SHADES OF GRAY: THE EVOLUTION

OF DATA PRIVACY STANDARDS IN

HIGHER EDUCATION
By Merritt Neale and Matthew Tryniecki

In today’s highly connected higher coming in at numbers one and two, respectively.
Over the last decade, the trend toward
education institutions, there is
technology-enabled “smart” campuses brought
increasing emphasis placed on with it heightened scrutiny around the ethics
information security and data and strategy of using student data appropriately.
privacy. While the two are inherently To create formal guidelines for educational
linked, they aren’t one and the same. institutions, the federal government passed
the Family Educational Rights and Privacy
Information security focuses on the prevention Act (FERPA) in 1974, but in today’s climate,
and recovery of data breaches; privacy deals more most experts agree it is outdated and must
with the applications of personal information, and be revamped to keep pace with a constantly
laws or institutional ethical standards that govern evolving industry.
how it is used. To date, a fair amount of focus and
investment has been made to better understand Since 2013, 41 states have enacted more than
the intricacies of information security, but despite 120 supplemental laws. But even these legislative
this, the privacy landscape in higher education is advancements struggle to keep pace with the
still relatively unexplored. current rate of technological innovation, driven by
rising adoption rates of artificial intelligence and
data analytics tools, which often render potentially
successful strategies null and void before they can
Privacy: Safeguarding ever be executed.
institutional constituents’
privacy rights and Data is the lifeblood of any higher education
institution’s strategic planning activities, providing
maintaining accountability both evidence of success and justification for
for protecting all types of new initiatives. And colleges and universities are

restricted data leveraging this information to make improvements

in nearly every area of the institution, including
classroom and online learning, recruitment,
— EDUCAUSE, 2019 IT Issues retention, donor engagement, physical building
controls and much more. But this wealth of
data is a double-edged sword: on one side, the
In a 2019 EDUCAUSE study, higher education virtuous applications of data that improve the
leaders identified privacy as the third most critical student experience; on the other, the potential for
IT issue facing the industry, with related concerns unethical, ill-advised or unlawful use of personally
around information security and student success identifiable information (PII).
SHADES OF GRAY: THE EVOLUTION OF DATA HURON | 2
PRIVACY STANDARDS IN HIGHER EDUCATION

Ed Tech and Big Tech members of their community as part of their daily
operations that fall outside of the research realm.
Higher education’s increasingly common Some data may still be formally regulated or
partnerships with third-party vendors and big governed, but the challenge is that often it is not.
technology (e.g., Amazon, Facebook, Google, etc.)
further complicate the matter. The involvement For instance, consider the myriad data collection
of these companies exposes institutions to public points encountered by college or university
scrutiny, fueled by several recent, high-profile students on an average day. Getting home late
violations, as well as ambiguity in terms of who is from a night out, a student may use a campus ID
responsible for what happens to harvested data. card to enter her dorm. The next morning, feeling
pangs of hunger, she uses her dining plan card
Shadow IT, smart campuses, the internet of to pay for breakfast at the cafeteria. Later, she
things and further proliferation of third-party reserves a conference room for that afternoon’s
systems pose a new set of questions at the organic chemistry study group session. After
intersection of privacy and civil liberties, ethics, classes are over, she heads to the soccer field
ownership and autonomy. where her performance is tracked by an athlete
data management system. And at each stop
Take, for example, the public outcry over the throughout the day, automated license plate
Facebook data sold to Cambridge Analytica, a reader (APLR) technology tracks where her
political consulting firm that allegedly used the vehicle is parked. Multiply these interactions by
information to target American voters in the 2016 thousands of students, and one gets a clearer
presidential election. The blowback from this picture of the sheer amount of daily data being
scandal has caused leaders in nearly every industry collected by these institutions.
to pause and consider the ethical implications of
data collection and its potential uses. Some states
are even getting in on the action, with Vermont
Data Collected on the Average
and others approving legislation that governs the Student on a Typical Day
sale of citizens’ personal data.
Automated License Plate Technology
Higher education leaders should be mindful of Tracks Location of Student’s Vehicle
how these types of third-party platforms are used
and take initiative to proactively educate students,
faculty and staff on what is being collected and
Campus ID Card Used
how it may be leveraged.
to Enter Dorm

There’s No Black and

White in Gray Data Dining Plan Card Used to
Pay for Breakfast
Although there is an abundance of ethically neutral
or potentially positive uses of students’ personal
information, there are at least as many gray areas
System Used to Reserve
not covered by current legislation, where leaders
Conference Room
are being forced to make difficult decisions.

