Data Collection Comforts: Most Students Trust Their Colleges

The graduate students in Carrie Klein's higher education administration courses are well aware that the colleges and universities where they work collect and use data about their undergraduates. But when Klein asks them to estimate how much data they'd be likely to gather about an individual student on a typical day on campus, they're usually way off.

The day-in-the-life module lists activities a student might go through, including parking, going to class, hitting the gym, checking email, logging on to the learning management system, dropping in to see an adviser, stopping at the health center, participating in an event and using an ID to buy lunch and later get into a residence hall.

The question: How many data points were collected?

The typical response: fewer than 20.

The right answer: 40 or more.

"These are grad-level courses for folks working on campuses, and sometimes they aren't even aware of how much data is being collected, or how they can inform student success initiatives," says Klein, an affiliate faculty member at George Mason University.

In small teams and then in a larger group, her students discuss the exercise and how colleges use student information. Location data, determined by IP address at system log-in time, tends to surprise people the most, explains Klein, who's on staff at SHEEO, the State Higher Education Executive Officers Association, as a senior policy analyst.

About five years ago, she asked undergrads about personal data being collected and found these students, too, "were fairly unaware," says Klein. "Regardless of population group, we tend to underestimate what's being collected about us."

The latest Student Voice survey from Inside Higher Ed and College Pulse, presented by Kaplan, found most students are unaware of just how much data their institutions have about them, but they also are not overly concerned about it.

[block:block=176]

While four in 10 think it's important for their college to have a data privacy policy, only about one in 10 is aware of such a policy and has read it. When any privacy policy is presented, Klein notes, "How many of us blindly click just to get access to information we need?"

The 2,286 undergraduates from 120 colleges and universities surveyed tend to be more concerned about the way technology companies such as Google or Facebook, and social media or other mobile apps, handle private information. Just 14 percent are not at all concerned about privacy as related to tech companies, and 10 percent have that trust in app developers.

When asked about data their colleges likely collect about them:

• More than half of students have no concerns about how their attendance (66 percent), grades (55 percent) and enrollment (51 percent) data are handled.
• Less than half have no concerns about how their course engagement behavior data (47 percent) and financial information (46 percent) are handled.
• Eighty-five percent of students find it very or somewhat acceptable for their colleges to send alerts and reminders when assignments are due.

"Students seem less concerned if the institutional behavior can be linked to academic help seeking," says Michael Brown, an assistant professor of higher education and student affairs at Iowa State University. With Klein, Brown has researched and written about student privacy policy documents and come up with an inclusive approach to policies that govern learning analytics use. "When I interview students, they assume the institution has an ethic of care," he says. "Maybe [college leaders] don't always do the best thing, but at least they have good intentions."

In Pegah K. Parsi's experience as UC San Diego's inaugural campus privacy officer, students think, "My institution is doing good in the world. They're not monetizing my data." After a recent large data breach, students said things like, "I don't have buying power, I don't have money. What do I care that my data was breached?"

In her three-hour "privacy 101" workshops and other efforts, Parsi will explain the broader perspective of the harm that compromised data can cause, she says. Maintaining data privacy "is not just for people who have money, not just for people who are powerful, people who are whistle-blowers, people who are criminals, or people who are VIPs."

Parsi's first impression of the Student Voice data is the "huge knowledge gap for students. But it's not that different from what we see in society." When consumers don't understand, they'll express an "I'm not concerned" viewpoint.

Students may also simply not feel empowered to do anything about their concerns, Parsi adds. "It's like telling someone to handle their privacy with respect to Google. How do I push back? Can I turn down their privacy statement? Can I negotiate? No, I can't." An 18-year-old may think their entire life is already on the internet, or that the odds anyone would choose them to harm are too slim.

Have students -- who all have at least heard about Zoombombing of online classes at this point -- grown more concerned about their data since the pandemic started?

