“This is the kind of project where you have to get buy-in from all the different data owners, so they understand that you’re not taking away something they need to do their jobs and that it’s there to protect them so they don’t inadvertently violate someone’s privacy,” Collins says.
Some students go on to graduate school at another institution, while others may return years or decades later because they want to change careers. Either way, The California State University’s Graduation Initiative 2025 aims to provide them with convenient access to their data.
“It’s aimed at how we’re helping students move more effectively not just through the system but with support post-graduation,” says Ed Hudson, CISO of The California State University. “Most of our approaches are oriented around the student still being able to access certain resources post-graduation so they can get transcripts, pay fees and stay in contact.”
CSU — which confers about 126,000 degrees annually — also has a primer to help faculty and staff understand records retention and disposition schedules and policies. It also follows the International Organization for Standardization/International Electrotechnical Commission standard 27001:2013.
“That’s our systemwide information security framework,” Hudson says. “We also treat some data in accordance with the National Institute of Standards and Technology when it’s appropriate, particularly the personally identifiable information: Social Security numbers, credit card numbers, driver’s license, financial data, healthcare.”
As a public institution, CSU also follows California’s Information Practices Act.
“That outlines what we have to do to protect data and when we have to notify an individual that there’s a breach,” Hudson says.
Cloud Storage and Research Data Pose Additional Privacy Concerns
Another rogue IT risk is when faculty members sweep data, such as student research, into a separate storage account because they’re concerned about losing it after those students graduate. In the process, it’s possible that unrelated personal files also could get swept up.
These sweeps can be a byproduct of policies that automatically purge new graduates’ data from college-provided cloud storage services such as Box and OneDrive. To avoid such problems, the University of Pittsburgh gives new graduates a checklist for securely closing down their accounts.
“If they have things in Box, we ask them to remove them, because when their account is terminated, they cannot get access to them anymore,” says CISO Joel Garmon.
However, students’ data isn’t purged the moment they graduate. It remains stored and locked for a period, so that if faculty members need it, IT can provide access before it’s deleted.
“For example, if they were co-authoring a paper, and they need certain data, and the principal investigator wants data that the graduate or grad student had, we can go get that,” Garmon says. “But we prefer that graduating students proactively do this: Remove what they need and give it to whoever they need to.”