Sign In

Communications of the ACM

Virtual extension

Online Privacy Practices in Higher Education: Making the Grade?


View as: Print Mobile App ACM Digital Library Full Text (PDF) Share: Send by email Share on reddit Share on StumbleUpon Share on Hacker News Share on Tweeter Share on Facebook

In June 2006, the trustees of Ohio University (OU) voted unanimously to spend up to $4 million on enhanced information security. The decision came in the wake of the media coverage about OU's "lax, low-priority attitude toward security," resulting in five data breaches detected since April, the theft of 173,000 Social Security numbers, and an unsecured alumni database which was used by hackers for over a year to share music files and launch attacks on other systems.5 Fallout from the breaches included a lawsuit filed by alumni who sought class action status to represent any students, employees and other alumni affected by the breaches,6 and an 8% decline in the number of donations received when the breaches were disclosed compared with the same period in the previous year.7

Higher education faces significant privacy and security challenges, as the OU example illustrates.1 First, most colleges and universities engage in the same types of ecommerce activities that raise privacy concerns in the private sector and potentially pose privacy risks if not managed effectively. For example, schools typically process electronic applications, engage in relationship marketing, accept donations and sell t-shirts, textbooks and athletic tickets, online. However, their privacy policies have received little attention compared to the scrutiny the private sector has received.3

Universities also collect and maintain large online stores of sensitive personal information, putting them at risk for security breaches. Further, while most businesses have retention policies specifying when records should be discarded, many educational records containing sensitive personal information about students and their families may be retained indefinitely. Higher education has accounted for a disproportionate share of publicly reported security breaches.9 The majority of these breaches were attributed to hacking, but schools also reported lost laptops, or even posting of sensitive information on a Web site. Some schools reported multiple incidents.

Further, like the private sector, higher education faces privacy risks posed by decentralized computing environments. Many schools outsource common business functions such as online admissions, sale of athletic tickets, credit card processing or operation of their bookstores to third parties. However, the higher education information environment is also characterized by other attributes including norms of academic freedom that pose additional risks and challenges not found in the commercial world. Academic departments often operate their own servers and run their own Web sites. Individual faculty, students and student organizations also have personal Web sites that run on department servers or servers managed by the school.

This article presents the results of a benchmark study of online privacy practices in higher education.2 The study addresses the question, how well is higher education managing online privacy? The study is based on an audit of Web site privacy practices and a content analysis of the online privacy notices of America's leading colleges and universities to assess whether they observe fair information practices.

Back to Top

Fair Information Practices

To manage privacy effectively, organizations need to implement policies based on fair information practices. Fair information practices (FIP) are global principles that provide individuals with control over the disclosure and subsequent use of their personal information, and describes organizational obligations for data protection. Because FIP balance the legitimate but competing business and individual interests around the use of the individual's personal information, they provide the basis for both privacy laws and self-regulatory programs. For example, federal privacy laws based on FIP that affect higher education include the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Children's Online Privacy Protection Act (COPPA).1

Currently, the most widely accepted U.S. version of fair information practices reflects a subset of the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and is based on five elements: notice, choice, access, security and accountability.3 Notice means when individuals provide personal information, they have the right to know what, if any, information is being collected and how it will be used. Choice means individuals should have the right to object when personal information is collected for one purpose and will be used for other unrelated purposes or shared with third parties, unless this sharing is required by law. Access means individuals should have the right to see their information and correct errors. Security means organizations should ensure data integrity and protect data from unauthorized access during both transmission and storage. Accountability means organizations should put in place processes to insure they comply with these principles.

As a result of the publicity about security breaches, privacy is often equated with security. However, privacy is more than security. While security is one important element of privacy, there are important differences between the two. Privacy is about how organizations use (and reuse) personal information, and whether or not they gain permission for these uses, while security is about protecting information. Failure by organizations to manage personal information along both of these dimensions can result in harm to the individual.11 While you cannot have privacy without security, you can have security without privacy, as organizations can secure personal information yet make legal but poor decisions about using this information which raise privacy concerns.

