Research conducted by EDUCAUSE and supported by Huron highlights ways higher education, technology, and privacy leaders can develop and advance their own privacy programs and policies.
The recently released report The Evolving Landscape of Data Privacy in Higher Education presents higher education leaders with insights and recommendations on the shifting aspects of privacy, with a goal of enabling the creation of better privacy policies, practices, resources, and conversations.
Key Findings
EDUCAUSE and Huron collaborated on this research project, drawing results from a survey of privacy professionals conducted in August, the 2020 EDUCAUSE Student Technology report, and interviews with privacy professionals at more than twenty higher education institutions. The report highlights important findings related to the ways in which institutions manage and plan their privacy policies and practices, including a focus on how privacy is managed, privacy during the COVID-19 pandemic, and privacy awareness.
Privacy Management
Privacy is managed in a variety of ways and by a variety of people at higher ed institutions, but when privacy is added to other duties, it often doesn't receive sufficient time and resources.
With the implementation of the European Union's General Data Protection Regulation (GDPR) in May 2018, as well as the introduction in recent years of other privacy-focused legal requirements and regulations, the demand for and the number of privacy professionals in higher education has grown. Many institutions are adding privacy duties to the job description of the chief information security officer (CISO), but interviews revealed that many CISOs cannot dedicate more than 10% of their time to privacy concerns due to the demanding nature of their information security responsibilities.
Among privacy leaders, the most commonly reported responsibilities were privacy incident response (e.g., determining whether personally identifiable information (PII) was compromised, identifying where the policy and procedure failed) and the drafting and proliferation of privacy policies (see figure 1). But many other responsibilities are increasingly commonplace for privacy professionals.
Privacy during the Pandemic
Many privacy concerns have arisen in 2020 due to the COVID-19 pandemic and the shift to remote working and learning. Institutions need to make sure they have privacy policies and resources in place to help staff, faculty, and students.
In our discussions with higher ed privacy professionals, interviewees highlighted several areas in which privacy policies, practices, and resources are available across the institution:
Contact Tracing
- The collection of PII to mitigate health and safety risks as people return to campus
- Educating students, faculty, and staff on what data are being collected, how the data will be used, and how the data will be managed over time
- Student, faculty, and staff use of contact tracing/symptom tracking apps
Privacy in the Home
- Staff using personal devices that might be shared with other family members
- Overhearing private meetings due to space constraints in the home
- The use of listening devices in the home (e.g., Alexa)
Videoconferencing
- Student names, backgrounds, and faces being recorded
- "Zoom bombing" or other videoconferencing management issues
- HIPAA concerns arising from moving medical services and business processes online
- Privacy concerns of online proctored exams
Privacy Awareness
Students are not well informed about how institutions use their data, but key conversations and education can improve privacy awareness across the board.
Responses from the 2020 EDUCAUSE Student Technology report concerning student data privacy highlight a large gap of understanding that institutions need to bridge between student knowledge and administrative plans and policies (see figure 2). Students are not the only ones unaware of the workings of institutional data collection and use. Privacy professionals commonly reported having to work hard to change the minds of other institutional members, such as researchers and data analysts, who often see privacy concerns as a roadblock in the path to the work they want to get done. Focusing privacy policies, resources, and conversations on enabling and educating others can show how privacy is crucial to the well-being of campus community and culture.
How Can My Institution Use This Information?
If institutional leaders understand which privacy topics and concerns need more resources and effort, as well as the factors motivating those needs, they can better develop strategic plans for the road ahead. Since privacy needs and services are still in a state of flux across higher education, campus leaders can use these data to drive the creation of additional privacy resources and policies, as well as create conversations to raise privacy awareness across the institution.
To learn more about these and other findings, check out The Evolving Landscape of Data Privacy in Higher Education research hub.
For more information and analysis about higher education IT research and data, please visit the EDUCAUSE Review Data Bytes blog as well as the EDUCAUSE Center for Analysis and Research.
Sean Burns is a Corporate Researcher at EDUCAUSE.
© 2020 Sean Burns. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.