As the number of data breaches that occur increases, data privacy efforts continue to ramp up across higher education institutions. In 2018 alone, there were 1,100 data breaches and over 561 million compromised consumer records. Of those breaches, nearly one million compromised records were associated with schools and institutions. In an effort to improve data security, universities will continue to rely on technology and user practices to keep data safe from hackers, and regulations like GDPR and the California Consumer Privacy Act of 2018 could lead to federal legislation in the US, necessitating innovation in higher education data privacy.
Here are some things to consider for your organization’s privacy plans:
Data Minimization and Privacy by Design
Privacy should be considered throughout the entire process of building your online programs. Developed by Ann Cavoukian, PhD, Privacy by Design has 7 foundational principles:
Privacy should be proactive, not reactive.
The maximum degree of privacy should be provided by default (meaning no action is required by an individual – if they do nothing, their privacy is still intact).
Privacy should be embedded into the system design from the start and be integral to that system without reducing system functionality.
Full-functionality should be maintained. It’s possible to provide both security and privacy.
End to end security should be in place, ensuring data are securely retained and then destroyed at the end of the process.
Operations and activities should be visible and transparent both to users and providers.
Above all, Privacy by Design is user-centric.
Vendor Selection Criteria
It’s imperative for organizations to select the right third-party vendors, especially considering that some of the highest profile data breaches in the last few years have been the fault of a third-party partner. The first step is to decide what your minimum security standards are. After those have been determined, create and put into place a policy which outlines those standards and a set of minimum requirements for your organization’s needs. Once you have a good policy, you can begin seeking out vendors, sending them questionnaires, and gathering information such as whether the vendor has a disaster recovery plan and their own clear security policies.
Maintaining Data Security while Respecting Privacy
Often organizations think that controlling access to data or simply removing identifying information (such as names and phone numbers) is enough to keep that data private. Unfortunately that’s just not the case. There are better ways to protect privacy – the best possibly being the use of statistical methods to synthesize data so that it can still be a valuable asset while being protected.
In addition to collecting and keeping only the data you need and making sure you have a disaster and recovery plan in case of a data breach, these additional methods can make the process of keeping your students’ information safe even more thorough and effective.