Getting Started

This chapter of the Information Security Guide will serve as a clearinghouse for sharing higher education privacy materials. While privacy is a discipline distinct from information security, sharing privacy information in this resource is appropriate given the many collaborations necessary between higher education information security and privacy programs to ensure the comprehensive protection of institutional data.

The initial process in developing an institutional privacy program is to understand the institution's approach to privacy, understand the different types of data used at the institution, and identify which laws and regulations are applicable to the institution's use of data. You will also want to get to know your stakeholders and other institutional privacy supporters.

Learn more about the General Data Protection Regulation (GDPR) and how it may affect your institution starting in May 2018.

Overview

In the past few years, higher education institutions have begun to hire a growing number of individuals, often called Chief Privacy Officers (CPOs), dedicated to campus privacy and data protection concerns. Higher education institutions collect, store, use, transmit, disclose, and dispose of a wide variety of data every day. The data are varied and include research data, academic data, medical data, financial data, and the personally identifiable data of faculty, staff, students, alumni, and any other person that comes into contact with the institution. Concerns about privacy and data protection have risen in conjunction with the emergence of new technologies, the vast amounts (and variety) of data at play in the higher education environment, and how that data is being used. (See our brief list of the most common federal data protection laws, or visit the Higher Education Compliance Alliance Matrix.)

At the outset, it should be noted that privacy concerns are very different from security concerns, even though the two concepts are often used interchangeably. Information security activities are focused on protecting the confidentiality (i.e., only those authorized to see certain data have access to it), integrity (i.e., the data remains unchanged while it is processed in IT systems), and availability (i.e., data is available/accessible to users when they need it) of data.  

Privacy, on the other hand, looks at the privacy rights of individuals and the laws, practices, and norms about how information is collected, used, and disclosed. Within that very broad definition are two concepts:

  • Autonomy privacy: The right of an individual to conduct their activities without concern of observation. (This is commonly understood as the “right to be let alone” and to conduct one’s activities without interference from the government or other government-like organizations.)
  • Information privacy: The right of an individual to have some control over how their personal information is used. This concept stems from the Fair Information Practice Principles (FIPPs).

Source: UC Berkeley (2016)

In the higher education context, issues around privacy are encountered daily. Consider the following brief examples:

  • An institution wishes to install surveillance cameras in its recreational center locker rooms because of increased theft and assaults in these spaces.
  • The admissions office wishes to update the institution’s application form and ask students to include their social media account names on their application for admission.
  • A faculty member wishes to conduct research on rare diseases and wants to use patient medical records received from the university’s medical center for her research.

All of these examples include privacy issues that need to be addressed. Privacy also contains a compliance component, as there are many laws and regulations that include privacy requirements. In addition to state laws, some of the more well-known federal privacy laws mentioned in the higher education privacy space include:

  • The Family Educational Rights and Privacy Act of 1974 (FERPA): Designed to protect students and their families by ensuring the privacy of student educational records.
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA): Requires covered entities (typically medical and health insurance providers and their associates) to protect the security and privacy of health records.
  • The Gramm Leach Bliley Act of 1999 (GLBA): Imposes privacy and information security provisions on financial institutions; designed to protect consumer financial data.
  • Federal Policy for the Protection of Human Subjects (“Common Rule”): Published in 1991 and codified in separate regulations by 15 federal departments and agencies, outlines the basic ethical principles (including privacy and confidentiality) in research involving human subjects.
  • The Children’s Online Privacy Protection Act (COPPA): Governs the online collection of personal information from children under the age of 13.
  • The Fair and Accurate Credit Transaction Act of 2003 (FACTA, or “Red Flags Rule”): Requires entities engaged in certain kinds of consumer financial transactions (predominantly credit transactions) to be aware of the warning signs of identity theft and to take steps to respond to suspected incidents of identity theft.
  • The Privacy Act of 1974: Specifies the rules that a federal agency must follow to collect, use, transfer, and disclose an individual’s personally identifiable information (PII).

As institutions consider privacy issues, a number of responsibilities have evolved for individuals responsible for campus privacy activities and/or programs. Those responsibilities include:

  • Establishing privacy policies, notices, standards, and processes with institutional stakeholders.
  • Ensuring that the institution complies with applicable state, federal, and international laws, campus policies and procedures, and industry privacy standards.
  • Developing and managing privacy awareness education for students, faculty, and staff.
  • Serving as a subject matter expert and counseling campus constituents on best practices, new technologies, privacy complaints, potential institution-wide risks, and privacy impacts on institution-wide initiatives.
  • Assisting with investigations and responses to campus privacy breaches or incidents.

Resources

Standards

| ISO | NIST | COBIT | PCI DSS | 2014 Cybersecurity Framework | HIPAA Security |
|---|---|---|---|---|---|
| ISO/IEC 29100:2011 (privacy framework) | 800-53: Appendix J | N/A | N/A | Cybersecurity Framework: See methodology to protect privacy and civil liberties. | 45 CFR 160; 45 CFR 164 (note FERPA interplay in some instances) |


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).