Got data privacy? Why campuses must explain when they do

Got data privacy? Um, maybe not.

Recent news has brought attention to the widespread misuse of users’ personal data on a popular social networking site.

Given that Facebook has more than 1.59 billion daily users, we should all be concerned about data privacy. And when we wax nostalgic about the innocence of early social media networks such as Myspace, we are reminded that even back then, we shared a lot of personal data, someone had to curate it, and sometimes they didn’t do such a great job.

Privacy means “safeguarding institutional constituents’ privacy rights and maintaining accountability for protecting all types of restricted data”.

In 2018, the FBI issued warnings to higher education institutions about attempted hacks of online payroll accounts. Although data breaches in education account for a smaller proportion of all reported breaches than those in sectors such as business, health care, and government, private data are clearly now a commodity.

Indeed, privacy came in at number three on the 2019 EDUCAUSE list of top 10 IT issues, and it’s the number two issue for 2020, right behind information security strategy. Faculty and students need to be concerned about what is being collected and how it is being used.

The current generation of students, Generation Z, appears to be more concerned with data privacy and security than millennials are.

For example, members of Gen Z more frequently adjust privacy settings on their mobile devices and social media accounts than Millennials do.

What are the implications of Gen Z’s perspectives on information security and data privacy at a time when institutions are seeking to leverage data analytics to improve student success?

Meanwhile, faculty data are used for employment, human resources (HR) records, and institutional analytics. What are their perspectives on the collection and use of private data?

We surveyed these two important groups of institutional IT end-users—faculty and students—and examined their knowledge and understanding of institutional policies and practices surrounding the use of their personal data, as well as their confidence in the ability of their institution to safeguard personal data.

Students reported a reasonably high level of confidence in their institution’s ability to protect their data. However, we found that faculty and students alike generally have low understanding of how their personal data are used at their institution.

A majority of faculty (60 percent) understand relevant policies surrounding data use, storage, and protection (see figure 1). When faculty start to contemplate what’s going on with their personal data, their understanding gets murkier. Less than half (44 percent) understood what personal data their institution collected on them, and even fewer (24 percent) understood how their institution used their personal data.

Given that faculty are somewhat puzzled about what personal data are being collected and how those data are being used, it is perhaps not surprising that their confidence in whether personal data are being safeguarded is shaky.

Since 2017, faculty confidence in their institution’s ability to safeguard their own personal data, student data, and research data has declined. There was a 21 percentage-point decrease in confidence in institutional information security practices and a 17 percentage-point decrease in confidence in their institution’s ability to safeguard research data (see figure 2).

These declines are disconcerting since faculty attendance at institutional security training increased between 2017 and 2019, suggesting that training alone is not enough to instill confidence or understanding.

That said, if faculty are attending more training than in previous years, they might have greater awareness of data security issues and therefore might be more skeptical about personal data security in light of society’s increasing concerns regarding personal data.

A strong majority of students (70 percent) were confident in their institution’s ability to safeguard their data (see figure 3).

However, when looking at knowledge of institutional use of personal data, less than half of students (45 percent) thought they benefit from the collection of their personal data for purposes such as improved services and advising; similarly, just 44 percent said they understand how their institution uses personal data.

This lack of knowledge might be particularly relevant for institutions that use advising technologies or analytics for student success.

Gen Z views data sharing as transactional, and they expect something of value in return.

Although students have confidence in their institutions, this is only part of the security equation for Gen Z. It might be in institutions’ best interests to communicate what is being collected and how it can benefit students, particularly if schools want to leverage student data to improve student outcomes and services.

Institutional leaders should emphasise that cybersecurity practices are more than a list of rules to be followed and should explain how these practices benefit the entire campus community.

Emphasising the importance of student data privacy, several states have passed privacy laws that protect students’ personal data. Between 2013 and 2018, a total of 35 state laws were passed that prohibit institutions of higher education from selling student data or that protect privacy and property rights to electronic communications.

As organisations of all kinds collect ever larger amounts of personal data about users, and as data breaches (inadvertent and malicious) continue to threaten the exposure of those data, these laws will likely become more ubiquitous; as more legislation is enacted, institutions ideally will communicate to students and faculty how these laws protect privacy.

Moreover, institutional data security might become as much of a selling point for students as is a seamless Wi-Fi network. As a new generation of faculty is hired, they will likely share students’ views on personal data. Higher education should plan accordingly to address privacy concerns.

IT departments need to facilitate a culture of security by ensuring understanding and confidence in their institutions’ security practices.

Faculty confidence is concerningly low. And both faculty and students lack a comprehensive understanding of how their data are being used and protected.

Talking to the campus community about compliance sends the message that following policies is important. Communicating to faculty and students that their data are being safeguarded can contribute to a culture of cybersecurity on campus.

Ensuring that faculty and students understand what personal data are collected, how they are collected, and how they are safeguarded can reinforce the importance of institutional cybersecurity.

Got data privacy? Institutions need to let you know if you do.

Written by EDUCAUSE Senior Researcher Joseph Galanek and EDUCAUSE Statistician Ben Shulman.

This article has been republished from EDUCAUSE Review under a Creative Commons license.

It has been adapted to suit U2B’s editorial house style. Readers may access the original version here.