Data privacy is a hot-button issue in higher education (like it is in many other industries currently). Some college and university administrators have first-hand knowledge or experience dealing with the Global Data Protection Regulations (GDPR) that went into effect in May 2018 and/or the California Consumer Privacy Act (CCPA) that went into effect January 1, 2020. But what does data privacy truly mean to administrators – especially in an age when it is common for personal information to be stored electronically?
Right to Be Forgotten
The ‘right to be forgotten’ is listed in Article 17 of the GDPR. It gives individuals the right to request that their personal data be erased, especially if the collection/processing of the data is based on consent and is being withdrawn.
However, it should be pointed out that the GDPR doesn’t require a business to automatically or absolutely remove personal data when requested. There are legitimate exceptions to these rules, such as regulatory and accreditation requirements, as well as financial transactions.
How it applies to higher ed
When it comes to data privacy in higher ed, there are two recurring statements I’ve heard on numerous occasions:
“Right to be forgotten cannot apply to US Colleges.”
“We have a regulatory requirement to keep student records in our systems.”
In the United States, there appears to be a sense that schools can require initial consent. This allows the school to use personal data in any way they choose. This can, and often does, include using the data in ways that were not disclosed to the student at the time of consent.
For example, if a former student were to ask to be forgotten, the Registrar would be justified in turning down the request for removing academic records. The justification for retaining personal data, such as name and contact information, is based on regulatory and contractual agreements. However, the school does not have any regulatory requirements that the student’s data be used in marketing campaigns and solicitations for donations. Nor are there any requirements in place for data from a person who started an application but never completed it – and never attended the school.
Consent, opt-in and opt-out mechanisms are another area of discussion that should have significant impacts on reporting and privacy functions. Many schools/companies make sure their websites or their data collection procedures document some sort of acceptance or acknowledgement that their data will be used for a specified purpose.
One concern with using “consent” as the justification for storing and processing a person’s personal data is that consent legally implies that they have the right to withdraw said consent. Do you have a mechanism to track who consented and when? If someone withdraws that consent, how do you notify everyone of the withdrawal?
Data privacy takes planning, forethought and flexibility to be effective. If there is a policy outlining how to respond to a request for data deletion, there is a greater chance that each request for deletion is handled consistently and with a specific reason.
In higher education, we need to step back, think and begin a dialog around the creation of a Privacy Inventory: a list of processes, procedures and data being touched by each department. While data at the institutional level is important, it’s just as important to look at an individual department and realize that their customers can be frustrated and concerned about their data privacy. (Given its responsibilities and the volume of data it handles, Institutional Research is probably the first department for which a Privacy Inventory should be created.)
As an institution, there should be someone who manages the risks, processes, and policies for the institution. All departments should be a part of this process. Every department at a school should really look at what personal data is being collected and used within their area of responsibility. This will then roll upwards, helping the institution identify everywhere that data is collected and used.
What should we ask?
When creating a Privacy Inventory, there are some basic questions that should be asked:
- Why is the data being collected?
- How long is it being retained?
- What is the legal justification for using it (Regulatory, Contractual, Consent, etc…)?
In the world of law and privacy there are rarely any absolutes. But there is one extremely pertinent question that should be asked about every piece of personal data an employee uses:
- After a person has notified the school that they want their information removed, deleted or at the very least not used for non-regulatory purposes, what would be your justification be for using it if asked by a judge in a court of law?
It should also be noted that identifying the academic and financial data that needs to be tied to a specific individual for regulatory and audit purposes is one of the most important factors when planning a Privacy Inventory. There should be a central policy, process or method in place for this identification.
The data privacy issue has presented higher education with an abundance of learning opportunities. As always, schools should be looking to learn better ways to utilize their data for better decisions. But maybe it’s time to sit down, plan for transparency, and begin to reflect on the bigger ethical questions. There are many legitimate reasons to collect, process, and use personal data. (Just as there are legitimate reasons to depersonalize, anonymize, and segregate data.)
The point of this blog isn’t to say we shouldn’t use personal data, but to better understand how we are using it. Organizations should be transparent and honest with consumers regarding their data and its uses. In the United States, most Americans don’t read privacy notices or even care that personal data is being used, until they find out that a company or school is misusing or selling their information. If you have a legitimate use for the data, be transparent and inform your customers how that data is being used (especially if the GDPR or CCPR applies to your institution). Even if you don’t believe it is a legal requirement for your institution yet, chances are it will be soon.
Avoid “Cross Contamination”
If you are required to keep personal data about a person for regulations, make sure there are controls in place that don’t allow others to use it. This is a must when departments use shared data sets, as with an ERP. The Department of Education says an institution needs to keep information about a student for official reporting and lawful processing. This can raise some legitimate questions, such as:
- How do we ensure that other departments don’t use that data for their own purposes?
- If an employee provides Veteran data as part of their hiring process, should the student support staff be allowed to contact them with veteran student-related communications after they’ve asked to be removed?
These are situations where, in the past, such complaints and questions have merely been annoying. But in the future, these could cost an institution money and/or reputation.
Know that, just because one department can show a Regulatory and/or Contractual justification to maintain that information, it doesn’t necessarily give other departments justification to view, process, or utilize that data. Similarly, once a student, applicant, parent or other individual notifies you that they “Do not want the school to retain, use, process their personal data or contact them about their personal data” the school must ensure that no departments share the person’s contact information with a third party marketing or media service.
Don’t Know What You’ve Got Until It’s Gone
Trust. It’s hard to get, but easy to lose. And it’s even harder to get back once it is lost!
Customers simply want institutions to do better when it comes to data privacy. What is “better?” First, it’s taking accountability when something goes wrong and data privacy has been violated. Then, it’s taking the steps to protect private data, ensure past mistakes are not repeated, and reduce the chances of ‘new’ mistakes occurring.
As a community, higher education needs to shift its way of doing things when it comes to data and data privacy. Institutions must put together a plan that shows how they use, track, and protect data – both at an institutional and departmental level. That plan must also include processes for dealing with ‘right to be forgotten’ and ‘consent withdrawal’ requests. It is an important responsibility for everyone at the institution to embrace.