Autumm Caines, an instructional designer at the University of Michigan at Dearborn whose work has included a co-authored Educause Review article on how colleges can help students question their data privacy, hopes so. "Any time you use anything digital, you're creating more digital exhaust and a deeper digital footprint," she says. "All of that is data that can be collected, stored, hacked, leaked and misused. I like to think that students are making these connections."

Following are nine ways higher ed institutions can help students think more critically about data use and protection.

1. Communicate about any existing data privacy policy.

As the Student Voice survey found, awareness of such policies and their content is weak. Just 12 percent of respondents know of a policy and have read it. Students at two-year colleges (250 students in the survey sample, and with an average age of 25) are twice as likely as those at four-year institutions to have done so.

"If students need a scavenger hunt to know where to find the policy, [efforts] probably need a little more work," says Jennifer Bell-Ellwanger, CEO of the Data Quality Campaign, which recently developed a resource to help higher ed leaders ensure student data remain secure and are properly used to help students succeed.

Klein agrees more policy visibility is needed. "It's often just on the IT website, or institutional research website -- not where students are going frequently," she says, adding that a policy's placement is as important as the policy using accessible language.

Institutions without a clear privacy policy are behind the times, says Parsi. "It's a disservice. It's no longer 1997, when FERPA [the Family Educational Rights and Privacy Act] was probably covering the things you are doing."

2. Assemble (or strengthen) a data privacy team.

Higher ed is paying a lot of attention to privacy, particularly since the European Union's General Data Protection Regulation was adopted in 2016, but it's also a hot topic in U.S. legislative circles. Bell-Ellwanger is aware of seven current provisions and bills related to postsecondary education data. Institutions not yet focused on privacy need to catch up.

Hiring a campus privacy officer is one recommended move. Parsi, who has been with UC San Diego for over three years, is part of the Educause Higher Education Chief Privacy Officers Community Group. She has gotten the sense that institutions employing an administrator with her title are often "still in the evolving stages, where somebody found the need for a privacy officer and then slapped that hat on someone whose role was something else," she says. University counsel and records retention leaders often become the someone. That reality makes sharing across institutions, such as in the Educause group, especially crucial. "We all literally steal from each other," Parsi quips.

At the University of Michigan and elsewhere, many people across the institution are involved in student data privacy, but including a chief information security officer on the team "allows for these units to collaborate together and have that common voice," says Ravi Pendse, vice president for information technology and chief information officer. Sol Bermann, Michigan's CISO, "works in close partnership with me to ensure that we are sending a consistent message: 'We take your privacy seriously. We respect your data and are going to be good stewards of your data,'" says Pendse. An advisory council, which includes students, works to help ensure new technology rollouts include details about data privacy impacts, he adds.

"It's kind of a special breed of people who can understand the teaching and pedagogy side, the tech side and the ethical and legal side [of data privacy]. You need a unicorn."

--Autumm Caines, University of Michigan at Dearborn

Caines sits on a privacy group at Dearborn that has representation from her teaching center, IT and the library. "It's kind of a special breed of people who can understand the teaching and pedagogy side, the tech side and the ethical and legal side," she says. "You need a unicorn." Her group is in the process of developing a pamphlet for the campus community on data privacy, including advice for faculty on keeping terms of service in mind when adopting new tech tools for use in courses.

3. Ensure you have data about your data.

Parsi's first steps in her new role involved "figuring out everything we're doing with student data," she says. After that general inventory was complete, her team could move toward more transparency and choices about data collection and use.

When Pendse began work in his role at Michigan in 2018, he "started asking questions as simple as 'where is our data?'" he explains. "It was a loaded question. Some data is centrally available; other data is dispersed across campus." Data analytics and use are very important to supporting instruction, and his team knew that building data transparency and trust would be required in that endeavor. This year, with input from focus groups and panel discussions, they launched the ViziBlue Student Data Dashboard to give students information on what types of data, across eight categories, are collected on them and how they are used and shared.

It's just the kind of tool one survey respondent, at a private university in North Carolina, would probably appreciate. "I don't know where I would look to find out what [my university] collects from me," wrote the student, who expressed concern about internet search history and unencrypted website use data.

