Exploring Higher Education Privacy
Society has struggled to catch up to the world-changing impact of the global interconnection of systems and information. As usual, technology change spawned a subculture of language, interaction, commerce and content. The designers of the Internet as well as early personal computing envisioned a world where a coterie of researchers would freely pass information between universities and think tanks with minimal friction. The operators and users relied upon the goodwill of each player, and for a time, the Internet was a utopia in every sense of the word.
The rapid commoditization of technology turned the trickle of new users to the Internet into a stream and eventually a flood. And, as in any social construct, we experienced the rise of individuals and businesses who take advantage of the freedom and openness of the net for their own purposes, altruistic or otherwise. As more businesses placed transactions on the web, more personal information floated around.
New forms of crime were now extant. Hacking for fun and profit grew. Simple exploits were eventually monetized and ultimately taken over by multinational players as well as nation-states. Entire industries arose to deal with the problems. We now have the anti-virus industry, we have the credit check industry, and so on. Inevitably, governments are drawn in because of both a need and desire to regulate.
Perhaps surprisingly, many people do not care about their personal information floating around the web. In fact, the blithe unconcern about the amounts of very personal information they have spewed onto the social sites is by turns amazing and horrifying. Aside from the concerns about having decades of personal history readily minable, this presents a trove of easy targets for identity theft and other crimes.
Many people are concerned about who the custodians of personal information are and where it is stored. They recognized that businesses and other organizations don’t understand or don’t care about the security of their client or customer information. Governments on both sides of the Atlantic began addressing the issue in the early 1990s, but the rapid development of the web has placed everyone in catch-up mode.
Colleges and universities in the United States have been subject to both HIPAA and FERPA regulations for years. These laws governed the management of patient health data and student records but were limited to that. Over the past couple of years individual states in the US began developing more comprehensive privacy regulations, and in May of 2018 the EU GDPR (General Data Privacy Regulation) went into effect. The US Federal Government is now studying various solutions that would supersede and harmonize the state regulations.
So, now institutions of higher education are looking at regulations which include draconian penalties for failure. Small schools would be at risk of going out of business if they were hit with an enforcement action. The sense of panic is evident as people scramble to remediate their exposure.
Some have dodged the issue because they have no students from the EU, or any business presence there. Others are waiting for the American court system to sort out what, if any, legal liability applies in the case of students who travel to the United States from the EU for education. Everyone should understand that the federal government will soon have something to say about this, whether or not the state where a school is located has developed regulations.
Throughout the panic, fear-mongering and debate, I think we are missing the point. For centuries colleges and universities have operated under the doctrine of in loco parentis. Simply put, these institutions are expected to be the adults in the room. Students place their trust in their college for a solid, practical education, and expect to be safeguarded from threats while on the campus. This extends to the personal information necessary to provide that education.
By definition, personal information is owned by the individual. Colleges and universities may be the custodians of such information, but they do not own it. There is a clear moral obligation towards the proper stewardship of this information. The reason all these laws and regulations are appearing is that we have not done a good job with this. Generally speaking, of course.
Since complaining, ignoring or otherwise sidestepping our obligations will not ultimately make the problem go away, we need to deal with it. Because we have had years of experience in dealing with HIPAA and FERPA issues, higher education institutions are starting out ahead in this marathon. We should have already implemented necessary security. Payment Card Industry (PCI) rules have forced us to pay attention to financial information.
Many of the regulations, the GDPR in particular, have included the right to be forgotten. Upon request, we would be required to delete personal information about the requesting individual. This becomes a thorny issue because of legal and educational requirements for retaining certain information. People are still thinking this through, and I’m not sure where it will ultimately lead.
Finally, we need to remember our mission. We cannot adequately serve our students if we cannot protect them from malicious players. We must provide the sense of security and comfort so that they know that whatever else happens with their personal information, their college will not be the culprit.