Everyone in our community is responsible for the protection of our customers' privacy and their personal information. However, you don't need to understand the nuances of every privacy regulation currently affecting higher education to tackle data privacy issues on campus. Whether you are working on a data breach response plan, updating institutional policies, collaborating with researchers on a new project, or educating students, faculty, and staff about data privacy, consider teaming up with your institution's privacy officer(s). The privacy officer(s) will be more than happy to lend expertise and help make sure privacy, risk, and information security considerations are carefully weighed.
Know and understand your privacy policies.
- Most institutions have a standard privacy policy, statement, or notice on their website to help visitors understand the practices related to the collection, use, or disclosure of information. Two examples are Indiana University and University of California, Berkeley.
- Additional privacy statements or notices may be included in third-party contracts or services offered to students, faculty, and staff (e.g., learning management systems used for classes).
- Also consider any third-party privacy policies or terms and conditions you may have agreed to as an individual (e.g., Facebook or any other third-party services or apps that aren't officially hosted by the institution through a signed contract).
Always start with privacy.
- Include privacy in the planning phase of all new projects.
- If you don't need personal information, don't collect it. You can always ask for more information later.
- Inform your customers about why you're collecting their personal information.
Keep and use data securely.
- Keep personal information confidential and limit access to the data.
- Make sure you're only using the data the way you said you'd use it. Ensure you get the customer's consent before you use it otherwise.
- Destroy or deidentify private information when you no longer need it.
- Know your data breach response plan.