Not Sure If They're Invading My Privacy or Just Really Interested in Me

min read

An analysis of 2019 ECAR student and faculty data reveals that neither faculty nor students have a strong understanding of how their institution uses their personal data; faculty have less confidence in their institutions' abilities to safeguard private data than students do.

male and female figures in jacket and tie each looking through binoculars at the reader
Credit: Alexandr III / Shutterstock.com © 2019

Got data privacy? Um, maybe not.

Recent news has brought attention to the widespread misuse of users' personal data on a popular social networking site.1 Given that Facebook has more than 1.59 billion daily users (that includes you, Mom and Dad!),2 we should all be concerned about data privacy. And when we wax nostalgic about the innocence of early social media networks such as Myspace (we miss you, Tom!), we are reminded that even back then, we shared a lot of personal data, someone had to curate it, and sometimes they didn't do such a great job.3

Privacy means "safeguarding institutional constituents' privacy rights and maintaining accountability for protecting all types of restricted data."4 In 2018, the FBI issued warnings to higher education institutions about attempted hacks of online payroll accounts.5 Although data breaches in education account for a smaller proportion of all reported breaches than those in sectors such as business, health care, and government, private data are clearly now a commodity.6 Indeed, privacy came in at number three on the 2019 EDUCAUSE list of top 10 IT issues, and it's the number two issue for 2020, right behind information security strategy. Faculty and students need to be concerned about what is being collected and how it is being used.

The current generation of students, Generation Z, appears to be more concerned with data privacy and security than Millennials are.7 For example, members of Gen Z more frequently adjust privacy settings on their mobile devices and social media accounts than Millennials do.8 What are the implications of Gen Z's perspectives on information security and data privacy at a time when institutions are seeking to leverage data analytics to improve student success?9 Meanwhile, faculty data are used for employment, human resources (HR) records, and institutional analytics. What are their perspectives on the collection and use of private data?

We surveyed these two important groups of institutional IT end users—faculty and students—and examined their knowledge and understanding of institutional policies and practices surrounding the use of their personal data, as well as their confidence in the ability of their institution to safeguard personal data. Students reported a reasonably high level of confidence in their institution's ability to protect their data. However, we found that faculty and students alike generally have low understanding of how their personal data are used at their institution.

A majority of faculty (60%) understand relevant policies surrounding data use, storage, and protection (see figure 1). When faculty start to contemplate what's going on with their personal data, their understanding gets murkier. Less than half (44%) understood what personal data their institution collected on them, and even fewer (24%) understood how their institution used their personal data.

Bar chart showing the percentage of faculty respondents who disagree vs agree with each statement. I understand relevant university policies about data use, storage, and protection. Over 50% agree.; I understand what personal data my institution collects about me. Agree and disagree are about equal.;  I understand how my institution uses the personal data they collect about me. Over 50% disagree.
Figure 1. Faculty understanding of institutional data policies, collection, and use

Given that faculty are somewhat puzzled about what personal data are being collected and how those data are being used, it is perhaps not surprising that their confidence in whether personal data are being safeguarded is shaky. Since 2017, faculty confidence in their institution's ability to safeguard their own personal data, student data, and research data has declined. There was a 21 percentage-point decrease in confidence in institutional information security practices and a 17 percentage-point decrease in confidence in their institution's ability to safeguard research data (see figure 2).

line graph showing the percentage of faculty respondents who agree to each statement in 2017 vs. 2019.  All statements had a lower percentage agreeing in 2019.  I understand relevant university policies about data use, storage and protection.; I have confidence in my institution's ability to safeguard student information.; I have confidence in my institution's information security practices.; I have confidence in my institution's ability to safeguard my personal digital information.; I have confidence in my institution's ability to safeguard my research data.
Figure 2. Faculty understanding of and confidence in institutional policies and practices concerning data and security, 2017 to 2019

These declines are disconcerting since faculty attendance at institutional security training increased between 2017 and 2019, suggesting that training alone is not enough to instill confidence or understanding. That said, if faculty are attending more training than in previous years, they might have greater awareness of data security issues and therefore might be more skeptical about personal data security in light of society's increasing concerns regarding personal data.

A strong majority of students (70%) were confident in their institution's ability to safeguard their data (see figure 3). However, when looking at knowledge of institutional use of personal data, less than half of students (45%) thought they benefit from the collection of their personal data for purposes such as improved services and advising; similarly, just 44% said they understand how their institution uses personal data. This lack of knowledge might be particularly relevant for institutions that use advising technologies or analytics for student success. Gen Z views data sharing as transactional, and they expect something of value in return.10 Although students have confidence in their institutions, this is only part of the security equation for Gen Z. It might be in institutions' best interests to communicate what is being collected and how it can benefit students, particularly if schools want to leverage student data to improve student outcomes and services.11

Bar chart showing the percentage of student respondents who disagree vs agree with each statement. I have confidence in my ability to follow my institution's information security policies and procedures. Over 50% agree.; I have confidence in my institution's ability to safeguard my personal data. Over 50% agree.; I have confidence in my institution's ability to safeguard my personal digital information. Over 50% agree.; I have confidence in my institution's information security practices. Over 50% agree.; I benefit from my institution's privacy and security policies. Over 50% agree.; I understand relevant university policies about data use, storage and protection. Over 50% agree.; I benefit from my institution's collection and use of my personal data. Less than 50% agree.; I understand how my institution uses the personal data they collect about me. Less than 50% agree.; My institution's privacy and security policies impede my productivity. Nearly 50% disagree.
Figure 3. Student perspectives on institutional data policies, collection, and use

