Oct 29 2021

EDUCAUSE 2021: What’s Next for Data Privacy and Security Laws?

Higher education CISOs prepare for future privacy and security regulations.

Following the footsteps of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), multiple states and countries are currently preparing comprehensive data privacy and security legislation.

What steps should higher education institutions take today to comply with future legislation and regulations? At an EDUCAUSE panel on Oct. 28, Jodi Ito, CISO of the University of Hawaii System, Sean McKay, CISO of Portland State University, and Kirk Kelly, vice president and CIO of Portland State, gathered to share strategies and best practices for addressing future privacy risks.

Developing a Culture of Privacy

Over the past decade, many universities and colleges have formed a strong culture of security. But at those same institutions, there is only a nascent culture of privacy. “Privacy is a new domain that these regulations have brought to the forefront of our discussions,” said McKay.

To form a culture of privacy, he recommends that institutions actively think about compliance risks for current and future legislation: Does your university have a physical presence in states and countries with pending legislation? Is there a high percentage of residents in those states or countries who attend your institution? And does your institution have partnerships or enterprises in those places?


Although these are questions that CISOs and chief privacy officers should be asking themselves, “often, it’s a crisis that causes action to happen,” said McKay.

To create a culture of privacy, McKay recommends building a coalition of stakeholders that involves the Office of the General Counsel and the institution’s entire executive leadership, including both academic and business leaders.

Ito echoed the importance of getting leadership on board from the start. “Make sure that your institutional leadership, legal counsel and all the other functional areas are bought into this,” she said. “Otherwise, you’ll encounter a lot of pushback.”

A High-Level View of a University’s Data Inventory

Once CISOs receive leadership approval, the next step is to figure out where all the data resides.

To gain a better understanding of where data lives throughout its institution, the University of Hawaii maintains a comprehensive data inventory that tracks several data categories:

  • Institutional repositories apply to student information systems, personnel systems and data warehouses.
  • Research repositories cover human studies, social sciences and medical data. Although most medical data is de-identified, Ito warned some privacy laws could still apply.
  • Unit or departmental repositories deal with data that is usually the most difficult to document, drawing from international student programs, program applications and volunteer data.

To track where data resides in each of these repositories, the University of Hawaii conducts an annual personnel survey that the state requires by law. “It’s not an easy task,” Ito said.

McKay also emphasized the importance of conducting annual surveys and assessments, which can help institutions understand which laws and regulations are applicable to them and how to remediate concerns.

Considering the complex nature of privacy and security laws, McKay recommended hiring a third party if an institution doesn’t have in-house expertise. “If you don’t have someone with expertise in that area, it makes a lot of sense to get help,” he said.

In fact, Portland State worked with a consulting firm to conduct gap assessments. “We continued to work with the consultant, who helped us actually execute remediation. It was a great choice for us. It really enabled us to get the project done,” he said.


What a Data Governance Framework Should Cover

Once an institution understands where its data lives, it’s time to figure out how to manage that copious amount of data.

“You have to know who’s accountable. Who’s responsible for that data?” Ito said. “You must be able to categorize it and make sure it’s in accordance with record retention laws.”

To ensure effective and secure data management, the University of Hawaii has created a comprehensive data governance program. According to Ito, a good data governance framework should define how data is collected, stored and used. It should define who can access that data, when they can access it, and under what specific conditions.

A solid data governance program must also include a classification process and a record retention policy to make it easy to understand how long data can be kept.

And as universities and colleges outsource an increasing number of services to third parties, it is critical to have a vendor management process that can determine if service providers are protecting data in accordance with the laws and regulations that apply to your institution.


The Future of Data Privacy and Protection

Until there is national privacy legislation that can serve as an umbrella, universities must regularly maintain and update privacy programs to ensure compliance with multiple state regulations and legislation.

McKay recommends creating a data protection officer position to manage issues, such as ensuring policies are GDPR-compliant, and handle personal data access requests.

As more states pass privacy laws, institutions should expect to see a growing number of students, faculty and staff sending data subject access requests, calling for universities to disclose the intended use of the personal data they collect. “Folks whose data we have at our institution may say, ‘I want my data to be forgotten,’ or ‘I’d like to see a copy of my data,’ or ‘I’d like to know what systems my data is in,’” McKay said. “Those are the kinds of requests that a DPO will manage.”

In an EDUCAUSE session titled “Trust, Comfort, & Concerns: College Students’ Views of Data Privacy,” students expressed a similar desire for transparency and context in data collection practices. “I just want it to be very specific,” one student said. “‘Here we’re going to use your data for the betterment of the community. We can promise you that X, Y and Z aren’t going to happen.’”

Above all, institutions must be prepared to remediate. McKay recommends conducting data privacy impact assessments, which evaluate the risks and impacts of potential data leaks in various higher education systems. “As you bring on new systems, these impact assessments need to be done,” McKay said. “There’s ongoing care and feeding that is required for this overall process.”

