To track where data resides in each of these repositories, the University of Hawaii conducts an annual personnel survey that the state requires by law. “It’s not an easy task,” Ito said.
McKay also emphasized the importance of conducting annual surveys and assessments, which can help institutions understand which laws and regulations are applicable to them and how to remediate concerns.
Considering the complex nature of privacy and security laws, McKay recommended hiring a third party if an institution doesn’t have in-house expertise. “If you don’t have someone with expertise in that area, it makes a lot of sense to get help,” he said.
In fact, Portland State worked with a consulting firm to conduct gap assessments. “We continued to work with the consultant, who helped us actually execute remediation. It was a great choice for us. It really enabled us to get the project done,” he said.
What a Data Governance Framework Should Cover
Once an institution understands where its data lives, it’s time to figure out how to manage that copious amount of data.
“You have to know who’s accountable. Who’s responsible for that data?” Ito said. “You must be able to categorize it and make sure it’s in accordance with record retention laws.”
To ensure effective and secure data management, the University of Hawaii has created a comprehensive data governance program. According to Ito, a good data governance framework should define how data is collected, stored and used. It should define who can access that data, when they can access it, and under what specific conditions.
A solid data governance program must also include a classification process and a record retention policy to make it easy to understand how long data can be kept.
And as universities and colleges outsource an increasing number of services to third parties, it is critical to have a vendor management process that can determine whether service providers are protecting data in accordance with the laws and regulations that apply to the institution.
The Future of Data Privacy and Protection
Until there is national privacy legislation that can serve as an umbrella, universities must regularly maintain and update privacy programs to ensure compliance with multiple state regulations and legislation.
McKay recommends creating a data protection officer (DPO) position to manage issues such as ensuring policies are GDPR-compliant and to handle personal data access requests.
As more states pass privacy laws, institutions should expect to see a growing number of students, faculty and staff sending data subject access requests, calling for universities to disclose the intended use of the personal data they collect. “Folks whose data we have at our institution may say, ‘I want my data to be forgotten,’ or ‘I’d like to see a copy of my data,’ or ‘I’d like to know what systems my data is in,’” McKay said. “Those are the kinds of requests that a DPO will manage.”
In an EDUCAUSE session titled “Trust, Comfort, & Concerns: College Students’ Views of Data Privacy,” students expressed a similar desire for transparency and context in data collection practices. “I just want it to be very specific,” one student said. “‘Here we’re going to use your data for the betterment of the community. We can promise you that X, Y and Z aren’t going to happen.’”
Above all, institutions must be prepared to remediate. McKay recommends conducting data privacy impact assessments, which evaluate the risks and impacts of potential data leaks in various higher education systems. “As you bring on new systems, these impact assessments need to be done,” McKay said. “There’s ongoing care and feeding that is required for this overall process.”
Find more EDUCAUSE 2021 coverage, including interviews and advice from higher ed experts.