Safeguarding Data Privacy for Students and Staff
Published by: WCET | 8/17/2023
August is Data Protection, Privacy, and Student Agency month here at WCET. This month we’ve set our focus for events and resources on the importance of cybersecurity and data protection. Today’s post, from WCET’s own Rosa Calabrese, zeros in on the importance of ensuring data security and privacy for our students and staff.
Continuing this theme, we’ll be releasing (exclusively to our members) a WCET Closer Look on these topics plus hosting a WCET member-only Closer Conversation later this month (Protecting Privacy in a Digital World, August 25, 12:00 PM – 1:00 PM MT).
Enjoy the read,
Lindsey Downs, WCET
I recently graduated from a master’s program where I completed an MS in Technology, Cybersecurity, and Policy. To share elements of what I learned during my program, I authored several other posts for Frontiers about important aspects of cybersecurity, such as bias in technology, information security, passwords, and phishing.
In this post, I want to dig into the topic of data privacy, which is both closely linked to, and distinctly separate from, many other topics around information security. Data that is breached (an all too common event in higher education today) because it is not adequately secured can pose major privacy issues for people whose data winds up on the dark web. However, privacy risks also emerge when excessive data is collected, when individual data is identifiable, and when data is shared between multiple parties without the permission of the individual (even if the data is not breached).
Privacy is a concept that exists outside of technology. It was discussed well before the invention of modern tech and the practice of big data collection. For example, before data collection became what it is today, privacy existed in the sense that citizens could keep their lives private from the government. However, there were perhaps fewer risks in those days, and fewer ways that privacy could be violated.
Today, privacy is more important and less accessible than ever before because of the way that our lives are tracked online through the websites we use, the information we voluntarily put online, our geolocations, and all the other data that is collected, traded, and sold between multiple corporate and government entities.
Have you ever been told (or even said yourself) that we shouldn’t mind that our information is tracked or huge amounts of data are collected because we have nothing to hide? Why does it matter if your information is tracked and collected?
This argument seems to be losing some popularity as the risks become clearer and the enormous number of threat actors becomes apparent. However, apathy resulting from helplessness in the face of large data collection and few privacy regulations is still quite common.
Essentially, with an infinite number of potential actors and an ever-changing view of what information is meaningful and why it matters, the need for privacy is only becoming more important. Government regulations and policing practices create privacy risks that may disproportionately impact some groups of people, such as immigrants, individuals seeking transgender healthcare, or people accessing abortions. While some privacy risks are greater outside of higher education, many privacy risks are equally important within this industry and pose a significant threat to students. Higher education officials must do their best to support and protect students from experiencing harm due to a failure to protect privacy now or in the future. It is our responsibility to protect our students’ data, but also to teach students how to care for their own privacy.
Institutions are obligated by law to meet certain data protection standards, such as those related to FERPA and HIPAA. As relevant, institutions sometimes need to meet locational privacy policies as well, such as GDPR (when students in the EU are being served).
However, beyond the requirements stated in law, there is much more that institutions can do to support their students, promote privacy for all, and ultimately foster institutional trust.
To understand data privacy, it is first important to understand the types of data that can be collected, as some data is more sensitive than others.
Personally identifiable information, or PII, is information that can identify individuals. PII includes social security numbers, of course, but also includes things like names, addresses, birth dates, email addresses, phone numbers, and biometric data. Data that does not need to be connected specifically to an individual can be collected without PII and be anonymized to maintain privacy.
Another important element of privacy relates to how data is processed. Multiple data sources about an individual are often tied together or compiled in a way that creates a large treasure trove of data on each person. On the web, this can be done through cookie trackers, for example, which tie together an individual’s browsing data from many places. Institutions can also compile many data sources on an individual, especially if students are required to use many different systems that are all tied to them through their institutional email or student ID.
When PII gets into the mix of compiled data, even less sensitive and specific data points can become identifiable to an individual as well. As a result, data collection becomes riskier for the individual as more pieces of data about them are collected and compiled together. Even if one data point, like, say, an assignment grade or a username on an elearning platform, is not personally identifiable, it could become personally identifiable if it is tied to other data that includes PII.
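The linkage effect described above, as an added example that is not part of the original post: two constructed record sets share a student ID, so joining them attaches a name and email to every grade. The per-system keyed pseudonym shown as a mitigation is a common technique assumed here, not one the post describes, and the secrets, names, and records are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: two campus systems keyed by the same student ID.
REGISTRAR = [  # contains PII
    {"student_id": "S1001", "name": "Avery Example", "email": "avery@example.edu"},
    {"student_id": "S1002", "name": "Blake Sample", "email": "blake@example.edu"},
]
LMS_GRADES = [  # no PII on its own
    {"student_id": "S1001", "assignment": "Essay 1", "grade": 71},
    {"student_id": "S1002", "assignment": "Essay 1", "grade": 94},
]

def link(records_a, records_b, key):
    """Join two record sets on a shared key, as a data compiler would."""
    index = {r[key]: r for r in records_a}
    return [{**index[r[key]], **r} for r in records_b if r[key] in index]

def pseudonymize(records, key, secret):
    """Replace the shared identifier with a keyed hash unique to one system."""
    out = []
    for r in records:
        token = hmac.new(secret, r[key].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({**r, key: token})
    return out

def demo():
    # With a shared ID, every grade becomes tied to a name and email.
    linked_raw = link(REGISTRAR, LMS_GRADES, "student_id")
    # With per-system secrets (hypothetical values), the IDs no longer match.
    reg = pseudonymize(REGISTRAR, "student_id", b"registrar-secret-placeholder")
    lms = pseudonymize(LMS_GRADES, "student_id", b"lms-secret-placeholder")
    linked_pseudo = link(reg, lms, "student_id")
    return linked_raw, linked_pseudo

if __name__ == "__main__":
    raw, pseudo = demo()
    print("identifiable grade rows with shared ID:", len(raw))
    print("identifiable grade rows with per-system pseudonyms:", len(pseudo))
```

This is pseudonymization rather than anonymization: anyone holding a system's secret can recompute its tokens, so the secrets need the same protection as the PII itself.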
A final important topic around data collection is the question of when and how data is destroyed (“destroyed” being the more adequate term than “deleted,” as data that is deleted can sometimes be recovered, so sensitive data must be completely destroyed to absolutely prevent future access). There are several important questions to ask about institutional policies around the destruction of data, such as:
Students, staff, and faculty alike can face many harms when their data is not kept adequately private. While institutional data often revolves around students, employees such as faculty and staff can also be vulnerable to data collection, and as a result to privacy threats, that stem from their employment data. One of the most obvious risks to all people at an institution is that their data (including PII) could be breached in a cyberattack, and that their personal information subsequently arrives on the dark web, creating continuous potential problems related to identity theft. However, private corporations, government entities, law enforcement, other higher education institutions, and potential employers can all play roles in creating harm for students and employees whose data is not protected.
Harms against the individual that emerge from loss of privacy can include loss of employment opportunities, loss of money, or legal repercussions. Alternatively, individuals may experience poor mental health or compromised relationships. The harms can be mild or severe; and they can potentially follow individuals for years. Once privacy is lost, there is little that can be done to repair the damage that has been done.
There is a lot of data already being collected and stored by institutions. In some ways, it can feel like the situation is already out of control. However, there are many things that institutions can and should be doing to repair their management of data privacy if it is not already under control:
Ultimately, individuals need to have more authority over their own data, how it is used, and when it is destroyed. Protecting this right can be advantageous to institutions of higher education as well because doing so will promote trust and create ongoing secure relationships between current and former individuals and the institutions themselves.