytics, I'm referring to using the techniques of data mining and big data to look at ourselves, both operationally and from a mission perspective — how our students are doing, how effective our teaching is, and how our administrative support of the mission intersects with outcomes. This includes everything from fundraising to successfully competing for grants.

Usually discussions of analytics begin with student outcomes or advising systems. (If you haven't seen it yet, there was a fine summary of the risks related to IPAS systems, including privacy concerns, coming out of a one-day EDUCAUSE summit on the topic last year.) Much of the conversation around student outcomes focuses on student activity while interacting with campus learning management systems (LMSs). Everything from page views to time spent logged into the system is fair game.

However, once we start exploring the idea of data analysis and open the door to "user in system" interactions, it's easy to imagine other data sources beyond the LMS. Why not library borrowing patterns from circulation records? What if we looked at the overall pattern of network activity — are underachievers spending more time on Netflix than overachievers? If we're going to develop systems that recognize at-risk students, it seems like we might need to develop baselines for an entire range of interactions with our university ecosystems.

How about faculty effectiveness? Surely there is at least a loose coupling between student success and the quality of instruction. It's well understood that students will find their own pathways to useful online material; perhaps we can monitor network usage during lectures to see which instructors are captivating their students and which are driving them outward.

Perhaps this is far-fetched, another crazy idea, say like capturing the metadata for every cell phone call for the entire country. Yet technology and the lure of big data analytics are compelling precisely because they make what seems like a crazy idea completely achievable.

The position I want to argue for here is not that we shouldn't pursue these opportunities — they are exciting and highly rewarding — but that we must recognize the significance of the privacy concerns, which shouldn't be casually dismissed under the banner "Don't worry, we'll anonymize."

We should avoid falling into the trap of believing that our community members are used to or already have traded their privacy for services such as Google or Facebook. I can't imagine a more inaccurate and corrosive attitude towards students and student privacy.

The well-known Pew study from 2013 found that teens actively engage in curating their privacy using the tools provided to them on social media sites. While many (if not most) millennials, who were born digital, were using these services before being capable of understanding the privacy risks, the instinct for privacy seems innate (or not?). Even in the highly permeable world of social media we value our privacy and are active agents in maintaining it.

However the relationship between the average consumer of social media and cloud services is radically different from that of a student to a university.

Google is an instructive example. Google offers you a host of free services, from the ubiquitous Gmail to unlimited storage. Google defines the Silicon Valley boom, the 21st century gold rush. Of course, when we all initially flocked to Google, we were generally unaware of the information-for-service transaction occurring. It's not even clear that Google itself fully understood the extent of what it had forged; users were merely targets for advertising. Indeed, how many of us gave talks six or seven years ago where we felt compelled to inform people that "you are the product"?

The effect of naively diving into Google's services may have been an inadvertent loss of privacy, but I think it's disingenuous to say that people consciously traded their privacy for these services. It would be more accurate to say that individuals have a dual relationship with Google and privacy. On one hand, they (increasingly) understand and manage their visible privacy — how their friends, colleagues, and the public interact with their information. On the other, they have a more nebulous relationship with Google itself in that the data mining activities are generally invisible to the user.

As institutions of higher learning, we enter into a kind of pact with our community. The vast amount of confidential information we collect in the administration of the educational mission will only be used in advancing that mission. Yet despite remaining true to that, we must avoid the dark side of the force. Even when used for powerful and effective management of our institutions and in support of student achievement, a few core privacy principles need to be established early in any analytics program. I would encourage every member of our community to celebrate Data Privacy Month by discussing privacy with regard to your organizational analytics program. An excellent starting point is the material available on the EDUCAUSE Data Privacy Month page

An organization's posture towards privacy says a lot about an organization's health. Transparency and respect should be cornerstones of our higher education community.

© 2015 Michael Corn