Privacy notices represent the public face of an organization's overall privacy policy the rules that govern the collection and use of personal information. They typically describe the organization's implementation of FIP. Recent surveys found that most .com Web sites post some form of privacy notice. Prior research also found that people use privacy notices as one important way to manage the risk of disclosing personal information online.8 Best practices for online privacy include developing a privacy notice written in plain language that accurately describes the organization's information practices. At a minimum, the notice should be linked from the organization's home page and on all other pages where personal information is collected. Figure 1 describes the basic elements of a good privacy notice. We now present the results of our assessment of whether current practices in higher education reflect these best practices.

Back to Top

How the Study Was Conducted

This study is based on an analysis of the Web sites of the top 236 schools from the US News and World Report 2004 list of best colleges. The sample consisted of 129 national doctoral universities and 107 national liberal arts colleges. We collected three types of data: data about actual practices based on an automated audit of common privacy risks; a content analysis to measure the extent to which the privacy notices posted by schools in our sample reflect fair information practices; and a readability assessment of these notices.

Back to Top

Automated Audit for Common Privacy Risks

First, we conducted an automated audit of the Web sites for all 236 schools using Watchfire's WebXM Privacy Module.a Web XM was an automated tool that helps organizations identify risks related to their collection of personal information online. Watchfire ran five scans for each school. In addition to the home page, we scanned four other sections of the Web sites where schools are likely to collect personal information: undergraduate admissions, athletics, alumni, and employment/human resources. Each scan analyzed approximately 200 pages from each starting URL; we scanned a total of 174,291 pages across all schools. The scans looked for three types of privacy risks related to privacy notice use, cookies, and data collection forms. Table 1 describes these risks and how they relate to fair information practices.

First, we scanned for pages without a link to a privacy notice. Nearly 100% had at least one data collection form on a page without a link to a privacy notice with an average of 177 such pages per school. Next, we scanned for third party cookies. Third-party cookies were found on the Web sites of only nine schools (4%) suggesting this is not a major risk factor in higher education. However, it is interesting to note that for these nine schools, five did not have a homepage privacy notice, and one of the four schools with a privacy notice did not address cookies in their notice. Finally, we scanned for privacy risks associated with data collection forms. All of the 236 schools had at least one non-secure page with a data collection form, with an average of 424 such pages per school. Nearly 100% had at least one data collection form that used the HTTP GET method to submit the data with an average of 209 instances per school. As described in Table 1, the GET method encodes data in the Request-URI which may then be stored in a server log, making it visible to unauthorized individuals.

Back to Top

Content Analysis of Home Page Privacy Notices

Next, we conducted a manual search for privacy notices in each of the five sections we analyzed during the automated audit (home page, undergraduate admissions, alumni, athletics, and employment/HR). Only 36% of the schools overall (40% doctoral universities and 21% liberal arts colleges) had a privacy notice that could be accessed from the home page either by a link on the page, by using a dropdown menu, or by doing a search.

Of these 85 home page privacy notices, only 65 were linked from the home page, and of these 65, the link for only 53 of the sites was explicitly labeled as "privacy." Further, for some schools, the notices posted on other sections of the sites differed from the home page privacy notice. For example, 50 schools posted a privacy notice for the undergraduate admissions section of their Web site, but only 41 of these policies were the same as the privacy policy posted on the home page. Finally, an additional 39 schools or 17% of the sample had privacy notices on other sections of the site, but no home page privacy notice.

Doctoral universities were statistically more likely to have a homepage privacy notice than liberal arts colleges. Overall, larger schools, based on number of undergraduate students, were statistically more likely to have a home page privacy notice than smaller schools, however there were no significant differences for size when doctoral universities and liberal arts colleges were analyzed separately. Further, there were no significant differences for public versus private institutions.

Next, we did a content analysis of the 65 home page privacy notices linked from the home page. We analyzed each notice to determine to what extent the notice reflected four elements of fair information practices (notice, choice, access and security). Our survey form was adapted from the form used in the FTC's 2000 Online Privacy Survey.3

Table 2 contains the results for the content analysis of the 65 home page privacy notices. Less than half of the notices described the scope of the notice or provided contact information. While the results of the automated audit suggest that all schools collect personal information, only 51 schools provided a statement to that effect. For these 51 schools, we next analyzed the notice to see to what extent the notice reflected the basics of fair information practices and these results are also contained in Table 2. While 90% of these notices described how personal information is used, approximately half of the notices fell short on the remaining criteria.