Institutional leaders should emphasize that cybersecurity practices are more than a list of rules to be followed and should explain how these practices benefit the entire campus community.12 Emphasizing the importance of student data privacy, several states have passed privacy laws that protect students' personal data. Between 2013 and 2018, a total of 35 state laws were passed that prohibit institutions of higher education from selling student data or that protect privacy and property rights to electronic communications.13 As organizations of all kinds collect ever larger amounts of personal data about users, and as data breaches (inadvertent and malicious) continue to threaten the exposure of those data, these laws will likely become more ubiquitous; as more legislation is enacted, institutions ideally will communicate to students and faculty how these laws protect privacy. Moreover, institutional data security might become as much of a selling point for students as is a seamless Wi-Fi network. As a new generation of faculty is hired, they will likely share students' views on personal data. Higher education should plan accordingly to address privacy concerns.

IT departments need to facilitate a culture of security by ensuring understanding and confidence in their institutions' security practices.14 Faculty confidence is concerningly low. And both faculty and students lack a comprehensive understanding of how their data are being used and protected. Talking to the campus community about compliance sends the message that following policies is important. Communicating to faculty and students that their data are being safeguarded can contribute to a culture of cybersecurity on campus. Ensuring that faculty and students understand what personal data are collected, how they are collected, and how they are safeguarded can reinforce the importance of institutional cybersecurity. Got data privacy? Institutions need to let you know if you do.15

Editor's note: The original version of this blog post contained errors in the data and figures and in the interpretation of the data. The current version corrects those errors, and the text has been revised to reflect those corrections.

For more information and analysis about higher education IT research and data, please visit the EDUCAUSE Review Data Bytes blog as well as the EDUCAUSE Center for Analysis and Research. For more on information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page. Access additional information security and data privacy resources through the Awareness Campaign page.

Notes

  1. Davey Winder, "Facebook Privacy Update: Mark Zuckerburg's Response to Cambridge Analytica Scandal One Year On," Forbes, March 19, 2019.
  2. Facebook, Company Info, accessed September 19, 2019.
  3. Niraj Chokshi, "Myspace, Once the King of Social Networks, Lost Years of Data from Its Heyday," New York Times, March 3, 2019; Tom Anderson was the founding president of Myspace.
  4. Susan Grajek and the 2018–2019 EDUCAUSE IT Issues Panel, "Top 10 IT Issues, 2019: The Student Genome Project," EDUCAUSE Review, January 28, 2019.
  5. Federal Bureau of Investigation Public Service Announcement, "Cybercriminals Utilize Social Engineering Techniques To Obtain Employee Credentials To Conduct Payroll Diversion," accessed September 19, 2019.
  6. "Data Breach QuickView Report," Risk Based Security, Inc., November 2019.
  7. Seventy-seven percent of students surveyed for ECAR Study of Undergraduate Students and Information Technology, 2019 are members of Generation Z,  defined as those who are 22 or younger at the time of the survey. See Michael Dimock, "Defining Generations: Where Millennials End and Generation Z Begins," Pew Research Center, January 17, 2019, for information on defining Generation Z; Gina Pingitore, Vikram Rao, Kristen Cavallaro, and Kruttika Dwivedi, "To Share or Note to Share: What Consumers Really Think about Sharing Personal Information," Deloitte Insights, September 5, 2017.
  8. Ibid.
  9. Amelia Parnell, Darlena Jones, Alexis Wesaw, and D. Christopher Brooks, "Institutions' Use of Data and Analytics for Student Success," Results from a National Landscape Analysis (2018).
  10. See, for example, Goldie Blumenstyk, "Big Data Is Getting Bigger. So Are the Privacy and Ethical Questions," The Chronicle of Higher Education, July 31, 2018; From Innovation to Expectation — How M&E Leaders Are Responding to Gen Z, research report (Los Angeles, CA: EY Global Media & Entertainment, n.d.).
  11. Martin Kurzweil and Mitchell Stevens, "Setting the Table: Responsible Use of Student Data in Higher Education," EDUCAUSE Review 53, no. 3 (May/June 2018).
  12. Thomas Skill, "The Coming Generation Z Impact on Cybersecurity," Education Technology Insights, n.d.
  13. Amelia Vance, "Privacy Laws Protecting Student Data," Security Matters (blog), EDUCAUSE Review, January 29, 2018.
  14. See the Social Proof section of Jessica Barker, "The Human Nature of Cybersecurity," EDUCAUSE Review, May 20. 2019.
  15. Nathan Fisk, "Toward an Academic Culture of Security," Security Matters (blog), EDUCAUSE Review, October 10, 2016.

Joseph Galanek is a Senior Researcher at EDUCAUSE.

Ben Shulman is a Statistician at EDUCAUSE.

© 2019 Joseph D. Galanek and Ben Shulman. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.