4. Allow data use opt-outs.

The Take Action section of each ViziBlue category allows students to view their personal data and, in some cases, opt out (or in). For example, website users can opt out of their data being used by Google Analytics.

Parsi is working to standardize the opt-out process at UC San Diego, and initial stages of any project involve discussion about whether it's mandatory and if there are parts where people can make choices. "Where it makes sense, let's give them the option," she says.

"Students should feel empowered to take ownership of their data, especially in understanding how it's being used for their education experience," says Bell-Ellwanger of DQC. That includes what's being used within the institution plus what a third-party vendor can access.

Brown of Iowa State believes students should have the chance to proactively enroll in early-warning systems, even though most would "enthusiastically embrace" the benefits of this technology. "People respond better to nudges when they know they're going to get nudged," he says. And if a third-party provider isn't willing to configure its product so that users can control their representation, he adds, maybe that product isn't needed.

5. Aim high on data privacy policy development.

When Brown and Klein studied institutional privacy and data policies, they found antiquated conceptions of data as static records, little regard for how third parties might use or commercialize student data, and language that doesn't clearly communicate student rights or institutional responsibilities, as they explained in their article on how to govern learning data.

"Transparency doesn't always mean a 20-page paper," says Parsi. "That's like privacy by obscurity." Instead, she prefers privacy policies that are clear, meaningful and not filled with legalese.

UC San Diego includes students on data subcommittees, such as one that's creating guidelines about student data in research, answering questions such as whether a researcher can use a class list to recruit study participants or send a survey to the entire student body.

Students need data privacy education, "but this isn't meant to be a paternalistic kind of thing. Half the time the high-level administrators need to be educated about it as well."

--Pegah Parsi, UC San Diego

Subcommittee participation involves becoming more educated about data. Students need that, "but this isn't meant to be a paternalistic kind of thing," Parsi says. "Half the time the high-level administrators need to be educated about it as well."

6. Ensure questions get answered.

Students should know, from reading a privacy policy as well as more directly from educators and staff, whom they can turn to with questions.

Since, as Klein notes, "it can be daunting for students to reach out," any faculty or staff member they trust enough to approach should be able to help them find out more.

A college whose leaders feel confident their workforce has been educated about data privacy might develop a privacy champions program, embedding the area into every unit through a touchpoint person, says Parsi, adding that her institution and many others aren't there yet. "Even in privacy officer roles, we are still learning. The landscape changes so rapidly, I'm going to have to look up the law like everyone else."

Staff in IT, the registrar, student affairs and student success areas must especially be prepared to field data questions, Brown says.

7. Educate early and often.

Orientation may seem like a good time to introduce privacy policy and practice, but experts advise caution. "I worry about it being crammed into an orientation, another 15-minute talk you sit through," says Caines. "This area runs the risk of becoming a box that gets checked."

She and others suggest folding discussion about data collection, use and choices into a first-year seminar course. At Iowa State, Brown could envision the topic becoming part of its one-credit introduction to the library course, where "you're talking about information literacy anyway."

Messaging at Michigan is multimodal, with video, social media content and events (such as a screening and discussion of the documentary The Social Dilemma), says Pendse. "We don't miss an opportunity to engage people on privacy and security. We want our students to be informed leaders."

During Parsi's privacy workshops, open to the campus and broader public, participants seem highly engaged in her comparison of the privacy and environmental movements. In the early stage of the environmental movement, individuals questioned how one person changing behaviors could actually make a difference, particularly given that the burden of changing one's behavior was immediate while the outcomes and benefits would not be felt for decades, she explains. Tackling the "data issue" may seem insurmountable -- and very inconvenient -- for a single individual, but a single student with knowledge and a question could wind up shaping a university's work on data privacy for years.

Student Voice survey respondents expressed concern about location tracking based on Wi-Fi connections on campus and about biometrics being used for access to campus resources. In addition, only one in four students thinks it's OK for colleges to track the websites they visit while on campus Wi-Fi. So these areas may be ones to focus on in education initiatives.

