The Evolving Landscape of Data Privacy in Higher Education
In the EDUCAUSE 2020 Top 10 IT Issues report, higher education technology leaders selected privacy as the second most important issue behind information security, signaling the growth of data privacy as a top priority over the past few years. We're entering a new frontier of privacy, with more questions and concerns arising surrounding gathering student data for contact tracing and analytics. At the same time, privacy professionals must balance their time and efforts to meet demands to manage compliance across campus operations as institutions work to adhere to the European Union's General Data Protection Regulation (GDPR) and other legal requirements and regulations. It is now more important than ever to examine the privacy landscape in higher education.
A growing number of privacy offices and full-time privacy positions are opening up across higher education institutions, but many institutions still have work to do in developing and/or improving their privacy policies and practices. In the summer and fall of 2020, EDUCAUSE and Huron partnered on a research project to learn from institutional privacy professionals about the current state of data privacy in higher education. In particular, this research explored the various ways data privacy is managed; examined recent privacy legislation and privacy issues that have arisen during the COVID-19 pandemic; and sought to uncover some of the biggest challenges and most promising paths forward for data privacy in higher education.
Through a survey of privacy professionals and in-depth interviews with more than twenty privacy leaders from a variety of higher education institutions—including research institutions, smaller colleges, and community colleges—the research summarized in this report provides a comprehensive and in-depth view across the current landscape of data privacy and highlights opportunities for improved practices and policies that may be available to higher education, technology, and privacy leaders.
Data privacy is still in a state of growth and evolution in higher education, and this study highlights ways higher education, technology, and privacy leaders can develop and advance their own privacy programs and policies. Efforts to move toward compliance with current and future privacy legislation can pave the way for additional discussions involving institutions' ethics and community principles. And as institutions build and define their privacy programs and further develop their resources and services, students, faculty, and staff will gain a better understanding of what data privacy means for higher education and how to incorporate that understanding in their work and interactions with each other.
- CISOs struggle to devote sufficient time to both privacy and security. Privacy duties are often added to the other job duties of an institution's chief information security officer (CISO), but these individuals can rarely dedicate more than a small portion of their time to building privacy programs. Institutions should aim for creating full-time privacy positions to manage the variety of privacy concerns that exist in higher education today.
- Contact-tracing data needs privacy attention. As institutions continue to collect and store personal data to ensure a safe and secure presence on campus, privacy professionals should be consulted to help institutions be transparent about their data processes and to ensure that individuals' privacy is safeguarded.
- The best approach to compliance is continuous improvement. New privacy laws and regulations continue to arise, and conversations need to take place to discuss proper data collection and use. A key factor in achieving progress and results for a privacy office is continually engaging in assessments and conversations with groups across the institution.
- Students are not well informed about how institutions use their data. In EDUCAUSE's 2020 student survey, about half of students said they don't understand how their institution uses their personal data. Institutions need to ensure students know their rights and can make informed decisions about the use of their data.
- Human resources are lacking for privacy offices. Additional staffing was the number-one resource desired by privacy professionals. Additional staff can enable more time for contract reviews, high-level privacy conversations, and the creation of more privacy resources and trainings for students, faculty, and staff.
Access additional materials, including an infographic, on the EDUCAUSE/Huron project research hub.
© 2020 EDUCAUSE. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.
Sean Burns. The Evolving Landscape of Data Privacy in Higher Education. Research report. Louisville, CO: ECAR, November 2020.