Back to Top

Readability Assessment

For privacy notices to be useful, the notice must be readable. To assess readability, we collected three forms of data for all 65 notices. We measured overall readability using the Filesch-Kincaid grade level score, the length of the notice in words and whether or not the notice contained any internal links to facilitate navigation.

We found overall that these notices scored well on readability given the audience for these sites. The average Flesch-Kincaid grade level score was = 9.35 or first year of high school. The average length of the notices was 736 words (equivalent to approximately two pages of single-spaced text); 4% of the 65 notices contained at least one internal link to facilitate navigation.

Back to Top

Discussion and Recommendations

The results suggest that if the U.S's leading institutions of higher education were graded on privacy based on the results of this study, they would likely receive a failing grade. Nearly all of the institutions in our study engaged in practices online that pose a potential privacy risk yet less than one-third had a privacy notice accessible from their home page. Further, none of the notices included all of the core elements of fair information practices. The results also suggest that despite facing similar risks, higher education lags the private sector in addressing privacy issues.1,3

However, the issues raised by this study are likely the tip of the iceberg.1 The failure of the majority of schools in our sample to post any type of notice suggests that colleges and universities do not have comprehensive processes in place for managing privacy. While it can be a relatively simple matter to create a privacy notice, it is critical that the notice is backed up with an ongoing governance process to ensure that a school's practices are consistent with its privacy noticethat is, you "do what you say."

Key elements of privacy governance include assigning responsibility for privacy, developing a privacy policy that is based on an inventory of the personal information maintained by the organization, identifying relevant laws and regulations, reviewing contracts with third-parties who have access to personal information to ensure compliance with the policy, training and retraining faculty, staff and students, and ensuring the institution also complies with its own policy as well as all relevant laws and regulations. The privacy notice should be drafted after the school formally assesses its information practices and develops its privacy policy. Posting a notice independent of a formal process runs the risk that the notice will be at odds with the school's actual practices as some of the results suggest. For example, while some schools in this study included assurances about security in their notices, the results of the automated audit suggests that all these schools were potentially at risk for security breaches and as a result, may not be able to honor the promises they made in their notice. Failure to honor the promises made in the privacy notice may also create a potential legal exposure.

There is also a need for large-scale efforts to promote awareness in higher education of the need to make online privacy a strategic priority. Today, most commercial Web sites post some form of a privacy notice even if there is no legal requirement to do so. This resulted from a variety of activities by the federal government and the private sector.

Beginning in the late 1990's, the FTC conducted several Web surveys of the leading .com Web sites to assess the extent to which these sites posted privacy notices based on fair information practices.3 These surveys provided the catalyst for the private sector to launch a number of self-regulatory programs, motivated by a desire to avoid Federal legislation as well as recognition of the potential for privacy concerns to inhibit the growth of e-commerce. Further, the E-Government Act of 2002 required all federal agencies to develop privacy policies, and to post privacy notices on their Web sites. There have not been any similar efforts targeting higher education, but there should be, given the widespread adoption of e-commerce, the high incidence of security breaches in higher education, and the results of this study. Higher education trade and professional associations, the media, state attorney generals, and other legislative and regulatory bodies all have a bully pulpit that could be used to focus attention on the problem.

A new Massachusetts security regulation issued in September 2008 (201 CMR 17.00) may now require many colleges and universities to implement a comprehensive formal security program.10 The rule applies to all organizations that maintain personal information about a Massachusetts resident and defines processes to be included in the security program. While the rule does not require organizations to address other privacy issues nor to develop a privacy notice, complying with the security requirements provides an opportunity to address these related issues, including developing policies related to how the organization uses personal information.

In conclusion, effective privacy notices have been shown to help create trust, particularly for companies that do not have a strong brand.8 Currently, higher education enjoys a high level of public confidence. A 2006 survey conducted for the American Association of University Professors (AAUP) found that higher education enjoyed a level of confidence second only to the military, with nearly 42% of the public reporting they have "a lot of confidence."4 Therefore, privacy concerns are unlikely to reduce the demand to attend America's leading institutions of higher education. However, failing to manage privacy strategically can significantly damage reputation, reducing the willingness of donors to contribute. Privacy concerns can also cause people to refuse to interact with schools online, thereby raising the school's administrative costs.

