For the past two decades, attention to privacy generally has focused on business or government. The nonprofit sector has faced little privacy scrutiny. Yet this sector has plenty of personal data and, based on my limited experience, plenty of bad or nonexistent privacy practices.
Among all sectors of the economy other than government, higher education includes what may be the most complex institution from a privacy perspective. A college or university has more relationships with more categories of individuals than nearly any other organization. Let’s count the ways.
We begin with students. The parents of students are another category, and the school’s interest in parents may arise from both financial aid and fundraising. Alumni are another set of individuals of interest to a university. So are donors, not all of whom are students, parents or alumni. The faculty constitutes another group, and other employees may need to be categorized separately. Teachers who make recommendations for applicants are yet another group.
Most schools also offer food services, provide housing, sell books and other items and engage in other personal-data-intensive activities. A school may provide health services to students, workers and others. Most customers for these products and services fall into one of the groups already named, but some do not. For example, anyone can buy athletic tickets or make a purchase at a college bookstore. Other categories include library users, Web site users and credit card buyers. Let’s not forget patients at teaching hospitals and subjects of clinical trials. Last on this long but still incomplete list are marketing prospects. Schools routinely troll for prospective students using marketing methods well known to readers of this publication.
Though not every identified category calls for a different privacy policy, there are personal information processing differences. Library users traditionally are protected by deleting usage records once books have been returned. However, universities keep records of student performance for long periods, if not forever. Another example: Schools investigate potential students and potential donors in very different ways.
A federal law sets some privacy standards for most schools, colleges and universities. The Family Educational Rights and Privacy Act sets standards for student records. FERPA does not cover records of faculty, alumni, donors or others with a relationship to a university.
So how well do universities address privacy? A new study comes from professor Mary Culnan, Slade Professor of Management & IT at Bentley College in Massachusetts. Ms. Culnan, a part of the privacy community for a long time, has made many valuable contributions. Her study is based on an analysis of the Web sites of the top 236 schools from the U.S. News and World Report 2004 list of best colleges. You can find the study, the Bentley-Watchfire Survey of Online Privacy Practices in Higher Education, at http://www.bentley.edu/news-events/pdf/Final_Report_040610.pdf.
This type of survey gives only a limited view of compliance with privacy principles, and it tells us nothing about FERPA compliance. Nevertheless, given the Internet’s importance, the study provides a useful view into how much attention universities pay to privacy. My theory is that if they handled privacy well, it would show on their Web pages. Unfortunately, but not surprisingly, that is not the case. Ms. Culnan said that if the universities were graded on privacy, they would fail.
Only 36 percent of schools had a privacy notice that could be accessed from the home page either by a link on the page, by using a drop-down menu or by doing a search. That’s dismal. Having a privacy policy is pretty basic. Corporate America, responding to pressure from the public, Congress and the Federal Trade Commission, has privacy policies on most Web sites.
Nearly 100 percent of schools had at least one data collection form on a page without a link to a privacy notice. The average was 177 link-less pages per school.
For those schools with privacy policies, the content varied quite a bit. Ninety percent of privacy notices described how personal information was used. About half described what personal information was collected. About half that reuse personal information for correspondence or marketing provided an opt out. Only about one-third described how users could access personal information collected by the site. The study has many more details.
Universities appear to be about where American business was 10 years ago. Some pay attention to privacy, and a few do it well, but privacy is not much of a priority. My guess is that most schools implemented FERPA decades ago and never revisited the issue. Eventually there will be some horror stories, and that will start a new cycle of public pressure, legislation and, eventually, more school privacy.
