Managing Student Information in an Evolving Privacy Landscape

3/10/2020 12:00 PM

Everyone who uses their phone to scan Craigslist ads, check their favorite online news source, browse social media, book Airbnb lodging, or request an Uber has consented to a privacy policy for each of those sites or apps. But according to a Deloitte survey, 91 percent of people consent to terms and conditions without reading them. For people ages 18-34, that rate climbs to 97 percent.

Why is this? Do we not care about our data? Do we trust the corporations that collect it? Are we bewildered by the lengthy legal jargon that comprises most privacy policies? Or do we just value technology above our desire to protect our most sensitive personal information? Whatever the reason, it’s clear that most of us are willing to check the consent box without fully understanding what we’re signing away.

First steps toward privacy protection

The debate over privacy in the electronic age isn’t new, and the first regulatory steps have already become law. After years of preparation, debate, and approvals, the General Data Protection Regulation (GDPR) became EU law in May 2018. In June 2018, California passed the California Consumer Privacy Act (CCPA), which mandated a January 1, 2020, compliance deadline.

The passage of the GDPR and the CCPA have significantly changed the privacy landscape. While they differ significantly, both pieces of legislation have the same goal: to protect consumers’ personal information and address concepts such as rights of access, portability, and data deletion. We’ll dig into both of these regulations in greater detail in a subsequent TouchNet blog post.

For now, it’s important to know the privacy-protecting effects of the GDPR and the CCPA reach beyond the borders of the EU and California. Here’s a snapshot of how both pieces of legislation define personal data:

  • The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
  • According to the GDPR, Sensitive Personal Data is “data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation.”

How privacy laws impact your campus

On any given day, colleges and universities collect data through authorized payments and transactions such as tuition payments, alumni donations, event registrations, clinic visits, and more — all of which feed into Student Information Systems. Then there are campus vendor sales, credential swipes, point-of-sale devices, and other data sources, which depending on the solutions in place may be feeding additional personal information into the system. What responsibility do schools have for handling and securing this information?

It’s important to remember that aside from personal information, other information gathered may also be governed by various regulations. For example, vendors like TouchNet use student card data, such as payer name, address, associated student ID, etc., to authorize payments and refunds. Because we focus on payments, we must follow the card brand and PCI regulations that mandate data retention for payments. Both students and administrators need to understand what private information must be maintained to deliver the expected services and remain compliant in an ever-growing field of regulations.

Proactive data management is the best policy

Schools also need to keep in mind vendor evaluations are an ongoing process. Understanding how vendors collect, manage, and store information is critical to ensuring privacy standards are met. Between protecting the data the school itself collects and having a crystal clear understanding of what data vendors collect and how they use it, data management of personal information is a formidable task.

For now, the EU and California have blanket privacy legislation protection; many state schools must also comply with privacy legislation specific to their state. With still more states considering legislation, does it make sense to maintain separate privacy policies, or to apply GDPR- and CCPA-level protection to all personal information collected on campus? That’s a timely question that universities should ask — and make sure campus vendors answer — sooner rather than later.