Feb 20 2020

To Better Protect Student Data, Know the Difference Between Security and Privacy

Understanding how security and privacy fit into data protection can help colleges and universities properly — and ethically — handle student data.

It’s no surprise that privacy ranked second on EDUCAUSE’s 2020 Top 10 IT Issues list.

With high-profile cyberattacks in the news and strict regulations on how higher education institutions should handle student data, it’s well understood that administrators and faculty play a critical role in protecting sensitive student information.

Part of that responsibility involves understanding the principles of security and privacy and how they relate to the collection and use of data in higher education.

Doug Welch, chief privacy officer at Baylor University, and Jon Allen, Baylor’s CISO and interim CIO, focused on this matter during a session at the 2019 EDUCAUSE Conference last October. As the two presented on building strong privacy programs on college campuses, they distinguished between efforts to secure data and keep it private.

Security and privacy are two different concepts — even if they’re often discussed as if they are interchangeable. Allen boiled it down to this: While security can exist without privacy, privacy isn’t guaranteed if institutions don’t have the right security protocols in place.

And with the European Union’s General Data Protection Regulation and an expanding set of similar U.S. state laws pressuring institutions to improve how they handle and protect student data, it’s even more imperative for educators and administrators to have a clear understanding of these interrelated concepts and their role in data protection practices.

Yet for many in higher education, the line between security and privacy is still blurry. That needs to change.

MORE ON EDTECH: Find out why higher education organizations are pushing for change in data security regulations.

The Difference Between Security and Privacy

Security and privacy go hand in hand when it comes to protecting data. Institutions can’t start developing strong data privacy policies without security controls that can safeguard that data against threats such as email hacks and breaches.

But what’s the real difference between the two? Security involves using technical and physical strategies to protect information from cyberattacks and other types of data disasters. That includes preventing unauthorized access or accidental corruption of data and maintaining its integrity.

Privacy is concerned with protecting the rights of individuals and ensuring they have control over their personal data that institutions may use. It involves defining and creating procedures and policies that best guide how data is collected, stored and used, as well as whom it can be shared with.

VIDEO: Watch experts discuss the questions higher education IT leaders should be asking around security.

Balance Security and Privacy for Optimal Data Protection

It’s important for institutions to balance these two concepts today. More than ever before, colleges and universities rely on data collection to inform student success initiatives and develop personalized services such as financial support and student life programs. In fact, 49 percent of U.S. colleges and universities have data analytics initiatives underway, according to a 2018 white paper by Ovum.

But Big Data comes with big responsibilities beyond that of having the technical infrastructure and tools that make data analytics possible. As the value of data increases, so do information security risks. To mitigate those, campuses have to tighten their cybersecurity measures, which should also prompt on-campus discussions about related privacy measures.

For example, as schools like Syracuse University and Virginia Commonwealth University began to use phone sensors and Wi-Fi networks to monitor student performance and behavior, some campus community members expressed immediate concern. They felt that this breached students’ privacy and digital rights and undermined their independence.

That’s why it’s necessary for higher education communities to have continuing conversations about handling student data in an ethical and responsible way. As Baylor’s Welch noted, an emerging best practice is to establish a separate privacy program led by a privacy officer who can monitor and advocate for data privacy compliance, training and enforcement.

Layering transparent policies about data collection, access, monitoring and sharing with security systems is also key to upholding stakeholder trust. Meanwhile, campuswide training on data privacy for staff, faculty and students can educate them on data management risks. They can also learn about state and federal laws such as the Family Educational Rights and Privacy Act and understand security protocols such as different forms of encryption and authentication.

By recognizing how security and privacy work together, along with being transparent about student data, colleges and universities can develop best practices for data protection while keeping their students’ best interests in mind.

This article is part of EdTech: Focus on Higher Education’s UniversITy blog series.

 

Lucy2014/Getty Images