August is Data Protection, Privacy, and Student Agency month here at WCET. This month we’ve set our focus for events and resources on the importance of cybersecurity and data protection. Today’s post, from WCET’s own Rosa Calabrese, zeros in on the importance of ensuring data security and privacy for our students and staff.

Continuing this theme, we’ll be releasing (exclusively to our members) a WCET Closer Look on these topics plus hosting a WCET member-only Closer Conversation later this month (Protecting Privacy in a Digital World, August 25,12:00 PM – 1:00 PM MT).

Enjoy the read,

Lindsey Downs, WCET


Privacy and Information Security

I recently graduated from a master’s program where I completed an MS in Technology, Cybersecurity, and Policy. To share elements of what I learned during my program, I authored several other posts for Frontiers about important aspects of cybersecurity, such as bias in technology, information security, passwords, and phishing.

In this post, I want to dig into the topic of data privacy, which is both closely linked to, and distinctly separate from, many other topics around information security. Data that is breached (an all too common event in higher education today) because it is not adequately secured can pose major privacy issues for people whose data winds up on the dark web. However, privacy risks also emerge when excessive data is collected, when individual data is identifiable, and when data is shared between multiple parties without the permission of the individual (even if the data is not breached).

Privacy is a concept that exists outside of technology. It was discussed well before the invention of modern tech and the practice of big data collection. For example, before data collection became what it is today, privacy existed in the sense that citizens could keep their lives private from the government. However, there were perhaps fewer risks in those days, and fewer ways that privacy could be violated.

Today, privacy is more important and less accessible than ever before because of the way that our lives are tracked online through the websites we use, the information we voluntarily put online, our geolocations, and all the other data that is collected, traded, and sold between multiple corporate and government entities. 

Privacy and Why it Matters

Have you even been told (or even said yourself) that we shouldn’t mind that our information is tracked or huge amounts of data are collected because we have nothing to hide? Why does it matter if your information is tracked and collected?

Three security cameras on a building.
Photo by Arno Senoner on Unsplash

This argument seems to be losing some popularity as the risks become clearer and the enormous number of threat actors becomes apparent. However, apathy resulting from helplessness in the face of large data collection and few privacy regulations is still quite common.

Essentially, with an infinite number of potential actors and an ever-changing view of what information is meaningful and why it matters, the need for privacy is only becoming more important. Government regulations and policing practices create privacy risks that may disproportionately impact some groups of people, such as immigrants, individuals seeking transgender healthcare, or people accessing abortions. While some privacy risks are greater outside of higher education, many of the risks of privacy are equally important within this industry and pose a significant threat to students. Higher education officials must do their best to support and protect students from experiencing harm due to a failure to protect privacy now or in the future. It is our responsibility to protect our students’ data, but also to teach students how to care for their own privacy.

Institutions are obligated by law to meet certain data protection standards, such as those related to FERPA and HIPAA. As relevant, institutions sometimes need to meet locational privacy policies as well, such as GDPR (when students in the EU are being served).

However, beyond the requirements stated in law, there is much more that institutions can do to support their students, promote privacy for all, and ultimately foster institutional trust.

Data Points, Data Processing

To understand data privacy, it is first important to understand the types of data that can be collected, as some data is more sensitive than others.

Personally identifiable information, or PII, is information that can identify individuals. PII includes social security numbers, of course, but also includes things like names, addresses, birth dates, email addresses, phone numbers, and biometric data. Data that does not need to be connected specifically to an individual can be collected without PII and be anonymized to maintain privacy.

Another important element of privacy relates to how data is processed. Multiple data sources about an individual are often tied together or compiled in a way that creates a large treasure trove of data on each person. On the web, this can be done through cookie trackers, for example, which tie together an individual’s browsing data from many places. Institutions can also compile many data sources on an individual, especially if students are required to use many different systems that are all tied to them through their institutional email or student ID.

When PII gets into the mix of compiled data then even less sensitive and specific data points can become identifiable to an individual as well. As a result, data collection becomes riskier for the individual as more pieces of data about them are collected and compiled together. Even if one data point, like say an assignment grade or a username on an elearning platform, is not personally identifiable, it could become personally identifiable if it is tied to other data that includes PII.

A final important topic around data collection is the question of when and how data is destroyed (“Destroyed” being the more adequate term that “deleted” as data that is deleted can sometimes be recovered, so sensitive data must be completely destroyed to absolutely prevent future access). There are several important questions to ask about institutional policies around the destruction of data, such as:

  • How long after a student has graduated, transferred, or left an institution is their data destroyed?
  • What data continues to be kept after a student has left and for what purpose?
  • Could the data that remains after a student has left be anonymized? (This might be useful if past student data were used to inform algorithms or institutional statistics but don’t need to be associated with an individual anymore).
  • What are your institutional or organizations policies and procedures for record retention?

Privacy Threats

"PRIVATE" sign on a door.
Photo by Dayne Topkin on Unsplash

Students, staff, and faculty alike can face many harms when their data is not kept adequately private. While institutional data often revolves around students, employees such as faculty and staff can be vulnerable to data collection and as a result, privacy threats, that come from their employment data. One of the most obvious risks to all people at an institution is that their data (including PII) could be breached in a cyberattack, and that their personal information subsequently arrives on the dark web, creating continuous potential problems related to identity theft. However, private corporations, government entities, law enforcement, other higher education institutions, and potential employers can all play roles in creating harm for students and employees whose data is not protected.

