Data Privacy Issues in Higher Ed
Management guru Peter Drucker is often quoted as saying, “If you can’t measure it, you can’t improve it.” I have long believed in this philosophy and work with my teams to make sure we are setting goals and measuring our success. While I think Drucker was right, he lived and worked in a much different time. His time was before the days of “big data” and computing solutions that could collect and analyze mountains of data in seconds. Today we use these solutions and then make critical decisions based on our interpretations of the data we get back. Because of this, some argue that information is the most valuable commodity in our economy today. While we still have to measure what we do, we need to be more careful on two fronts: privacy and how we use the data to drive performance.
As I write this article, it’s October, which happens to be National Cybersecurity Awareness Month, so I have spent a lot of time thinking and talking about security recently. While security and privacy are separate things, they are often considered together. So this month, I want to think about privacy and how it relates to the AV world in higher education. Next month we will think about how we use data to drive performance.
Higher education differs from the corporate world in that some particular laws and expectations surround the privacy of both students and faculty members. The primary law that we deal with in higher education is FERPA (Family Education Rights and Privacy Act). This law is intended to protect the educational records of students. The “educational records of students” can be rather vast. Most schools protect everything except what they consider to be “directory information,” such as student’s name, grade level, campus phone number, etc. However, students can require schools to keep that private. So, in some cases, an institution can not even verify the name of a student who attends the school. With faculty members, there are concepts of academic freedom and intellectual property. While protecting those concepts is not regulated, it is certainly the responsible thing to do.
As we collect data to improve our services, we need to ask ourselves some golden rules for collecting data.
- WHAT data are we collecting?
- WHY are we collecting that data (are we going to use it)?
- HOW are we going to use the data?
- WHAT rules and policies govern the collection and storage of data?
The first question varies from college to college, but here are some examples of the things that we may currently collect about faculty and students in higher education.
- Occupancy — how often and when a space is being used
- Frequency of tech use and what type of tech is being used
- Attendance records, polling data (via clickers)
- Video/Audio recordings
- Meeting details (Zoom)
- Device information when connecting wirelessly to resources
- Access to proprietary documents (PowerPoint, etc.) when preparing for presentations
- Interactions with digital signage
- Face recognition (which could lead to age, gender, physical size)
Second, take some time to think about why you are collecting this data. Is it intentional? Is it because the system was configured that way? Is it because you have no policy or procedure to eliminate the data? If you are intentionally recording this data, be sure you can document why. This is more for your internal usage. If you receive questions about privacy, you will want to be able to detail what data you are collecting and why. Thinking of these questions ahead of time may also be a tool you use to share what you’re collecting with your clients. A clear public statement helps to ease suspicions, allows people to ask informed questions and helps them make informed decisions about their behavior.
If the collection of the data is not intentional, then you should make an effort to stop collecting it. Unintentional data collection can happen if you have systems or software set up by default because they perform logging. Get into these systems and turn that logging off, and remove any existing logs. Additionally, you should have policies that determine the length of data storage, and procedures in place to make sure it is removed after those dates pass.
We now know what data we are collecting and why. We next need to think about what we are doing with the data. We often consider data private when it can be matched up with people and behaviors. So, if you are using this data to evaluate people or processes, you should tell those people you are evaluating them. If you are using it to make future decisions about installs, such as what equipment to install, or how people use the equipment, it should be made known. If any of the data is being sold or released to outside parties, it should be known. (This includes integrators who may be providing remote services.)
One of the challenges that we face when we consider privacy is that we can not always know how others will use information. While we may think that most of this information is entirely harmless, and poses no risk or violating anyone’s privacy, other people may be able to use the data in ways we have not considered. Therefore, a thoughtful and proactive approach helps us protect our customers and their privacy.