Protect Student Data Privacy and Security After Graduation

Retention schedules, cloud storage and research data complicate student data privacy initiatives.

The more information that colleges have about their students, the better able they’ll be to help these learners succeed and graduate — and then apply those insights to benefit future classes too.

But all that knowledge comes with a big responsibility to keep student data secure and private. Graduation is an ideal opportunity to assess what to discard, what to keep and how to protect it.

Consider a learning management system, for example, which has both personally identifiable data and metadata. 

“That metadata can include how long you’re reading something or where your mouse is going,” says Sara Collins, policy counsel for the Future of Privacy Forum’s Education Privacy Project.

Both the data and metadata are valuable for research, such as understanding how students interact with the LMS, the impact on academic performance and where there’s room for improvement. 

“Some faculty may not want to get rid of that for a while,” Collins says.


Access Control Tools and Policies Support Student Data Privacy

The declining cost of on-premises and cloud storage makes it cheaper and easier than ever for faculty and staff to save that data, including as rogue IT projects — hence the importance of educating faculty and staff about the risks and responsibilities that come with data ownership, including how to store it securely and when to purge it.

An identity and access management system can help by ensuring that only authorized individuals can view graduate data, and that they can access only the specific sets that they need. 

An IAM system can be particularly valuable when disparate databases have different retention schedules. For example, some states require institutions to store health records for decades, while federal regulations necessitate storing graduates’ financial data for the better part of a decade.

“You may have to keep financial data on students who have graduated five to eight years out to make sure you have your backup information in case you get audited by the federal government,” Collins says. “So, the retention schedule for all this is incredibly different.” 

When creating retention policies and procedures, it’s important to explain how everyone benefits, even in ways they might not have considered. One example is configuring the IAM system so that the financial aid office can’t access graduates’ mental health records.

116: The number of student data privacy laws passed in 40 states since 2013. (Source: Future of Privacy Forum, “The Policymaker’s Guide to Student Data Privacy,” April 2019)

“This is the kind of project where you have to get buy-in from all the different data owners, so they understand that you’re not taking away something they need to do their jobs and that it’s there to protect them so they don’t inadvertently violate someone’s privacy,” Collins says. 

Some students go on to graduate school at another institution, while others may return years or decades later because they want to change careers. Either way, The California State University’s Graduation Initiative 2025 aims to provide them with convenient access to their data. 

“It’s aimed at how we’re helping students move more effectively not just through the system but with support post-graduation,” says Ed Hudson, CISO of The California State University. “Most of our approaches are oriented around the student still being able to access certain resources post-graduation so they can get transcripts, pay fees and stay in contact.”

CSU — which confers about 126,000 degrees annually — also has a primer to help faculty and staff understand records retention and disposition schedules and policies. It also follows the International Organization for Standardization/International Electrotechnical Commission standard 27001:2013.

“That’s our systemwide information security framework,” Hudson says. “We also treat some data in accordance with the National Institute of Standards and Technology when it’s appropriate, particularly the personally identifiable information: Social Security numbers, credit card numbers, driver’s license, financial data, healthcare.”

As a public institution, CSU also follows California’s Information Practices Act.

“That outlines what we have to do to protect data and when we have to notify an individual that there’s a breach,” Hudson says.


Cloud Storage and Research Data Pose Additional Privacy Concerns

Another rogue IT risk is when faculty members sweep data, such as student research, into a separate storage account because they’re concerned about losing it after those students graduate. In the process, it’s possible that unrelated personal files also could get swept up.

These sweeps can be a byproduct of policies that automatically purge new graduates’ data from college-provided cloud storage services such as Box and OneDrive. To avoid such problems, the University of Pittsburgh gives new graduates a checklist for securely closing down their accounts.

“If they have things in Box, we ask them to remove them, because when their account is terminated, they cannot get access to them anymore,” says CISO Joel Garmon.

However, students’ data isn’t purged the moment they graduate. It remains stored and locked for a period, so that if faculty members need it, IT can provide access before it’s deleted.

“For example, if they were co-authoring a paper, and they need certain data, and the principal investigator wants data that the graduate or grad student had, we can go get that,” Garmon says. “But we prefer that graduating students proactively do this: Remove what they need and give it to whoever they need to.”

May 21 2019
