The Evolving Landscape of Data Privacy in Higher Education
Organizations today are accumulating larger amounts of information faster than ever. Through technology, organizations can utilize these volumes of data to enhance efficiencies and provide more informed decision-making capabilities. This growing dependence on technology has introduced a variety of advantages, but it also has meant additional risks to organizations. Learning how to mitigate those risks can put a company, agency, or institution (such as a university), in a position to thrive as it instills trust in the organization and its data protection practices.
Certain industries, such as higher education, are presented with unique challenges when collecting and processing data. Universities use technology for a variety of purposes, such as learning solutions, methods of communication, administrative processes, and research. As technology is increasingly embedded within higher education, universities are obligated to safeguard student information from both a technical and ethical perspective. By understanding trends in data privacy, addressing regulatory updates, and implementing certain privacy best practices, a university can effectively navigate the evolving data privacy landscape and proactively protect student information.
Emerging privacy trends
Higher education institutions have been developing internal technical processes, systems, and applications for years. During the development of any new technology, privacy by design must be considered a top priority to effectively protect personal information. Privacy by design is a set of leading principles that emphasize the importance of embedding data protection and privacy considerations into the earliest stages of data management processes and technical development. Privacy by design is most impactful when different parts of the organization are aligned. In higher education, key stakeholders across offices (e.g., information technology, security, compliance, internal audit) collaborate to ensure privacy protections are in place when handling student information.
Another benefit to incorporating privacy policies into process and technical development is that it improves the university’s cybersecurity defensive position. Security incidents are inevitable in some cases but acknowledging risk factors and planning for those incidents is crucial to limiting their impact. If properly prepared and secured, a university can prevent a security incident from escalating to a data breach. In higher education, universities mitigate the risk of a breach by implementing security measures to protect students’ personal information, arguably the school’s greatest asset. This emerging privacy trend reflects the importance of integrating privacy and security data protection methods and best practices to avoid detrimental data breaches.
Changes in privacy regulation
The U.S. has recently been advancing regulations to protect personal information and highlight the importance of data privacy. In lieu of a federally instituted, comprehensive data privacy law, individual states have begun passing varying versions of their own regulations to address privacy concerns and establish privacy rights and requirements. While most of these state privacy laws share similarities, there are certain exceptions that may present compliance challenges. Universities must now understand how these state laws apply and overlap with longstanding federal laws, such as the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Even security standards, such as the Payment Card Industry Data Security Standard (“PCI DSS”), continue to evolve, with PCI DSS Version 4.0 effective as of March 2024. The difficulty of cohesively adopting the appropriate privacy provisions in response to these regulatory changes can be a daunting task for universities.
In addition to national privacy laws, there are also international privacy laws to consider, such as the European Union’s General Data Protection Regulation (“GDPR”), Brazil's General Data Protection Law (“LGPD”), and China's Personal Information Protection Law (“PIPL”). Addressing compliance across this evolving landscape can introduce complexities and challenges for organizations. For instance, higher education institutions may be faced with assessing their privacy posture and interpreting differing complex requirements to remain compliant with applicable laws. Internally establishing foundational privacy requirements allows these universities to remain more agile and responsive in the changing regulatory environment.
How do I assess privacy risk?
A privacy impact assessment, (“PIA”), is an internal evaluation that organizations conduct to identify and analyze privacy risks, controls, and mitigation efforts in systems and processes where personal information is involved. Following state privacy law requirements and GDPR guidance, an organization must conduct a PIA to address the impact of processing personal or confidential information. PIAs are typically performed before any processing has taken place—at the beginning stage of the initiative or when major changes are proposed to an existing initiative.
Higher education institutions complete PIAs to identify and mitigate risks to student information. These assessments enable privacy and security officers and process owners to categorize and document the potential impact to individuals. This is an important example of how these universities prioritize the security and protection of student information.
State and international privacy law groups have published high-risk activities that should be considered and addressed when performing a PIA. Some of these high-risk activities at a university could include:
- Processing sensitive personal information, including protected health information (“PHI”) like the data collected at student health centers.
- Targeted advertising.
- Profiling, such as monitoring and associating student behavior to academic success.
- Automated decision-making that could lead to legal consequences.
- Systematic monitoring.
- Processing a large volume of personal information, including research data.
- Cross-border (country to country) data transfers.
Higher-risk activities captured when conducting a PIA should be proactively addressed. In some cases, these high-risk activities may trigger a different type of privacy risk assessment: the data protection impact assessment (“DPIA”). The DPIA specifically involves instances of higher risks to individuals and should also be proactively utilized by universities. These internal assessments provide higher education institutions with insights that allow for better data protection and risk mitigation.
Privacy and data governance
In the U.S. and worldwide, many government entities now emphasize increased data privacy and security. As regulations governing privacy requirements continue to evolve, it is imperative that your institution stays aware of these changes and adapts its policies and procedures to ensure ongoing compliance. By emphasizing data governance and utilizing its principles, you can build a foundation for a secure framework and establish an effective privacy program. Data governance is essential to scaling a data privacy program across your university and enhancing data management processes. Data governance aligns strategy, data management, privacy, and compliance objectives to enable key stakeholders—while also protecting its data subjects.
With the rapid expansion of data collection by higher education institutions in recent years, understanding these data flows is more important than ever. A primary principle within privacy and data governance is documenting information transfers, the systems incorporated, and the third parties involved. By proactively managing these data flows, your institution can more comprehensively secure and protect personal information. A record of processing activities, (“RoPA”) is an efficient way to document and monitor these information transfers. RoPAs are even required by certain privacy regulations and can be a pillar to an effective internal privacy program.
- Identify benefits of processing personal information, but also evaluate the associated risks.
- Mitigate those risks by actively responding to new privacy regulations and incorporating secure and ethical data processing.
- Embed privacy considerations from the initial design phases of any activity processing personal information.
- Promote responsible data management by establishing a privacy program supported by effective data governance practices.
- Develop internal awareness, and document how your institution processes and protects information.
Privacy in practice: What’s next?
With changing regulations and a growing emphasis on effectively protecting personal information, addressing data privacy can seem like an ambiguous task. The first step to assessing these considerations is to perform a data privacy health check, which assesses the institution's compliance with privacy regulations and best practices. These assessments, whether internally or externally performed, can assist a university in identifying gaps in regulatory compliance, ineffective protection practices, or insufficient privacy controls.
The establishment of a formal privacy program also enables higher education institutions to ensure student information is protected and managed responsibly. A privacy program, led by a privacy officer, promotes internal policies and requirements that can minimize the risk of data breaches. The privacy program fosters collaboration and cohesion with the privacy officer, security, compliance, and other key stakeholders.
Protecting personal information is one of the biggest challenges for a university, and EisnerAmper professionals are experienced with helping clients identify risks that are specific to this industry. It’s important to proactively address changes to privacy regulation through privacy assessments, privacy program management, and the establishment of responsible data governance. As the privacy landscape continues to evolve, our team is committed to supporting your institution and its unique needs.
Explore More Insights
Comparing Fee-for-Service and Cost-Based Reimbursement for School-Based Medicaid ProgramsRead More
IRS Enforcement of Digital Assets is on the Rise | Tax Guidance and ExpectationsRead More
Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.