This Is Auburn Office of Audit, Compliance & Privacy
Case In Point: Lessons for the proactive manager

You have probably noticed that this publication comes from the Office of Audit, Compliance and Privacy (OACP) at Auburn University. Most months we lean toward the audit and compliance related components in this column. However, privacy is a very important issue for all institutions to consider and a concept that is ever evolving due to massive changes in technology over the past few years. Therefore, I have asked Kristin Roberts, a compliance manager who frequently deals with privacy concerns for OACP, to weigh in on this topic.

*********************************************************************************

Data Privacy Day is observed annually on January 28. The National Cyber Security Alliance aims to raise privacy awareness and education to inform consumers that they have ownership of their online presence, and to help organizations understand how privacy is good for business.

Last year the GDPR, the European Privacy Law, changed the privacy landscape around the world. The law gives individuals in the EU control over their personal data and requires companies processing European personal data to comply with the law. Google, Facebook, Marriott, and British Airways, among others, have all been assessed fines in the millions of dollars for violations of GDPR. The fines imposed demonstrate that the EU will enforce this protection of fundamental rights.

Similarly, the California Consumer Privacy Act went into effect this month requiring companies to be transparent about the data they collect from users and how they use it. Companies must also provide users with the option to prevent their personal information from being sold. California is leading the way for other states in the U.S. to create or enforce privacy legislation and opens the door for a potential federal, U.S.-wide, data privacy law. This trend is shifting the world's view of privacy toward a more consumer-protection, individual-privacy-rights mindset.

With technology all around us in our everyday lives, we tend to become desensitized to privacy notices and freely share our personal information or click "ok" without really understanding the implications. In this increasingly data-driven world it is even more imperative that we be diligent about protecting our privacy. As institutions of higher education, we have a responsibility to protect our customers' information and their privacy rights, in addition to complying with current and future laws.

Here are some key privacy practices to help you prioritize protecting your customers' data and prepare for advancing privacy laws:

  • Make sure you need it before you collect it. Does the application or process under consideration need to collect or store confidential information? For example, if an application contains a unique student identifier, it likely does not need their Social Security Number also. Just because an application or form has a field for a piece of information, it does not mean that the process requires it.
  • If you collect it, protect it. Once a decision is made to collect data, there must be a plan in place to protect this data from unauthorized access and release. University policy (in addition to various Federal and state laws and regulations) will often speak to the requirements to store and/or share information. For example, the Family Educational Rights and Privacy Act (FERPA), as well as University policy, address when, and by whom, student directory information may be released.
  • Be open and honest about your data collection, use, and sharing practices. Clearly communicate to your customers how you collect, use, and share personal information, and give them an option to opt out or decline to use the service or application if they don't agree. If information is collected for a specific stated purpose, it should only be used for that purpose.
  • Follow your institution's data classification policy or data storage matrix. A data classification policy specifies levels of potentially sensitive information and how each class of data should be stored and accessed to ensure the appropriate level of security. For example, operational data, such as internal emails, may not be confidential, but should not be shared publicly without authorization.
  • Create a culture of privacy. Emphasize to employees the importance of privacy. Just because an employee has authorized access to a dataset of student information does not mean the employee should peruse this dataset and look up information about acquaintances. Confidential data should only be accessed when there is a job-related need to access the information.
  • Conduct due diligence and maintain oversight of partners and vendors. The decision to store University data with a third party or in the cloud should only be made by individuals with University contract authority, and only after careful evaluation of the vendor's security posture and contractual obligations. Have a contract in place that ensures the partner or vendor adequately protects the data and is held accountable if they do not.

Similarly, you should also update your own privacy settings. Check the privacy settings on your personal devices and online services. Limit what you share publicly or with the provider and consider deleting or requesting deletion of certain personal information. Enable two-factor authentication whenever available. See https://twofactorauth.org/ for a list of websites and apps that support 2FA.

Importantly, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) just released Version 1.0 of the Privacy Framework, a tool to help organizations better identify, manage, and communicate privacy risks in order to protect individuals' privacy while still providing innovative products and services. Read the Privacy Framework V1.0 for guidance and best practices to implement at your institution to proactively reduce risk related to the collection, storage, and transmission of confidential and sensitive data.

Kristin Roberts
Compliance Manager

*********************************************************************************

Thank you, Kristin. We must remain vigilant with respect to protecting our data along with the many other issues in higher education. We again invite you to review the events from the prior month with a view toward how you can proactively manage risk.

Last Updated: January 22, 2020