Last week undergraduates at Harvard University raised concerns about the institution handing over their data to an anti-affirmative action group as part of a lawsuit. Students for Fair Admissions, which is suing the university for allegedly discriminating against Asian American applicants, will have access to “academic, extracurricular, demographic and other information” from all undergrads who applied to Harvard between the fall 2009 and spring 2015, omitting names and Social Security numbers.
Protecting student information is increasingly challenging in an era when learners leave digital footprints of nearly all of their academic and extracurricular pursuits. Now universities, the overseers of student data, are charged with the double task of keeping that information safe and also protecting student privacy. The two can be at odds.
“Universities need to provide students the freedom to explore ideas without the concern that they’re being monitored. That’s important in an academic environment,” says Lisa Ho, campus privacy officer at the University of California, Berkeley.
She and her colleagues are currently addressing an issue with Piazza, a company that provides an online conversation forum for classes. Berkeley students and faculty like using the platform, Ho says, but Piazza has been monetizing student information by providing it to recruiters. The situation, which the university is working to resolve, highlights the messy work of understanding how third-parties use student data.
Universities used to handle student information in house, but now they work with so many providers that it’s hard to manage who has access to what, says James Litton, CEO and co-founder of Identity Automation, a software company that provides identity management solutions for a variety of industries. “Too many people have access to too much data too much of the time,” he says.
Some institutions have turned to solutions like Identity Automation’s to control and streamline how data flows within and outside the university. The company’s software can be used to manage who gets to see what data, allowing a help desk employee to access student enrollment records but not financial aid, for example.
“Universities are going to have to start selling students on the notion that they’re doing all that they can to protect their data,” Litton says.
Threats to student data privacy existed long before the internet. The FBI under J. Edgar Hoover infiltrated Berkeley student groups to counter communism in the 1960s. Around the same time, the CIA manipulated the National Student Association for intelligence gathering in other anti-communism efforts. But the privacy issue is more acute now that the amount of student data in cloud-based systems has grown exponentially and is more widely dispersed.
Similar to the way in which Google and other tech companies field government requests for user data, universities sometimes have to respond to student data inquiries from national agencies. For Ho and her colleagues at Berkeley, that raises points about not just what student data to collect, but how long to hold onto it. “If you have a requirement from national agency to turn it over, you can’t create rules or policy or procedures to deny that,” she says.
In 2015 Berkeley became the first college in the U.S. to issue a transparency report about government requests for student data. The report provides statistics on the number of requests for access to the private electronic communication of students, faculty and staff, as well the number of requests the university granted and an explanation of why.
Will Dammann, a senior at the University of Minnesota, is a supporter of the student unit record—a proposed federal database to track students as they move through college and into the workforce. The idea is to share more accurate information about student performance, such as how much money students make five years after they graduate, to allow for more transparency and accountability in higher education.
The University of Minnesota wasn’t as obvious of a choice as it should have been, says Dammann, who didn’t have to take out any loans to enroll. He was planning to attend a private college, where he would have had to borrow $60,000. “I looked at my loan situation and ultimately on the very last day I decided to enroll at the University of Minnesota. I’m very grateful for that,” says Dammann, who’s studying human resources and industrial relations and will graduate in the spring. “I’m sure I would have still been happy at the private institution, but I bet I would have had a lot of regrets when I left school.”
Damman says he hopes that a student unit record system will allow for other students to make smart decisions about how to spend their money on higher education. Still, he says he wouldn’t want anyone other than the government having access to student outcome data.
At Berkeley, Ho says data privacy and security experts evaluate all of the contracts between the university and outside companies to determine how student data will be used. Earlier this year the UC system—and Berkeley in particular—came under fire from students and faculty for monitoring digital patterns of digital traffic to its websites. Ho says she and her colleagues are currently validating that the monitoring Berkeley doing is necessary and appropriate.
“Just because we can do something—and it’s fantastic what we can do—with our data, it doesn’t necessarily mean that we should or want to be doing those things with that data.”