A new study published Wednesday by the National Association of Student Personnel Administrators and the think tank New America revealed that college students want to be more involved in planning the safety and security of their own personal and educational data. Funded by the Bill and Melinda Gates Foundation, the study surveyed 18 college students during the 2020 fall semester, also finding that students generally trust their schools to keep their data safe, even during virtual semesters conducted remotely during the COVID-19 pandemic.
Students were asked if they were comfortable with colleges collecting their data — including location, demographic, financial aid and academic information — as well as data not traditionally collected by universities, such as information from social media, Zoom recordings and mobile contact-tracing apps. Despite students largely desiring more transparency around data collection as a whole, the results were promising for institutions, the study showed, with students sharing that they trusted their universities to handle their data more than any other private company that they use, including social media companies like Facebook.
“I would definitely say I’m less concerned about my institution collecting data,” one student told researchers. “Because they generally don’t ask for data a whole lot of the time, besides what they get from, like the basic application type stuff. And I think the [Family Educational Rights and Privacy Act] just makes me feel better, because it’s like federal law. And as a student in higher ed who has worked in very FERPA protected areas, it’s very much like, FERPA is a big deal. Institutions are really, in my opinion, going the extra mile to protect student data.”
Protections like FERPA soothed some students’ concerns about their colleges collecting and storing their personal data, but a lack of transparency around when student location, demographic and health data is deleted raised questions for others. Students “do not want to feel surprised as to why an institution knows that they identify within certain demographic groups,” the report said, and some students claimed that kind of data collection could limit their own opportunities on campus.
“You don’t want to have it so it’s like, ‘go to these events because you’re Black,’ or ‘go to these events because you’re Christian,’ because then it can kind of limit the amount of growth that you can have and the types of people you’ll get to meet on campus,” a student said during the study.
Though not every student was familiar with their institution’s data-collection policies, those who raised concerns have good reason to do so. At the onset of the pandemic last March, colleges had to quickly transition thousands of students to remote learning, creating more opportunities for malicious actors to threaten the security of their digital systems. Dozens of schools, including the entire California State University system, Michigan State, the University of Notre Dame, the University of South Dakota and the University of Utah, were hit by cyberattacks last year. And just weeks ago, a cyberattack on Colorado University conducted through a third-party service revealed personally identifiable information of students and employees.
Ransomware attacks on universities doubled between 2019 and 2020, according to a report published last month by the cybersecurity provider BlueVoyant. Though ransomware attacks on higher education are becoming more lucrative over time, according to that report, the NASPA and New America researchers said a co-development approach to data security — in which colleges and students work together to develop policies — will make both parties feel more confident in their plan.
Jill Dunlap, the director for research and practice at NASPA, told EdScoop that setting up a system for greater data transparency could be relatively straightforward.
“Could campuses just tell students ‘hey, here’s who we work with, here’s how your data’s used and here’s a website you could go to if you’re interested in learning more?’” Dunlap said.
One specific finding of the study was that students requested universities not collect any data from their social media profiles, citing an expectation of personal privacy there. And when institutions are procuring software, students said, they should consider building or managing their own applications, rather than relying on third parties that students are unfamiliar with. And in communicating school policies with students, colleges should treat them like adults with clear, two-way messaging, rather than post-incident apologies, students said.
“This report provides a really unique opportunity for institutions to take a proactive look at how they provide that information to students,” Dunlap said. “So you don’t have to wait until there’s some sort of demand made on you as a campus administrator that you could put up a transparency page around.”