In an article in the Berkeley Technology Law

Journal, Christine L. Borgman described gray Performance Tracked by Athlete
data as the data that universities collect about Data Management System
SHADES OF GRAY: THE EVOLUTION OF DATA HURON | 3
PRIVACY STANDARDS IN HIGHER EDUCATION

While the data collected can be helpful when community and the public at large in a dynamic
developing a student success strategy, it can also conversation about privacy, real progress
be potentially problematic given the implications can take place.
of tracking individual students wherever they go
on campus. To be truly successful, these administrators need
the tools and sponsorship to create practical
Gray data challenges can even impact students’
guidelines and policies that can translate into daily
post-graduation prospects. Consider the difficult
practices and procedures.
position of athletic administrators determining
whether to share a promising student athlete’s
But CPOs should not be the sole arbiters of an
history of serious head injuries with professional
institution’s privacy policy. They must be willing
league recruiters.
and able to bring in other internal and external
The use of gray data may conflict with campus experts to help them make informed and educated
privacy standards and notions of academic decisions. At the same time, they must also be
freedom. But with little to no formal guidance viewed as a valuable, accessible resource for
on these types of scenarios, institutions are often stakeholders across the institution.
left to determine the ethical path forward on
their own.
Privacy Governance Boards

Building the With the goal of promoting a balance of

perspectives from across the institution, formal
Infrastructure for privacy governance boards are essential to

Data Governance the ethical review and adjudication of complex

information and data management matters. These
To meet this challenge head on, institutional
committees are typically composed of a mix of
standards, policies and guidelines should be
knowledgeable faculty and administrators, while
collaboratively developed by a diverse and
some integrate students as well.
representative group of stakeholders with broad
expertise in student privacy and data protection.
The University of California Los Angeles (UCLA)
This collaboration occurs within a well-defined
has its Board on Privacy And Data Protection,
governance structure, with clear roles and
while the University of Chicago looks to its
responsibilities, and defined outcomes.
Data Stewardship Council for guidance.

To that end, over the last few years, there has

In combination with an institution’s privacy office,
been a marked increase in colleges and universities
these boards can help demystify the niche student
recruiting for chief privacy officers (CPOs) and
privacy and data protection concerns inherent in
instating campuswide privacy governance boards.
the daily operations of colleges and universities.

Chief Privacy Officers

The Future of Privacy
Often relegated to a back-office role on the
information security team, effective CPOs in Higher Education
transcend this classification by becoming a visible In the future, higher education leaders will
campus ambassador, able to build positive working continue to grapple with new challenges and gray
relationships with diverse stakeholders across all areas regarding student privacy. In addition, there
areas of the institution. When a CPO is allowed will likely be an upsurge in state legislation — with
to be forward-facing, engaging the campus California’s Consumer Privacy Act leading the way
SHADES OF GRAY: THE EVOLUTION OF DATA HURON | 4
PRIVACY STANDARDS IN HIGHER EDUCATION

(set to take effect January 1, 2020) — as well as

increased rigor around enforcing existing federal Steps for Improving Your
laws like FERPA, the Health Insurance Portability
Institution’s Management
of Data Privacy
and Accountability Act (HIPAA) and Europe’s
General Data Protection Regulation (GDPR).
Consider the following steps to get started on
With an uptick in these formal regulations will improving your data governance:
come additional ambiguity as prevailing laws • Get familiar with existing laws
already contradict each other in some cases; some (e.g., HIPAA, GDPR and the California
require the long-term storage of data while others Consumer Privacy Act, to name a few).
mandate concepts like the GDPR’s “right to be
• Conduct an asset inventory to identify
forgotten,” wherein consumer information must be
where the institution is storing personal
erased if requested.
information as part of its operations.

Today, most institutions are just beginning to • Assess the institution’s potential risks
invest in the resources required to respond related to data privacy to help prioritize
effectively to these developments. Privacy offices, opportunities for improvement.
while increasingly common in higher education, • Clearly define ownership for key
are still relatively rare. And those that are in place privacy areas to ensure role clarity
are often understaffed and mired in everyday and effective execution.
activities, including breach response, contract
reviews and compliance activities.

Likewise, data governance boards are

increasing in number, yet many still struggle
to make a significant impact on institutional
Key Takeaways
policies. Driving consensus across a wide range
of stakeholder groups is a difficult task, often Think differently.
pitting faculty against administration, but In light of the many gray areas related
leaders have a moral, ethical and professional to student privacy, consider whether the
responsibility to find common ground for the establishment of a privacy office and
greater good of the institution. other governance constructs would help
your institution navigate this ambiguity
Forward-thinking institutions will embrace this more effectively.
new frontier in higher education by building a
robust infrastructure to support ethical data Plan differently.
usage, privacy education and innovation. Ensure your governance structure supports
diverse stakeholder participation in the review
and adjudication of complex privacy matters.

Act differently.
Empower your privacy office and/or data
huronconsultinggroup.com governance board to create supplemental
© 2019 Huron Consulting Group Inc. and affiliates. Huron is a global consultancy and not a CPA guidance and policies to cover gray
firm, and does not provide attest services, audits, or other engagements in accordance with
standards established by the AICPA or auditing standards promulgated by the Public Company
Accounting Oversight Board (“PCAOB”). Huron is not a law firm; it does not offer, and is not
data concerns.
authorized to provide, legal advice or counseling in any jurisdiction. Huron is the trading name of
Pope Woodhead & Associates Ltd.

19-1975