Colleges and universities collect and analyze student data to better serve them. However, institutions need to be aware of new regulations that affect the ways this personal data can be handled. New regulations in the European Union are already impacting higher education institutions that recruit and enroll EU citizens, and more domestic legislation regarding data protection is likely in the near future. These regulations, as well as a shifting mindset about data privacy, are creating an urgent need for U.S.-based colleges to redesign their data collection and sharing processes to ensure they safeguard student information.
New Data Privacy Laws
You might have read about GDPR, which stands for General Data Protection Regulation. Although this European Union data privacy regulation went into effect in May 2018, many U.S. institutions are still working out how to comply with the law, which strictly protects the personally identifiable information (PII) of EU citizens and EU residents. If your institution currently markets to potential students who are EU citizens or residents—or intends to do so in the future—it must be GDPR compliant. Penalties are quite high for non-compliance.
Compared to Europe, the U.S. attitude toward data privacy and management has been rather relaxed. Things like cookies in web browsers and marketing emails are fairly common and taken in stride. But the introduction of the GDPR is a much-needed wake-up call for institutions to finally identify exactly what kind of student data is being captured, how it’s being captured, who has access to it, and where it’s stored. In a time in which consumers are demanding more transparency, students will soon expect higher education institutions to be able to provide this information.
Although GDPR compliance can be an overwhelming process, understanding the ins and outs of this European regulation serves as necessary preparation for forthcoming data privacy laws originating within the U.S., such as the California Consumer Privacy Act, which takes effect in January 2020, and other impending federal-level laws. In addition, countries such as Japan, China, and Australia have amended data privacy laws as a method of strengthening them or have begun enforcing them more consistently.
Changing Public Opinion on Sharing Data
In the U.S. and around the world, serious data breaches (SQL injection attacks among them) and data-sharing scandals have unfortunately become more frequent, and consumers are frustrated to find out that companies they’ve long trusted share or even sell personal data.
A Pew Research Center survey from 2014 found that 91 percent of Americans felt they had “lost control over how personal information is collected and used by all kinds of entities,” while 61 percent of Americans wanted to do something more to protect their privacy.
Millennials and Gen-Z Are Savvy Consumers When It Comes to Cyber Risks
No wonder there’s been increasing pressure on U.S.-based institutions to be more accountable and transparent with the data they are collecting from students. It’s not just the computer science students—all students are incredibly tech-savvy now and realize that any personal information they offer to a university could be mishandled.
To gain the trust of current and potential students, your institution needs to invest the time and resources to put in the required safeguards to conform to new data privacy laws. Announcing this important update, on social media for example, shows students and their parents that your college is respecting the need for greater student data privacy and has taken a proactive approach to embrace fairness and integrity as an educational institution.
How Do Colleges and Universities Protect Student Data?
Although GDPR is aimed at EU students, U.S.-based students will also benefit when rigorous data protection at educational institutions is built in by design.
Data collection and data sharing processes are complex, so it’s no surprise that over-sharing student data or unintentional sharing with outside parties is a common challenge for colleges. But to achieve GDPR compliance, your college will have to prove that it’s taken every step possible to secure student data privacy, from information in databases and paper files to hosted email exchange systems. That includes knowing exactly who has access to student data, whether it’s a vendor supporting the university LMS or a subcontracted content provider—and showing that these outside parties, if they do indeed require access, also have the same strict technical safeguards in place.
Is your college collecting especially sensitive information from students, like religious beliefs, health information, race and ethnicity, genetic information, or sexual preference? If so, you will be held to a higher standard by the GDPR.
It can be intimidating to make sense of GDPR, but if your college is already attuned to the requirements of FERPA (Family Educational Rights and Privacy Act), you will have a head start. There is a wealth of information about data privacy laws online at sites such as the UK’s Information Commissioner’s Office (ICO), Privacy Matters, and datonomy, as well as in books such as Preventing Data Privacy Disasters.
When you’re ready to get started, your college’s information security office will need to make a plan to assign resources and perform an inspection, such as a DPIA (Data Protection Impact Assessment), to do the necessary discovery work and uncover exactly how data is captured, transferred, stored, and accessed. You’ll have to document all data workflows, system integrations, and security protocols in place; identify gaps and risks to be addressed; make an audit of system permissions; and review contracts and policies. Once this is complete, you’ll be able to execute the necessary changes (and train staff to understand these changes) that will reassure your students that their personal information is in safe hands.
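The discovery work described above (inventorying where student data lives, flagging the especially sensitive categories, and checking who, including outside vendors, can reach it) is easier to keep honest when it is recorded as structured data and checked automatically. The following is an added, illustrative example written for this article; it is not a tool the article, the ICO or any institution provides. The inventory it runs over is constructed sample data, the field and principal names are hypothetical, and the severity rules are a simple starting point, not a statement of what GDPR or FERPA require.

```python
"""Added example: a small DPIA-style inventory check over a constructed data inventory.

Each data store records which fields it holds and which principals (internal roles
or third parties) have been granted access. The audit raises findings for
special-category data, third-party access without documented safeguards, third
parties that can reach special-category data, and undocumented data workflows.
"""
from dataclasses import dataclass
from typing import Dict, List

# The sensitive categories the article calls out (hypothetical field names).
SPECIAL_CATEGORIES = {
    "religious_beliefs", "health", "race_ethnicity",
    "genetic", "sexual_orientation",
}


@dataclass
class Grant:
    principal: str                      # role, team, or vendor holding access
    third_party: bool = False           # outside the institution?
    safeguards_documented: bool = True  # contract / safeguards reviewed?


@dataclass
class DataStore:
    name: str
    fields: List[str]
    grants: List[Grant]
    workflow_documented: bool = True    # capture/transfer/storage path written down?


def special_fields(store: DataStore) -> List[str]:
    """Return the store's fields that fall into a special category, sorted."""
    return sorted(set(store.fields) & SPECIAL_CATEGORIES)


def audit_store(store: DataStore) -> List[Dict[str, str]]:
    """Produce a list of findings (store, severity, issue) for one data store."""
    findings: List[Dict[str, str]] = []
    special = special_fields(store)

    if special:
        findings.append({"store": store.name, "severity": "HIGH",
                         "issue": "special-category data present: " + ", ".join(special)})

    for g in store.grants:
        if g.third_party and not g.safeguards_documented:
            findings.append({"store": store.name, "severity": "HIGH",
                             "issue": f"third party '{g.principal}' has access "
                                      "without documented safeguards"})
        if g.third_party and special:
            findings.append({"store": store.name, "severity": "HIGH",
                             "issue": f"third party '{g.principal}' can reach "
                                      "special-category data"})

    if not store.workflow_documented:
        findings.append({"store": store.name, "severity": "MEDIUM",
                         "issue": "data workflow not documented"})
    return findings


def audit(stores: List[DataStore]) -> List[Dict[str, str]]:
    """Run audit_store over the whole inventory and flatten the findings."""
    return [f for store in stores for f in audit_store(store)]


# Constructed sample inventory (not real systems, vendors, or data).
SAMPLE_INVENTORY = [
    DataStore(
        name="student_information_system",
        fields=["name", "email", "date_of_birth", "health", "religious_beliefs"],
        grants=[Grant("registrar"),
                Grant("lms_vendor", third_party=True, safeguards_documented=False)],
    ),
    DataStore(
        name="lms",
        fields=["name", "email", "grades"],
        grants=[Grant("faculty"),
                Grant("content_provider", third_party=True, safeguards_documented=True)],
    ),
    DataStore(
        name="paper_admissions_files",
        fields=["name", "race_ethnicity"],
        grants=[Grant("admissions")],
        workflow_documented=False,
    ),
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"[{finding['severity']}] {finding['store']}: {finding['issue']}")
```

Run as a script, it prints one line per finding; in practice the inventory would be loaded from the spreadsheet or register the information security office maintains, and the findings list becomes the gap-and-risk section of the DPIA. Keeping the rules in code means a re-run after a contract review or a permission change shows immediately which findings were closed.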