Promising Practices
Education and awareness are key. When trying to reach students, faculty, and staff across a decentralized or siloed institution, finding ways to educate and raise awareness of privacy across the community is essential.
Institutions need to ensure students know their rights and can make informed decisions about the use of their data. One of the easiest and most direct methods is to integrate privacy and security training into student orientation each year. As privacy legislation and institutional policy continue to evolve and grow, students will need to be updated. Additionally, the privacy professionals we interviewed recommended that institutions prioritize making privacy training and other campus-wide privacy resources available on demand in a centralized location.
Make an effort to be seen as an enabler, not a blocker. Privacy professionals commonly reported having to work hard to change the minds of other institutional members, such as researchers, data analysts, or faculty, who tend to see privacy and privacy professionals as a roadblock in the path to the work they want to get done. As mentioned previously, it is important to have conversations with these members and work with them to help them better understand how privacy considerations can help everyone involved.
Privacy professionals should also work to ensure that supporting resources are in place before releasing new privacy policy. Having those resources in place can help provide departments or staff with the tools they need to adapt to the new policy and meet any new requirements. This can take the form of a website with supporting documentation and suggestions, or on-demand training that staff can access to help them accomplish any requests or conditions from the new policy.
Another way privacy professionals increase privacy discussion and awareness across their institution is by creating structures to address both operational and strategic privacy questions. One recommended approach is the creation of a privacy and data protection board to set strategic direction and guide operational policy development and management decision-making. Such a board should be filled with faculty, administrators, and even students to provide a wide range of input on values and ideas. The creation of a structure like this can show how privacy is crucial to the well-being of the campus community and culture while also forming a thoughtful approach to privacy and managing data protection needs.
Standardized risk assessment helps everyone. Both new and old privacy offices in higher education will need to conduct privacy and security risk assessments, both within an institution, when people and offices are working with PII, and with outside vendors and third-party solution providers that also require data access to fulfill their services. With this need in mind, EDUCAUSE has developed the Higher Education Community Vendor Assessment Toolkit (HECVAT) with the help of numerous institutional members and privacy leaders. The toolkit provides a questionnaire framework specifically designed to measure vendor risk, including privacy-related questions to ensure that solution providers have the proper policies in place to protect institutional information and PII.
From the solution provider side, once they complete the HECVAT, they can share their score in REN-ISAC's Community Broker Index, and that assessment can be accessed and used by multiple institutions, easing the process of procurement and approval for all parties. And after solution providers have gone through the HECVAT process once, they will be able to more easily answer common questions about their data needs and policies in the future.
Connect to the privacy community. The higher education privacy community is full of passionate and engaged people who believe in the value that privacy can bring to higher education institutions. These are people who put in time and effort to create resources that they will share freely, have discussions, and offer guidance based on their experience and expertise. Reaching out to other members of the community can help save time and resources that might be spent re-inventing what someone else has already created and shared. For example:
- The University of Michigan has made a number of privacy resources accessible to the public and will be fully releasing its dashboard for students' personal data, based on the current easy-to-use guide ViziBLUE, in January 2021.
- Ann Nagel at the University of Washington has put together a useful website explaining her institution's approach to privacy.
- The University of Pennsylvania maintains a website offering user-friendly information and guidance on privacy practices, policies, and tips.
These are just a few of many resources available online from institutions that have spent years developing their privacy programs and policies. Privacy professionals may want to consider connecting with other institutions and privacy professionals within state or regional borders, as these peers will have experience dealing with the same local laws, in addition to experience working within similar community cultures and contexts. The California State University system, for example, has a large privacy group that meets regularly to discuss recent and upcoming privacy issues that pertain specifically to their state context and needs.
EDUCAUSE also maintains two privacy community groups that connect privacy professionals and focus on privacy issues and challenges in higher education: the larger Privacy Community Group that anyone can join, and the invitation-only Higher Education Chief Privacy Officers Community Group.