From the roadmap for action report

Risk Mitigation: Revise Privacy Policies

The development of strong privacy policies is critical, and must extend beyond legal compliance. The expansion of grey data on campuses has created privacy questions that lawmakers have only begun to grapple with. Particularly in the U.S., the limited legal framework for data privacy leaves it mostly up to institutions to protect themselves and their stakeholders. To ensure that privacy policies address the needs of the community, they should be developed in consultation with the constituencies that will be affected (including but not limited to faculty, researchers, other staff, students, and administration).

There are several data privacy policy frameworks that can serve as a starting point. EDUCAUSE and NACUBO have made available a number of resources to academic institutions to structure their data privacy policies.1 In addition, Institutional Review Boards (IRBs) may be able to offer useful policies and practices that have been developed or adapted locally.

Some of the key strategic themes that can be covered in strong privacy policies include:

  1. Banning any unauthorized release of any data on research activities to any third parties, including the government (in the absence of a court order).

  2. Requiring any third party which receives or develops student or faculty data to obtain approval from the institution before entering into any agreement to resell or license the data (even in anonymized form), as well as notify the institution of any database breach or government request to obtain the data (with or without a court order). Faculty and students, in turn, should be notified by the institution of any of the above events.

  3. Establishing a requirement to obtain student approval to maintain, beyond a reasonable period of time, data gleaned through the use of digital courseware and other services, including time and location of access, patterns of usage, and the learning profile of the students. Student approval should be necessary for the use of any data other than in the course in which the information was collected (for example, preventing student learning profiles from being transferred from one course to the next). U.S. institutions must ensure these requirements are updated to reflect all student data that may be collected, not just that narrowly defined by FERPA.

  4. Ensuring students are adequately informed of the possible uses of data collected through digital courseware, access cards, library records, etc. before using these services. This is especially important where the use of a specific product, system, or tool is required for a student’s coursework or campus life.

  5. Providing pathways for students to establish their own privacy preferences with digital services, particularly digital courseware. Students should be able to “opt in” by category of usage (adaptive learning, usage logging, etc.) and the default position should be that digital courseware grants the same degree of anonymity as a print textbook.

  6. Ensuring that any contract with a third party that involves the collection of student or faculty data clearly stipulates data use, ownership, and migration terms. Data and information provided, generated, derived, or otherwise created through any service should remain the sole property of the institution or students and faculty themselves, and all uses of this data should require approval. This includes the obvious steps of prohibiting the re-licensing or selling of data, but also the use of the data (even if de-identified) in product development, marketing, or profiling.


About the authors

Claudio Aspesi

A respected market analyst with over a decade of experience covering the academic publishing market, and leadership roles at Sanford C. Bernstein and McKinsey.

Scholarly Publishing and Academic Resources Coalition

SPARC is a non-profit advocacy organization that supports systems for research and education that are open by default and equitable by design.