Security

Protecting Both Privacy and Security in Higher Ed

Partnerships between privacy and security offices help colleges leverage and protect data without compromising confidentiality.

Amy Burroughs

Amy Burroughs is an award-winning writer specializing in journalism, content marketing and business communications.

In higher education, it’s almost impossible to talk about information security without discussing privacy, and vice versa. In fact, Gartner’s list of the top security and risk trends for 2020 included the ascendance of privacy as an independent discipline. Security and privacy are distinct problems, yet tightly interrelated — a realization that’s changing how colleges think about both.

In the process, institutions are focusing on another key principle: transparency. As privacy programs mature, one best practice that has emerged for colleges is to be up front about the data they collect.

The University of Michigan is leading those efforts with ViziBLUE, an online portal that tells students about the university’s use of myriad data types, from academics to Wi-Fi locations.

“You should be fully informed on what information we’re collecting on you,” says Ravi Pendse, Michigan’s Vice President for Information Technology and Chief Information Officer.

ViziBLUE, which debuted in January 2021, is a campuswide initiative, developed with the help of student interns, panel discussions and focus groups. The first version covers student data, and a staff and faculty version also is planned, Pendse says.

“This interface is going to continue to evolve because more and more new data is going to come in, and other data might get deprecated,” he says.

Transparency is essential because unless students understand how institutions use their data, it’s difficult to trust their stewardship, says Kathe Pelletier, director of the Teaching and Learning Program at EDUCAUSE.

“Increasing transparency around the use of student data can address this lack of understanding, trust and confidence,” she says. “Institutions can inform students about what data is being collected from them and how that data is being stored, used and protected; allow students to update their own data on demand; and provide students with the option to opt out of sharing at any time.”

MORE ON EDTECH: FERPA expert shares four key considerations for online learning data privacy.

The Shifting Higher Ed Privacy Landscape

At 62 percent of institutions, privacy efforts are directed by a dedicated office or chief privacy officer. The remainder place privacy under the responsibility of CISOs or similar roles, according to research from EDUCAUSE. Regardless of structure, however, the pandemic brought new pressures to bear on everyone.

“The pandemic escalated conversations about privacy, and we needed to evaluate those and provide guidance to our colleagues at a faster pace,” says Ann Nagel, the university privacy officer and associate vice provost of privacy at the University of Washington.

Remote learning via videoconferencing raised questions about recordings, sensitive discussions and vendors’ regulatory compliance. Online proctoring has encountered resistance among students and privacy advocates. Campus reopenings introduced new debates about symptom trackers, testing programs and contact tracing.

The University of Pennsylvania’s Office of Audit, Compliance and Privacy “was definitely playing an integral role in terms of making sure we balanced personal privacy and keeping the Penn community safe,” says Scott Schafer, the university privacy and institutional compliance officer at Penn.

DIVE DEEPER: COVID-19 has altered student expectations for data privacy.

Finding and Fixing Privacy Risks

Privacy programs follow many of the same principles that guide security efforts: educate the community about risks and best practices, inculcate a shared responsibility to protect data, and develop a culture that infuses awareness and knowledge throughout operations.

“Privacy and information security are unique disciplines that have an overlapping interest,” says Nagel, who served as the University of Washington’s associate CISO before establishing the privacy office in 2017.

Like CISOs, privacy officers must consider data from every angle: at rest and in transit, on-premises and in the cloud, on campus and remote.

At Michigan, that’s where solutions such as CrowdStrike and Virtru come into play, says Pendse. The former provides cloud-native endpoint security, and the latter supports end-to-end encryption for files and email. Michigan augments a layered approach with two-factor authentication and special precautions for sensitive digital properties.

“We have to be right 100 percent of the time,” Pendse says of the university’s data protection strategy. “There is no room for error here.”

We have to be right 100 percent of the time. There is no room for error here.”

Ravi Pendse Vice President for Information Technology and Chief Information Officer, University of Michigan

Penn’s program, established in 2001, is one of the oldest in the country. Its priorities include assessing privacy risks in academic research and business operations and developing and implementing risk mitigation strategies. Doing so requires intentional, cross-campus partnerships, says Schafer.

“That’s really the success of any privacy program: leveraging and building universitywide partnerships, where people who are working on privacy issues in different parts of the university have a way to get together to discuss those common challenges and come up with common solutions,” he says.

The CISO is Schafer’s closest working partner, both in practice and in policy. Privacy and security staff, together with purchasing colleagues, developed the Vendor Management Improvement Initiative, which addresses security and privacy controls and contractual
provisions for new vendors that handle Penn’s data.

Security and privacy risk assessments are essential whenever institutions deploy new solutions that require data access, says Brian Kelly, director of EDUCAUSE’s cybersecurity program. To help, EDUCAUSE has created a new Vendor Risk Assessment Program and leverages the Higher Education Community Vendor Assessment Toolkit, developed with colleges and privacy leaders.

In other cases, collaboration can ensure that IT solutions meet the needs of both areas. “For instance, their security monitoring tools are very powerful tools, but there are personal privacy considerations there in terms of web traffic and different things, so we really work together on that,” says Schafer.

A Proactive Approach to Privacy at the Beginning

Over time, privacy efforts have become more proactive, particularly during the creation of new data initiatives. “We are much more involved now at the front end of the data lifecycle,” Schafer says.

At the University of Washington, conversations about privacy have become more complex over the past four years, particularly as laws and technologies have evolved. Both areas — legal and technological — pose challenges for privacy professionals, says Nagel.

“They’re looking at the interoperability of the evolving laws and regulations and the privacy implications of evolving technologies, when the laws may not be able to keep pace with the technology,” she says.

Building a cohesive approach to privacy has required strategic, tactical and cultural shifts, says Nagel. Often, that means helping constituents advance their initiatives while making sure privacy is addressed.

“It’s a balancing effort,” she says. “You’re looking at the benefits and the impacts for the institution as well as for the individuals, and hopefully you find the right balance for everyone involved.”

At Michigan, Pendse uses the analogy of a three-legged stool, resting on the pillars of data governance, data privacy and transparency, and data use and analytics. “All three things have to be in balance to have robust and appropriate data-informed decision-making,” he says.

Nick Hagen