Data privacy has been a top IT priority in higher education for years. But protecting personally identifiable information (PII) is becoming more challenging as education grows more digital. And the rise of strict new privacy laws all around the world is making the task much more complicated – and the stakes much higher – for many institutions.
Here are just a few significant examples of how privacy laws are affecting IT in higher education. Though these laws may not apply to your institution, they are likely to serve as models for similar laws in the future – so the challenges they’ve been creating are still worth learning from.
Data Storage Restrictions
More and more governments are introducing legislation that dictates where their citizens’ information can be stored. More specifically, they forbid citizens’ PII from being transferred to other countries.
The Freedom of Information and Protection of Privacy Act (FIPPA) in British Columbia, Canada, is one example. This provincial law requires public bodies (including colleges and universities) to take all reasonable measures to safeguard PII against unauthorized collection or use. This includes prohibiting them from storing any private data on servers located outside of Canada.
This restriction makes it tricky for academic institutions to license some cloud-based software. Cloud service providers often offer little control over where the data they collect is stored or how it is transferred. And yet, cloud software is increasingly integral to education, particularly in the age of remote learning.
This puts school IT teams in an awkward position – balancing their obligations under the law with the need to equip their students with the best tools. It also adds complexity and considerations that IT must take into account when implementing cloud integrations.
Even institutions that don’t have to worry about where user data is stored must be very careful about how they collect that data. This is particularly true where laws prohibit organizations from gathering user data without those users being informed of and consenting to the collection.
The EU’s infamous General Data Protection Regulation (GDPR) contains such a clause. Article seven of the GDPR stipulates that any organization seeking to collect an individual’s data must have that individual’s consent to do so. This consent must be informed, meaning the individual must be aware of who is seeking their data, what data they mean to collect, and for what specific purpose.
This, too, has complicated the use of cloud software in education. Several cloud products offer a user sync tool to easily provision access across an organization. However, this involves pulling user information from the organization’s directory to the cloud – without those users’ knowledge or consent.
This practice risks running afoul of the GDPR. However, for many schools, the only other option is to manually provision and deprovision users on an individual basis. And at large colleges and universities, where eligibility for software can change every time a student’s course load does, this can be an enormous burden on already-overworked IT teams.
Confusion Over Applicability
It’s not just specific clauses from privacy laws that complicate things for schools (though many do). Ambiguity over when and to which organizations laws apply can also create complexity, pitfalls, and risk.
The California Consumer Privacy Act (CCPA) is a perfect example. On the surface, it seems to exempt most colleges and universities, as they are generally considered non-profit organizations. However, this is not true of all higher-ed institutions. Private universities that meet the CCPA’s requirements regarding revenue and the quantity of data they handle are considered businesses and subject to the CCPA.
Even non-profit institutions in California can’t ignore this law. These schools all work with many for-profit third parties that process student data to provide all kinds of services – from learning management systems to user authentication to online software stores. To what degree these service providers are subject to the CCPA depends on how those parties use the data they’re entrusted with and on the language of their contract with the academic institution.
In short: deciphering when, to whom, and to what degree the CCPA applies can be a maze. It’s important for all schools in the state to familiarize themselves with the law even if it theoretically doesn’t apply to them. These schools must also be very careful when assessing and negotiating contracts with service providers to minimize their exposure to CCPA-related risk (as well as risk to their students’ data).