While many readers may not be familiar with the International Standards Organization, the rigorous formal standards established by this UN-sponsored body form the backbone of data security best practices in large organizations everywhere. Collectively the standards are known as the ISO 27000 family. American colleges and universities in particular, which are busily outsourcing many key online services to outside cloud providers, would do well to pay close attention to the newest member of this family, ISO 27018, which sets out best practices for personally identifiable information (PII) held in the cloud.
ISO 27018 is the first international standard for privacy practices. Published in July 2014, the standard warrants the full attention of higher educational institutions as they consider the procurement of cloud services.
ISO 27018 provides clear rules, transparency and accountability for privacy practices. The standard prohibits providers from mining enterprise data for marketing and advertising purposes or unauthorized commercial uses. Colleges and universities control their data, making the nexus between the provider’s business model and technology transparent. Accountability for data breach notification clears up the uncertainty of responsibility that often remains unanswered until a crisis forces resolution – usually at the institution’s expense. Annual audits align with technical security standards. Consequently, ISO 27018 takes the guesswork out of risk management for privacy rules, procedures and practices in cloud computing contracts.
Larger significance lies in the fact that it saves individual colleges and universities from the “one-off” game of contract negotiation. As many enterprise contracts in higher education stand now, those contracts frequently include security standards. ISO 27001, a technical security standard, trips off the drafting pen easily. With respect to privacy, however, provision after provision of the contract that follows spells out the rules that 27018 already covers in its entirety. And for those institutions that do not have the benefit of NET+ or other model contracts for cloud computing, this standard leaps beyond the contract negotiation learning curve, often a luxury that many small liberal arts colleges cannot afford because they do not have the resources to hire attorneys with the requisite knowledge or experience.
Finally, ISO 27018 tackles the key privacy question facing higher education cloud computing today: the uncertainty about what vendors are doing with institutional data. At worst, the rules protecting institutional information (including student data) are out of date; at the very least, the rules are murky. Some education technology vendors, whether they offer basic services such as email and storage or more sophisticated programs that track an individual student’s learning progress, are taking advantage of this legal twilight. If the fact of student profiling and the misuse of institutional information is not alarming enough, the absence of rules protecting that information in the future elevates the concern. Who will own it? What will they do with it? Could student profiles be sold, or hacked, and then used for purposes far more nefarious than even those of advertising and marketing in the commercial world? Moreover, these standards address the emerging concern of “intellectual privacy,” or the privacy that scholars need in order to think, work and do research autonomously and without the chilling effect of consumer surveillance. Therefore, adopting the ISO 27018 standard as the threshold for doing business goes a long way toward addressing both the information privacy needs and the desires of higher education.