Personal information is a valuable resource in the information age. Every college and university needs to guard its information assets as carefully as it protects its money. Personal information touches many business processes and is accessible to administrators, faculty and even student employees. As a result, privacy is a strategic issue that deserves the attention of university presidents and trustees in order to protect their institution's reputation with its stakeholders. Absent top management support, it is unlikely that a school will successfully implement an effective, ongoing governance process, particularly if privacy and security are viewed purely as a technology issue.1

Further, the challenges posed by the decentralized and open nature of many academic computing environments should not serve as an excuse for failing to manage privacy effectively. A cross-functional privacy task force of key stakeholders can shape policy related to the privacy implications of new technologies or current and new information uses, and promote buy-in across the organization. Automated tools, such as the one used to conduct a portion of this study, can be used to audit data collection practices across even large, decentralized Web environments and to flag potentially risky practices for review. A scope statement in the privacy notice, defining what parts of the Web site are governed by the notice, can address some of the challenges of decentralization. Just as schools have comprehensive policies governing their financial affairs that apply across the organization, it is a worthy goal for all schools to strive to ensure that all the Web pages they host abide by a common privacy policy. Managing privacy effectively is not easy, but today it is essential.

Back to Top

References

1. Cate, H. F. The privacy and security vacuum in higher education. Educause Review 41, 5 (2006), 1828.

2. Culnan, M.J., T.J. Carlin and T.A. Logan. Bentley-Watchfire Survey of Online Privacy Practices in Higher Education: Final Report (2006); www.bentley.edu/news-events/pdf/Final_Report_040610.pdf.

3. Federal Trade Commission. Privacy Online: Fair Information Practices in the Electronic Marketplace, (2000); www.ftc.gov/reports/privacy2000/privacy2000.pdf.

4. Gross, N. and Simmons, S. Americans' Views of Political Bias in the Academy and Academic Freedom (2006); www.aaup.org/surveys/2006Gross.pdf.

5. Ludlow, R. Ohio U. Leaders Vow to Boost Data Security, Columbus Dispatch, 01A. (June 24, 2006).

6. Ludlow, R. OU Faces Suit Over Data Loss, Columbus Dispatch, 01B. (June 27, 2006).

7. Ludlow, R. OU Gets More Cash from Fewer Donors, Columbus Dispatch, 02E. (July 12, 2006).

8. Milne, G.R. and Culnan, M.J., Strategies for reducing online privacy risks: Why consumers read [or don't read] online privacy notices. J. of Interactive Marketing 28, 3. (2004), 1529.

9. Privacy Rights Clearinghouse. A Chronology of Data Breaches Reported Since the ChoicePoint Incident (Updated June 19, 2006); www.privacyrights.org/ar/ChronDataBreaches.htm.

10. Smidinghoff, T.J. and Hamady, L.E. New state regulations signal significant expansion of corporate data security obligations, BNA Privacy and Security Law Report, 7, 41 (Oct. 20, 2008), 1518.

11. Solove, D.J. A Taxonomy of Privacy, University of Pennsylvania Law Review 154, 3 (2006), 477560.

Back to Top

Authors

Mary J. Culnan (mculnan@bentley.edu) is the Slade Professor of Management & Information Technology at Bentley College in Waltham, MA.

Thomas J. Carlin (tjcarlin@alum.bentley.edu) is a Product Manager at ChoiceStream, Inc. in Cambridge, MA. All work described in this article was done while he was an MBA candidate at Bentley College in Waltham, MA.

Back to Top

Footnotes

a. Watchfire was acquired by IBM in July 2007, and Watchfire's Privacy XM software was incorporated into the IBM Rational Software Delivery Platform. Both of these events took place after this paper was accepted for publication. See www.ibm.com/rational.

The authors acknowledge the helpful comments of Jane Fedorowicz, Charles Iacovou, and Lynne Markus on earlier versions of the article. We also acknowledge Traci Logan's contributions to the study design. Watchfire collected the data for the automated audit portion of the study.

DOI: http://doi.acm.org/10.1145/1467247.1467277

Back to Top

Figures

F1Figure 1. Privacy Notice Basics.

Back to Top

Tables

T1Table 1. Common Online Privacy Risks.

T2Table 2. Content Analysis for Home Page Privacy Notices: Fair Information Practices By Type of School.

Back to top


©2009 ACM  0001-0782/09/0300  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.


 

No entries found