Data Privacy Reforms
Legislative activity surrounding data collection and protection have become more common in the US following the passage of General Data Protection Regulation (GDPR) in Europe. The GDPR aims to give control to individuals over their personal data and has served as an inspiration for other privacy acts such as the California Consumer Privacy Act (CCPA). This law allows any California consumer to demand to see all the information that a company has saved about them, as well as a list of all third parties that that data is shared with.
The International Association of Privacy Professionals (IAPP) reports that state-level momentum for comprehensive privacy bills is at an all-time high after the CCPA passed in 2018, however the US lacks data privacy legislation at a federal level. While data privacy regulation reform is promising, there appear to be voids in reform efforts specifically pertaining to higher education institutions. This article will explore some of the obstacles that higher education institutions are experiencing and argue for increased institutional scrutiny to protect student data privacy.
FERPA
The Family Educational Rights and Privacy Act (FERPA) was adopted in 1974. FERPA governs the maintenance and disclosure of student records. FERPA applies to all educational agencies or institutions that receive federal education funds directly, via grant, or indirectly through students, such as when students are awarded federal financial aid. FERPA applies to “education records.” Education records must consist of some personally identifiable information captured by various ranges of media and maintained by the school Although FERPA does govern directory information, schools may release such information without consent as long as adult students have been notified and have not objected.
Innovative Uses of Student Data
Drew Harwell of The Washington Post reports that colleges are turning students’ cell phones into surveillance machines, tracking the locations of hundreds of thousands. Harwell reports that short-range phone sensors and campus-wide Wi-Fi networks are empowering colleges to track hundreds of thousands of students more precisely than ever before and that dozens of schools now use such technology to monitor students’ academic performance, analyze their conduct or assess mental health. This type of data collection raises many questions, such as: Does this fall under FERPA guidelines or is it a nuanced approach that is only shared internally? Is student location data considered to be “educational records” protected by FERPA? Are the vendors who are providing the tracking software university employees or third-party contractors? Fortunately, many universities are now recognizing the challenges and risks to protecting data and are hiring dedicated privacy staff.
Designating a Chief Privacy Officer
The trove of data being acquired requires management and governance to comply with law and to meet stakeholder expectations. Privacy risk may materialize as bad publicity as well as lawsuits and administration’s time and energy being spent on incident response. From a privacy perspective, leading schools are realizing that new technology and the new privacy landscape requires proactively managing student data. Sydney Johnson of EdSurge reports that there has been a shift in the for-profit higher education sector in regards to designating chief privacy officers (CPO), (especially within the last two years), and that this shift is largely due to the regulatory changes involving the CCPA. Additionally, EdSurge reports that while the number of CPO’s has slowly increased over the years, it is still far more common on campuses to have someone in the CISO role. Privacy advocates stress that both are often necessary in today’s tech ecosystem. Why is it important to have a CPO? Schools that fail to comply with FERPA risk losing federal funding. While CCPA will not be driving privacy regulations at non-profit universities, for-profit universities do fall under these guidelines. These new regulations serve as a sign of increasing public privacy awareness and of new privacy rules to come.
Vancord can help! By engaging Vancord to perform a privacy risk assessment or act as a virtual privacy office, we can help your administrators and faculty protect student privacy rights and maintain FERPA regulations by being on the leading edge of data privacy and protection in 2020.
