Privacy Governance - A Solution?
Mar 28, 2022
In this series, we have highlighted just how much data is currently used in Higher Ed and the overall absence of transparency, dove into the purpose of data collection and how it has changed, and reviewed problems associated with single privacy gatekeepers in absence of a collective body.
Today... we reveal the answer! (ok... "answer" is a little aggressive... at least a proposed direction in which to aim)
Given the nature of Higher Education, there seems to be a more obvious path - a data governance structure/committee to monitor applications and uses of data across campus. Not only does this fit into faculty and staff norms with regard to committees, but it simply resolves many of the existing stress points. What might this entail?
Having examined every major University's privacy practice, the best privacy governance system/structure in the Higher Education world might be the University of Michigan’s ViziBlue. They outlined their recommendations for their recent iteration in this document. I would describe it as jarring yet refreshing transparency compared to the norm. To summarize their fantastic work in probably a far too simple manner, the structure could be described as follows:
- Documentation (Process & Catalog):
1. Institutional contact responsible for keeping each system’s document updated
2. Log of changes and reviews to the system’s privacy document
3. Data contained, input, and generated by the system; noting the severity of risk or privacy of each field (a“data dictionary” of sorts)
4. Duration the data is stored in the system (is it kept forever? Is it removed after a student graduates?
5. Users/Groups who have access to the system
a. Fields or types of data that they have access to
b. Who’s responsible for approving access to this system
- Documentation (Process & Catalog):
- Oversight Committee:
1. Consists of Faculty/Administrators/Students
2. Is responsible for the overall governance of privacy
3. Establishes processes for approval of new systems and new use cases for existing systems
4. Ensures public transparency and sufficient communication
5. Understands what and how data is being used or collected across the campus
6. Provides access to a ticketing system which provides a trail for inquiries
a. Student data requests
b. New use case/new applications
Candidly, there is nothing magical or unexpected about the above. It's a simple framework that answers the most pressing problems with how data is used. In particular, it provides both transparency to students, faculty, staff, and the community, as well as protection from misuse that goes outside the bounds of the purposes highlighted previously.
The difficult part is the execution. For example, is it realistic to categorize the data of every vendor? Or ask already overworked staff/faculty to commit to a diligent but perhaps long process of evaluating use cases?
For Universities with more flexible budgets and broad expertise, perhaps not. But for many, it may be a tall ask.
At Degree Analytics, we recognize this gap and are aiming to help advance tools for all Universities to advance their data and privacy governance. Currently, we have developed an initial version of a transparency document that highlights What Data Exists, How it is Collected, and How it is Used (snapshot below). Its goal is to provide a basic framework that any University can quickly adapt to their unique environment and host on their website. It's FREE and open source! You can get it here
We are exploring a set of other tools to help monitor the 3rd party applications that are utilized (University approved or alerted when not).
Our Ask: we need your input and feedback! Whether it's on our open-source materials or otherwise, we believe creating a better more transparent future requires collective effort and collaboration. If interested, please reach out!
So - Interested in the Free Privacy Governance Tool? Get it Here