Build Business-Aligned Privacy Programs for Higher Education Institutions
Embed privacy by design into your business processes and protect high-risk personal data.
- Higher education institutions have increased pressure in ensuring personal data protection for students and faculties in the new digital era, especially protecting sensitive information such as health data, biometrics data, etc.
- Privacy teams are having a difficult time conveying the legal obligations and privacy protection principles and providing actionable guidance to business partners.
- One institution may have more than one IT department. Decentralized and fractional systems lead to inconsistent policies and procedures.
Our Advice
Critical Insight
- Students are wary of privacy risks and value privacy protections. So should the leaders at the education institutions. Embed privacy-by-design principles into your business processes and data lifecycle to protect valuable personal data for students and faculty.
Impact and Result
- Establish a holistic and integrated privacy program that embeds privacy by design principles into the business processes.
- Partner with business departments by speaking a language it can understand and providing tools it can implement.
- Gain the visibility of personal data processing activities and prioritize personal data protection initiatives.
- Create privacy policies, standards and procedures that are established with respect to how information is collected, processed, shared, and protected within the data lifecycle.
Workshop: Build Business-Aligned Privacy Programs for Higher Education Institutions
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Collect Privacy Requirements
The Purpose
- Identify the driving forces behind the privacy program.
- Understand privacy governance.
- Assign ownership of privacy.
Key Benefits Achieved
Privacy requirements documented and privacy governance structure established.
Activities
Outputs
Define and Document Drivers
- Business context and drivers behind privacy program
Establish Privacy Governance Structure
Build Privacy RACI
- Data privacy RACI chart
Define Personal Data Scope
Build Risk Map
Module 2: Conduct a Privacy Gap Analysis
The Purpose
- Understand the methodology behind the Data Process Mapping Tool
- Assess risks and map out your data breach response process
- Work through the threshold assessment and DPIA process
Key Benefits Achieved
Privacy program gap areas identified
Activities
Outputs
Conduct interviews and complete Data Process Mapping Tool
- Data Process Mapping Tool draft
Compare compliance and regulatory requirements with current privacy practices of the organization
- Mapped privacy control gap areas to relevant privacy laws, frameworks, or industry standards
Identify gap areas
Review the DPIA process and identify whether threshold assessment or full DPIA is required
Module 3: Build the Privacy Roadmap
The Purpose
- Identify where high-priority gaps exist in current privacy practices
- Tie cost, effort, risk, and alignment values to each of the relevant privacy gap-closing initiatives
- Further refine resourcing estimates
Key Benefits Achieved
Gap initiatives identified and prioritized
Activities
Outputs
Complete business unit gap analysis; consolidate inputs from interviews
- Privacy Framework Tool
Apply variables to privacy initiatives
Create a visual privacy roadmap
Define and refine the effort map; validate costing and resourcing
- Data privacy roadmap and prioritized set of initiatives
Module 4: Implement and Operationalize
The Purpose
- Complete the roadmap
- Establish metrics that map to the needs of the organization
- Implement and integrate metrics into operations
Key Benefits Achieved
Privacy program roadmap completed
Activities
Outputs
Review Info-Tech’s privacy metrics and select relevant metrics for the privacy program
- Completed data privacy roadmap
Operationalize metrics
Input all outputs from into the Data Privacy Report
Summarize and build an executive presentation
Set checkpoints and drive continuous improvement
- Data Privacy Program Report document
Build Business-Aligned Privacy Programs for Higher Education Institutions
Embed privacy by design into your business processes and protect high-risk personal data.
EXECUTIVE BRIEF
Analyst Perspective
Students are wary of privacy risks and value privacy protections. So should the leaders at education institutions.
|
College students are living in environments that increasingly require regular interaction with information technology and data. Students are aware of data protection risks and take privacy seriously. Some personal identifiers, such as email addresses, can be easily replaced. But biometric information such as fingerprints and facial geometry scans are unique. Students' strong belief in the protection of sensitive personal information stems from a desire to protect themselves from privacy risks and harm that may last for the rest of their lives. With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage. Students care about their data privacy, and this concern is increasing. This leaves leaders in the education section questioning what exactly privacy involves and how to make it scalable for their respective institutes. As the general public begins to take back control over data privacy, so too should education institutions by taking a tactical, measurable approach to privacy and the business. Alan Tang |
Executive Summary
Your Challenge |
Common Obstacles |
Info-Tech’s Approach |
|---|---|---|
|
|
|
Info-Tech Insight
Students are wary of privacy risks and value privacy protections. So should the leaders at education institutions. Privacy-by-design principles should be embedded into the business processes and data lifecycle to protect the valuable personal data of students and faculty.
Relevant Legal Obligations and Guidelines
More than 130 countries had put in place legislation to secure the protection of data and privacy
Info-Tech Insight
Higher education institutions increasingly depend on online platforms related to student learning, advising, and management in order to optimize processes and deliver student services at scale. The importance of privacy and data protection is increasingly recognized. Equally concerned is the collection, use and disclosure of personal information to third parties without prior notice or consent from students and faculties.
