by Daniel J. Solove
I was recently interviewed in HR Horizons, the magazine of the National Association of College and University Business Officers (NACUBO) on the topic of privacy and data security in higher education. Here are a few excerpts:
What is the difference between data security and data privacy, and what risks does each pose for a college or university?
Data security involves everything you need to know and do to secure the data you have and produce. This includes technical safeguards you should have in place such as firewalls, virus protection, and password controls. It includes processes for monitoring access to data. And it also includes physical controls, such as policies for data destruction like document-shredding programs. Data security officers most often have a technical background and operate from within the IT unit of a university.
Data privacy is rooted in policy concerns and may be handled within an institution’s legal or compliance office to ensure that people are aware of the laws and privacy risks related to the handling and dissemination of personal data. The personal data at stake at an institution of higher education includes not only student data, but also employee, alumni, donor, and vendor information.
Privacy and security go hand-in-hand. To use an analogy, you can create the world’s toughest safe (security) but if people give out the combination (privacy), then security is thwarted. Both privacy and security are ways of protecting data. Neither is effective without the other.
How well are colleges and universities protecting privacy and data security?
Higher education has made great strides with data security over the past decade. The biggest remaining gap to fill, in my view, is in training. So much of data security involves human behavior, and one of the most powerful tools to affect human behavior is education.
While many other industries have extensive education and awareness programs relating to data security, higher education is only starting to dip its toe in these waters. I hope that soon higher education will be a leader in data security training because higher education is founded upon the philosophy that education can solve problems and improve outcomes.
Privacy protections have been slower to develop in higher education. Currently, only a handful of institutions of higher education have a privacy officer. A privacy officer’s job is to make sure that laws are complied with and that risks are mitigated, in part by ensuring that all institution and department policies are up-to-date and that people are appropriately trained in connection with the information they access and handle. The privacy officer is an essential component in the compliance programs of many businesses and nearly all financial institutions and health institutions. I predict that in the next 5-10 years, most colleges and universities will have a privacy officer because privacy is so complicated that it demands the attention of a full-time employee.
For more, read the full piece at HR Horizons.
****
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 600,000 followers.