Over the last decade, the information security and privacy industry has rapidly shifted along with technological advancements. While the controls of yesteryear are often still in place to safeguard the legacy infrastructure in our environments, a new set of challenges has emerged for security professionals in the educational institutions of today. Aside from the classic focus on confidentiality, integrity, and availability of information, information security and privacy professionals must now also pay attention to the responsible use of information, trust, and transparency.
In a world driven by complex digital machines fueled by predictive analytics models and interconnected through APIs, data elements that seemed mundane and meaningless in the past can now be correlated to generate meaningful information about constituents in an organization. In a modern educational institution, intentional and unintentional data sensors are deployed everywhere across the campus, collecting data about individuals and the environment in which they operate: geolocation data is collected through WiFi access points and Bluetooth beacons, building entry and exit data is collected through campus card readers and cameras, data related to diet and exercise routines is collected through cafeterias and recreational facilities, and interaction data between an individual and the learning management system is collected through authentication logs. These data, among others, can then be correlated, enriched, and refined through predictive models to allow an institution to predict anything from student success to student health.
With this incredible capability to make sense of data at our fingertips, the question of the ethical use of these data also arises. The regulatory and legal industry is struggling to keep up with the rapid development of technology and the modern ability to process data, and has only recently started to realize the impact of mass data collection and processing. With the emergence of the EU General Data Protection Regulation and the high-profile court cases against the mega tech firms in Silicon Valley, consumers and regulators alike are beginning to take notice and action against mass data collection and processing. In January of 2020, similar to the California SB 1386 that brought data breach notification laws across the United States in the 2000s, the California Consumer Privacy Act became effective and helped to usher in a new wave of data privacy regulations being proposed across the United States. In 2019, nearly half of all states in the U.S. and Puerto Rico had new legislative proposals related to data and information privacy.
However, without concrete regulatory guidance, it is currently up to organizations to self-govern and self-regulate to ensure we are being responsible stewards of the data collected by these data sensors. As modern institutions develop capabilities to tap into the data at their fingertips, they must also take into consideration the core privacy principles that should be provided to individuals within their realm. These include notice to individuals on the collection and use of the data, choice provided to the individuals on the use and sharing of their data, access provided to the individuals for the examination of their own data, and the security, responsible use, and maintenance of the collected data. Only through the exercise of these principles can we, as institutions and stewards of institutional data, earn the trust and confidence of our constituents and safely navigate the future where firm regulations around data processing and collection are sure to emerge.