Typical Business Processes of a Higher Education Institution
Usually, there are three types of business processes supporting the operations of a higher education institution: defining processes, shared processes and enabling processes.
Defining Capabilities
- Recruitment (Undergrad, Graduate Studies)
- Admission (Undergrad, Graduate)
- Student Enrollment (Enrollment, Financial Aid)
- Instruction & Research (Teaching & Learning, Research)
- Graduation (Graduation, Transcripts)
- Advancement (Alumni Relations, Fundraising)
Shared Capabilities
- Student Administration (Student progression, Record maintenance)
- Student Support Services (Athletics, Career Development)
- Academic Admin (Academic Year Scheduling, Policy Admin)
Enabling Capabilities
- Facilities & Property Mgmt.
- Finance Mgmt.
- Human Resources
- IT
- Legal Services
- Government, Public, and Stakeholders
- Governance, Risk, and Compliance
Privacy is all about personal data
When building a privacy program, focus on all personal data, whether it’s publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. Conversely, an effective privacy program allows access to information based on regulatory guidance and appropriate measures.
Examples of personal data include:
Traditional PII: Personally identifiable information |
Personal Data: Any information relating to an identified or identifiable person |
Sensitive Personal Data: Special categories of personal data (some regulations, like GDPR, expand their scope to include these) |
Full name (if not common) |
Enrollment status |
Biometrics data: Retinal scans, voice signatures, or facial geometry |
Home address |
Grade level |
Health information: Patient identification number or health records |
Date of birth |
Dates of attendance |
Political opinions |
Social security number |
Degrees, honors, and awards received |
Trade union membership |
Banking information |
Location data |
Sexual orientation and/or gender identity |
Passport number |
Photograph |
Religious and/or philosophical beliefs |
Etc. |
Etc. |
Ethnic origin and/or race |
Privacy and Security Are Among the Top Concerns
Privacy and cybersecurity together are the #2 issue education institutions will be facing in 2023 based on EDUCAUSE’s recent report “Top 10 IT Issues, 2023: Foundation Models.”
Source: EDUCAUSE, 2022.
Privacy Policies Are Not Fully Understood
ECAR's 2019 survey of US students found that less than half of them believed they benefited from their institution's privacy and security policies, and even fewer students reported understanding how their institution used their personal data. *
 |
*ECAR, 2019.
Transparency and Communication Are Key
Case Study:
In March 2020, in response to a proposal to adopt facial recognition for security surveillance at UCLA, students from 36 campuses protested, in person and via online petitions, against the use of facial recognition systems. The pushback from students and the community led UCLA and about 50 other colleges and universities to promise not to use facial recognition technology on their campuses.*
*Kari Paul, "'Ban This Technology': Students Protest US Universities' Use of Facial Recognition," The Guardian, March 2, 2020.
Info-Tech Insight
To foster trust and cooperation, higher education institutions should communicate how and why they collect and use students' personal information.
True Cost of a Data Breach
An industry outlook
Even with a robust privacy program in place, organizations are still susceptible to a data breach. The benefit comes from reducing your risk of regulatory compliance issues and resulting fines and minimizing overall exposure.
86% of data breach costs are associated with REGULATORY fines
Healthcare* |
Government |
Financial Services |
Education |
Estimated Cost of Exposure: $841.41 |
Estimated Cost of Exposure: $114.75 |
Estimated Cost of Exposure: $188.05 |
Estimated Cost of Exposure: $207.75 |
* All fine estimates are based on an annual turnover of US$10 million and 1,000 lost records Source: Proteus-Cyber, 2019.
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 4-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.
Guided Implementation 1: Collect Privacy Requirements
- Call 1: Scope requirements, drivers, objectives, and challenges.
- Call 2: Build out privacy ownership using the RACI chart.
Guided Implementation 2: Conduct a Privacy Gap Analysis
- Call 1: Review results of data process mapping business unit interviews.
- Call 2: Delve into the Privacy Framework Tool to identify and evaluate gaps.
Guided Implementation 3: Build the Privacy Roadmap
- Call 1: Determine cost and effort ratio of gap initiatives.
- Call 2: Build out additional privacy collateral (notice, policy, etc.).
Guided Implementation 4: Implement and Operationalize
- Call 1: Review standard privacy metrics and customize for your organization.
- Call 2: Establish and document performance monitoring schedule.
Contributors
- Amalia Barthel, Lecturer and Advisor, CIPM, CPIT, PMP, CRISC, CISM, University of Toronto
- Cat Coode, Data Privacy Consultant, Fractional Data Privacy Officer, Speaker, Binary Tattoo
- Paul Hinds, CISA, CISM, CRISC, CDPSE, Security Privacy Advisor, Northwestern University
- Mark Roman B.Math, MBA, PMP, Managing Partner, Info-Tech Research Group
- Mark Maby, Research Director for Higher Education, Info-Tech Research Group
- Mark Hoeting, Executive Counselor, Info-Tech Research Group