COVID-19 Has Altered Student Expectations for Data Privacy

Privacy-Enhancing Technologies Support Governance Plans

Privacy-enhancing technologies — or PETs — are helping a growing number of universities and colleges meet a higher bar for privacy. PETs are software and hardware solutions designed to maximize data usage without posing privacy and security risks.

The University of Michigan is one example of an institution that has made good use of PETs.

The university used PETs to launch an online portal called ViziBLUE, which shows students how their data is being used. The portal also provides guidance on privacy considerations. “We are using homegrown tools to provide access to this information by building integrations with other tools,” says Ravi Pendse, the university’s vice president for IT and CIO.

“For example, we have networking tools that collect Wi-Fi data. Those, in turn, interface with this portal to show when you connect to various campus buildings,” he says. “Similarly, ViziBLUE provides information about your interactions with the admissions system, with financial aid data and learning analytics data.”

MORE ON EDTECH: Here's 4 key questions to help you protect online learning data privacy.

PETs also offer data encryption, digital rights management and other features that support privacy governance. These tools are in compliance with student privacy laws such as the Family Educational Rights and Privacy Act (FERPA).

“PETs are not a single solution,” Kelly says. “They are one part of a solution you’re setting forth in your policy and your governance, and those privacy enhancing technologies are supporting that.”

Proactively Address Student Concerns About Data Privacy

What concerns do students have about privacy? How has the pandemic affected student data privacy expectations? Universities and colleges need to be aware.

When higher education transitioned to online classes, students formed new expectations for data privacy in schools. To build trust with current and prospective students, institutions must be proactive about communicating privacy rights and protections — and information on how their data will be used.

“When we shifted to online learning we had to engage with students and faculty to provide additional guidance,” Pendse says.

At The Ohio State University, freshmen can take a class to help them understand the stakes.

“We talk about privacy as a balance between the need to use personal information, the benefit you can get from that use of the personal information and the risks of using that information,” says OSU’s chief privacy officer, Holly Drake.

As colleges and universities manage vaccine administration and COVID-19 test sites, more concerns about data privacy will inevitably arise. “Students have to get tested for COVID, and they want to know who’s running this test and what they are doing with their personal information,” Drake says.

RELATED: Learn how higher ed CPOs and CISOs can boost student privacy.

Staying FERPA-Compliant in a Hybrid or Online Learning Setting

With the shift to online learning — and back to campus — some institutions may also need to revisit FERPA requirements. It is important to ensure FERPA security controls surrounding remote learning align with in-person practices as well.

“That’s something institutions want to think about,” Kelly says “Having a solid FERPA program sets them up for success with online or remote learning, as long as your institution is applying the FERPA standard consistently to everything that you’re doing, whether it’s on campus or online.”

The Rise of Privacy Boards and Chief Privacy Officers in Higher Education

To meet the rising challenges of student data privacy, a growing number of institutions are forming privacy boards and hiring chief privacy officers.

CPOs and privacy boards are especially critical now, as data-driven public safety approaches in higher education require thoughtful management.

“For those folks in public safety who have had access to that personal information — whether it’s camera systems, facial recognition or license plate readers — you’ll need to go back to your data governance policy to ensure that data privacy is being used appropriately,” Kelly says.

At OSU, Drake has a privacy governance council to help navigate such issues. “Those questions are bigger than just one role or one person,” she says. “If we wanted to change the governance process around the use of video, for example, it can’t just be what Holly thinks is right.”

DOWNLOAD THE WHITEPAPER: Overcome your compliance challenges.

Drake’s position was created just two years ago, as the university sought to consolidate student data from fragmented silos. As universities adopt more data-driven practices, this ongoing consolidation of data will require a higher level of oversight, she says.

“When we put it all together and start using it in new ways, that requires contemplative thought,” Drake says. “The privacy officer can pull the right people together and think about how to govern the data.”

Higher education institutions are seeing an increasing need for this kind of leadership.

“It’s evolving because of increasing compliance requirements, along with growing societal pressures and privacy concerns among individuals,” Kelly says. “It cannot be just an additional duty for the CISO. It’s all much more complex than it was a couple of years ago, and the chief privacy officers are really taking the lead on this.”