Takeaways
- Higher education institutions have unique data privacy and cybersecurity challenges, including cross-border data transfer requirements.
- Institutions are subject to increased regulatory oversight.
- Assessing current data privacy and cybersecurity processes, data maintained, and data shared across the institution and with third parties can help ensure compliance with varying legal requirements.
Article
Higher education institutions face unique data privacy and cybersecurity challenges. They are at the forefront of technological and research innovation and have become an increasingly attractive target for cybersecurity threats as a result. Additionally, colleges and universities have faced increased regulatory oversight, including global regulatory requirements on data privacy. In light of the challenges, institutions may want to consider how they are positioned on five critical privacy and cybersecurity issues.
1. Cross-Border Data Transfer
Educational programs frequently are subject to cross-border data transfer restrictions. These regulations can impact international campuses, visiting faculty, study abroad programs, and the sharing of research data. Administrators should consider establishing clear policies for potential international data sharing that incorporate the interplay between U.S. and relevant international requirements, such as the recently enacted Department of Justice Data Transfer Rule, the EU General Data Protection Regulation, and the Personal Information Protection Law of the People’s Republic of China.
2. Artificial Intelligence Literacy
Although the use of artificial intelligence (AI) in academia presents many opportunities, institutions must also ensure policies and processes are in place to prevent potential AI misuse. The increasing legislative focus on AI, such as the recent requirements of the EU AI Act and varying state legislation related to deepfakes, further highlights the importance of processes for compliance. Institutions should consider implementing or adopting privacy policies that incorporate the use of AI. Administrators could also consider implementing training programs on AI literacy across their institutions.
3. Website Tools, Location Data Tracking
The use of location-tracking technologies by higher education institutions has grown rapidly, driven by such goals as campus safety, attendance monitoring, and resource optimization. These technologies range from ID card swipes and Wi-Fi triangulation to mobile apps that track student, faculty, and employee real-time locations, and, in some cases, patient data for medical institutions. However, their deployment raises legal and privacy concerns. For example, the California attorney general announced an ongoing investigative sweep to emphasize compliance with the California Consumer Privacy Act. Administrators should consider developing a program that limits data collection to what is necessary for legitimate institutional purposes and regularly reviewing location-tracking policies and procedures to ensure compliance with global regulatory requirements.
4. Cybersecurity Threats
Institutions are increasingly susceptible to cybersecurity threats, including data breaches, phishing campaigns, ransomware attacks, and related third-party vulnerabilities. In addition to the cost of implementing remedial measures in response to cybersecurity incidents, the threat of large-scale privacy litigation is a growing concern for institutions navigating the cybersecurity landscape. Additionally, global and national legislation imposes ongoing obligations on institutions to safeguard sensitive data and establish security programs. These obligations can vary by jurisdiction and industry. Institutions may want to implement and routinely update policies and procedures regarding data collection, data safeguarding, and incident response.
5. Third-Party Risk Management
Higher education institutions often rely on third-party vendors for services ranging from leave and benefits management, learning management systems, research, and dining services to healthcare. Many educational technologies store student data, research information, and institutional records in cloud environments outside direct institutional control. Proper contractual safeguards help institutions retain appropriate control over how this data is collected, processed, and maintained. Institutions may want to consider implementing formal vendor assessment processes, including specific security and privacy requirements in contracts, conducting regular security reviews of critical vendors, and developing contingency plans for vendor security incidents.
* * *
Higher education institutions must be mindful of the increased demand for automated tools in employment-related decisions, the evolving regulatory requirements globally, and the potential impact of cybersecurity threats. Institutions may want to assess their current data privacy and cybersecurity processes, data maintained by the institution, and data shared across the institution and with third parties to ensure compliance with varying legal requirements.
Please contact a Jackson Lewis attorney for assistance with data privacy and cybersecurity compliance.
© Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.