Academia’s Data Privacy Dilemma
The regulatory environment for colleges and universities is becoming more complex. Due to the volume and nature of sensitive data, new privacy laws can present substantial compliance risks to the higher education sector.
One such new law is Title 10 - Governmental Procedures Subtitle 13A - Protection of Personally Identifiable Information by Public Institutions of Higher Education
In this case, this law only applies only to higher education institutions in Maryland. However, could this new regulation be a sign of more to come?
My thoughts are in line with the views shared in this EdTech magazine article. This new law may lead other states to enact their own rules, which adds another level of complexity as data privacy laws vary from state to state. Furthermore, increased adoption of AI in higher education will only amplify privacy concerns
Therefore, it's a good risk management practice for executives and fiduciaries to gain insights into their institution's data privacy program functions now.
Strategy & Implementation - Ask the questions
The first question boards and fiduciaries should ask their leadership team: What strategies or frameworks are in place to mitigate data privacy concerns?
Privacy by Design is one such framework often touted in academia as a way to manage the risks of data collection, management, and storage. This framework integrates data protection and privacy considerations into “the earliest stages of processes and technical development.” Other strategies could be leveraging NIST or ISO/IEC 27701. Since Privacy by Design, is most often the answer, I will focus on this framework.
The next question is: How is this framework implemented and supported?
If your institution has embraced the principles of Privacy by Design, the adoption of this framework relies heavily on cross-functional partnerships. Unless your organization has a Chief Privacy Officer, the ownership and management of data privacy may lack a "home," so it will be critical to include stakeholders beyond the Information Technology and Information Security teams. Legal, Audit & Compliance, HR, Financial Aid, Research, and Risk Management can help champion data privacy efforts, policies, and practices across the institution. I will caveat that these leaders are already splitting their time on other efforts so to increase impact and efficiency, a best practice is to hire a Chief Privacy Officer.
Bridging the Gap
While implementing a framework is a solid first step, resources are needed to support and fund the program. It is also important to recognize that saying you have a framework is not the sole means of risk mitigation. As with all frameworks, there is a gap between how privacy is intended to be implemented in systems and processes and how it manifests in real-world applications. Here are several reasons for this challenge: (1) resource constraints, (2) competing priorities, and (3) technical challenges with legacy systems, just to name a few. This is where executives and fiduciaries can help bridge this gap and better support data privacy initiatives.
Ethical Concerns
I would also like to mention one other challenge in managing data privacy risk, which is more philosophical. This is how data is valued and viewed in the institutional culture. This comes down to understanding the answers to these two questions: (1) Does your institution value data for business insights over privacy goals? 2) Is your organization more "risk-taking "and would rather focus on only meeting the minimum regulatory requirements instead of embracing a comprehensive data privacy strategy?
Like most organizations, the answers to these two questions can present a potential conflict of interest when it comes to data privacy versus data monetization. Universities maintain large amounts of data on students, faculty, research, and operations. While the value of this data can benefit the campus community and mission, how it is managed or shared can also result in additional financial value to the institution. This leads to another risk. By focusing on economic gains from data monetization, institutions may increase their cyber risk exposure and negatively impact trust and institutional integrity, potentially resulting in reputational risk.
Bottom line:
The interconnectivity of data privacy, cyber and reputational risk cannot be underscored. As the regulatory landscape for data privacy shifts especially with the adoption of AI, institutions will continue to face challenges in safeguarding sensitive information while balancing competing priorities and resource constraints. Implementing frameworks like "Privacy by Design" can be a helpful approach, but it is not the sole remedy.
Building cross-functional partnerships, committing adequate resources, and, most importantly, securing support from leadership is essential to bridging the gap between theory and practice. Further, promoting a culture that values data privacy while embracing comprehensive strategies beyond minimum compliance will help build trust, integrity, and institutional resilience.
Thoughts?
What is next for data privacy in academia?
Other than Privacy by Design, what other frameworks could help mitigate academic data privacy risks?
Additional References:
