Privacy and Data Security in Higher Education
Daniel Solove
Professor, GW Law School + CEO, TeachPrivacy + Organizer, Privacy+Security Forum
I was recently interviewed in HR Horizons, the magazine of the National Association of College and University Business Officers (NACUBO) on the topic of privacy and data security in higher education. Here are a few excerpts:
What is the difference between data security and data privacy, and what risks does each pose for a college or university?
Data security involves everything you need to know and do to secure the data you have and produce. This includes technical safeguards you should have in place such as firewalls, virus protection, and password controls. It includes processes for monitoring access to data. And it also includes physical controls, such as policies for data destruction like document-shredding programs. Data security officers most often have a technical background and operate from within the IT unit of a university.
Data privacy is rooted in policy concerns and may be handled within an institution's legal or compliance office to ensure that people are aware of the laws and privacy risks related to the handling and dissemination of personal data. The personal data at stake at an institution of higher education includes not only student data, but also employee, alumni, donor, and vendor information.
Privacy and security go hand-in-hand. To use an analogy, you can create the world's toughest safe (security) but if people give out the combination (privacy), then security is thwarted. Both privacy and security are ways of protecting data. Neither is effective without the other.
How well are colleges and universities protecting privacy and data security?
Higher education has made great strides with data security over the past decade. The biggest remaining gap to fill, in my view, is in training. So much of data security involves human behavior, and one of the most powerful tools to affect human behavior is education.
While many other industries have extensive education and awareness programs relating to data security, higher education is only starting to dip its toe in these waters. I hope that soon higher education will be a leader in data security training because higher education is founded upon the philosophy that education can solve problems and improve outcomes.
Privacy protections have been slower to develop in higher education. Currently, only a handful of institutions of higher education have a privacy officer. A privacy officer's job is to make sure that laws are complied with and that risks are mitigated, in part by ensuring that all institution and department policies are up-to-date and that people are appropriately trained in connection with the information they access and handle. The privacy officer is an essential component in the compliance programs of many businesses and nearly all financial institutions and health institutions. I predict that in the next 5-10 years, most colleges and universities will have a privacy officer because privacy is so complicated that it demands the attention of a full-time employee.
For more, read the full piece at HR Horizons.
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells.
Secretary at CSRI-SARI, Tamale
10 years ago
This is very satisfying because with the wide knowledge of this article, one can gain a lot of wisdom from this and could even upgrade it by creating new ideas from the topics created above. Thanks for introducing this page for us to learn more and develop our areas of study.
Cybersecurity Author, Expert & Keynote Speaker | as seen on 60 Minutes & Anderson Cooper | Data Privacy | ID Theft
11 years ago
Daniel, how refreshing to have an expert like yourself describe the inter-related role of privacy and security in such a simple, useful way (safe & combo). I know that both concepts are frequently misunderstood, and therefore easily ignored. You and I met at the Harvard Privacy Symposium years ago, and I have enjoyed reading your books and articles ever since. As testament to your point (that universities are discovering the importance of training on these topics), I point to a six-campus awareness event about cyber security hosted by the University of Massachusetts Office of Information Technology and University Information Technology Services. I was proud to be part of that event, and part of your conversation. https://www.oit.umass.edu/news/2013-10-15/john-sileo-speak-privacy-identity-theft-th-1024-3-pm
Technical Account Manager | SaaS | Cybersecurity | Cloud Solutions | AWS, APIs, HTML, CSS, JS, MySQL | Customer Success & Technical Support
11 years ago
Thanks. It was a very beneficial article. We too are working on providing training to colleges and universities on cyber security and making them updated about the recent hacking techniques and security alerts.
Channel Director -U.S. East @ Foresite Cybersecurity Helping clients to minimize cyber risk and ensure data protection compliance.
11 years ago
Very timely article. Our firm is launching a Managed Security Service that can be tailored to aggregate alerts for internal staff so they are made aware of potential threats and can react to alerts in real time. But because so many clients don't have full-time IT security professionals on staff, they can also choose to have our team address the threats.
Registered Nurse Consultant at Aspire Living & Learning
11 years ago
I agree more institutions need a privacy officer "full time". With all the hackers out there it is real easy for secure information to be compromised. The real question is, what does a University do once they learn personal information has been compromised without their consent.