"There can be real value in [biometric technology]," says Bell-Ellwanger. Survey respondents may have found it less acceptable because it's new and unfamiliar.

As one student from a public university in Colorado put it, "Collecting biometrics to allow access to things seems a little sketchy. My main concerns would be how they kept the data, that they don't sell the data, that the data stays on a very secure server and that the data is only accessed when required by law or by need of some other system in the network."

One Texas public university student sees no gray areas on this sort of data. "I don't want to be tracked in any form," the student wrote. "It's not their business to know where I am or what I'm doing or if I've been vaccinated." (Sixty percent of respondents, however, believe it's at least somewhat acceptable for their college to know their COVID vaccination status.)

8. Consider data privacy statements on course syllabi.

Klein's students at George Mason can't miss the privacy statement included on the syllabus. It begins with an explanation of her commitment to protecting their privacy by using only university-approved course technologies and adhering to FERPA guidelines through limiting student data use to legitimate educational purposes. She asks students to commit to three basic standards to protect their peers' privacy as well as their own, and then suggests they consider five questions about how their personal data are used and protected by the institution. Finally, the statement invites students to reach out with any questions and ends with a promise to help find answers to questions she can't answer fully.

The idea came from Caines's Educause Review article, which laid out a sample syllabus privacy statement developed collaboratively by about 40 attendees during an ed-tech conference session. "Having a privacy policy for institutions as a whole takes resources. You need educated people to talk about the laws and put it together," says Caines. Including a syllabus statement would require faculty to take some time to educate themselves about privacy law but seems manageable. "It's about getting the student to question who has your data and how it is stored," she says. "The focus is on the questions, not the statement."

The underlying goal is helping to create active, engaged citizens of society, Caines says. If a syllabus statement doesn't seem quite right, she suggests that instructors embed discussion about privacy within assignments. Such content could be a natural fit for courses in computer science, about the internet or technology in society, and in cybersecurity programs, she adds.

At UC San Diego, says Parsi, an entire English course was built upon privacy-related readings, and each quarter she's invited to lecture in a business school course for future CPAs. "It fits in to so many things."

9. Choose technology and tech partners wisely.

Only one in four Student Voice survey respondents finds it acceptable for colleges to share data about them with third parties like education-related companies. And several commented with concerns over institutions selling their personal data to third parties for profit. Colleges and individual professors are, however, thinking more critically about student data privacy when selecting tech tools.

At Iowa State, faculty members looking to use a new application or tool in a course must send IT information about where it's going to be used, by whom and for how long, plus how the developer collects and stores user data, says Brown. "Working with a company that won't make the technology transparent should be a red flag."

The DQC's new privacy resource advises higher ed leaders and educators to ensure vendors and contractors understand and adhere to institutional data privacy policies and procedures. "We think this is an area that needs to be unpacked quite a bit," Bell-Ellwanger says.

The college often ends up with negotiation power, explains Parsi. "Sometimes we're the big fish dealing with a small shop out of the garage." Yet she acknowledges that colleges don't generally have enough resources to evaluate every single thing for risk, and "privacy questions might go unasked and unanswered." She will look for areas truly in need of further review, such as when sensitive data are involved or the provider would be creating a profile behind the scenes about somebody and potentially sharing or selling the data.

Brown says he's aware of institutional agreements with TurnItIn and Proctorio that vary in terms, with some colleges prohibiting the companies from collecting student data.

Caines has been looking at fourth-party relationships, or partnerships between two vendors. Michigan strongly recommends instructors not use remote proctoring, but a major textbook provider had partnered with an online proctoring provider, meaning everyone with a textbook from that publisher automatically had proctoring as well. "It was a shock to me and other learning designers," says Caines, who co-wrote a blog post about it. "Vendors talk to one another and nobody at the institution knows."

Providers, meanwhile, are unlikely to be shocked about agreement negotiations. "As they've done business with more higher ed customers, these things come up," says Pendse. "Most in the industry are expecting to have that conversation."