Harms against the individual that emerge from loss of privacy can include loss of employment opportunities, loss of money, or legal repercussions. Alternatively, individuals may experience poor mental health or compromised relationships. The harms can be mild or severe; and they can potentially follow individuals for years. Once privacy is lost, there is little that can be done to repair the damage that has been done.

Privacy First

There are a lot of data already being collected and stored by institutions. In some ways, it can feel like the situation is already out of control. However, there are many things that institutions can and should be doing to repair their management of data privacy if it is not already under control:

  • Audit current systems of data collection, processing, and retention to figure out how data is being handled presently.
  • Create guidelines for handling data privacy in the future, including how to manage data that has already been collected that prioritizes a privacy-first model. No need to start from scratch; you can draw inspiration from preexisting privacy frameworks such as the one created by NIST.
  • Provide information for students, faculty, and staff to read through and consent to about how data is collected, processed, and destroyed. (For example, individuals could be required to either opt-in (ideal) or opt-out of data collection after they have read about how data is handled.)
  • Create guides for the evaluation and adoption of third-party systems that will handle student data to ensure that external tools preserve data privacy.
  • Plan to audit data practices again in the future, check back with individuals, and modify policies as needed. Privacy is constantly a work in progress!
  • If funds are available, hire individuals to privacy related positions to guide privacy efforts.

Ultimately, individuals need to have more authority over their own data, how it is used, and when it is destroyed. Protecting this right can be advantageous to institutions of higher education as well because doing so will promote trust and create ongoing secure relationships between current and former individuals with the institutions themselves.

Rosa Calabrese

Senior Manager, Digital Design, WCET


303-541-0219

rcalabrese@wiche.edu

Subscribe

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 2,542 other subscribers

Archive By Month

Blog Tags

Distance Education (342)Student Success (315)Online Learning (242)Managing Digital Learning (241)State Authorization (230)WCET (223)U.S. Department of Education (215)Regulation (212)Technology (169)Digital Learning (165)Innovation (125)Teaching (121)Collaboration/Community (114)WCET Annual Meeting (106)Course Design (103)Professional Development (101)SAN (101)Access (100)Faculty (90)Cost of Instruction (89)Financial Aid (84)Legislation (83)Completion (74)Assessment (69)Accessibility (68)Instructional Design (68)Open Educational Resources (68)Professional Licensure (66)Accreditation (65)COVID-19 (64)SARA (64)Credentials (62)Competency-based Education (61)Quality (61)Data and Analytics (60)Diversity/Equity/Inclusion (59)Research (58)Reciprocity (57)WOW Award (54)Outcomes (47)Workforce/Employment (46)Negotiated Rulemaking (45)Regular and Substantive Interaction (43)Policy (43)Higher Education Act (41)Virtual/Augmented Reality (37)Artificial Intelligence (36)Title IV (36)Practice (35)Academic Integrity (34)Disaster Planning/Recovery (34)Leadership (34)State Authorization Network (33)Every Learner Everywhere (31)WCET Awards (31)IPEDS (28)Adaptive/Personalized Learning (28)Reauthorization (28)Military and Veterans (27)Survey (27)Credits (26)Disabilities (25)MOOC (23)WCET Summit (23)Retention (22)Evaluation (22)Complaint Process (21)Enrollment (21)WICHE (18)Correspondence Course (18)Physical Presence (17)System/Consortia (16)Cybersecurity (16)Products and Services (16)Blended/Hybrid Learning (15)Forprofit Universities (15)Member-Only (15)WCET Webcast (15)Digital Divide (14)Mobile Learning (14)NCOER (14)Textbooks (14)Consortia (13)Personalized Learning (12)Futures (11)Marketing (11)Privacy (11)STEM (11)Prior Learning Assessment (10)Courseware (10)Teacher Prep (10)Social Media (9)LMS (9)Rankings (9)Standards (8)Student Authentication (8)Partnership (8)Tuition and Fees (7)Readiness and Developmental Courses (7)Graduation (7)What's Next (7)International Students (6)K-12 (6)Lab Courses (6)Nursing (6)Remote Learning (6)Testing (6)Proctoring (5)Closer Conversation (5)ROI (5)DETA (5)Game-based/Gamification (5)Dual Enrollment (4)Outsourcing (4)Coding (4)Security (4)Higher Education Trends (4)Mental Health (4)Fall and Beyond Series (3)In a Time of Crisis (3)Net Neutrality (3)Universal Design for Learning (3)Cheating Syndicates Series (3)ChatGPT (3)Enrollment Shift (3)Minority Serving Institution (3)Nontraditional Learners (2)Student Identity Verification (2)Cross Skilling/Reskilling (2)Virtual Summit (2)Department of Education (2)Higher Education (2)Title IX (1)Business of Higher Education (1)OPMs (1)Third-Party Servicers (1)microcredentials (1)equity (1)Community College (1)Formerly Incarcerated Students (1)Global (1)Compliance (1)