Security

Universities need a privacy refresher course

You might assume e-privacy is a sacred trust within academia, but attorney Eric J. Sinrod says that's hardly the case.

Unbelievable but true: While most higher educational institutions engage in e-commerce, most also engage in practices that present potential privacy risks--and less than 30 percent bother posting privacy notices on their home pages.

When it comes to privacy, universities and colleges need to go back to school.

Bentley College and Watchfire, a company specializing in online risk management, just surveyed 236 institutions on their online privacy policies. The list was culled from universities and national liberal arts colleges appearing in the 2004 U.S. News and World Report ranking of America's best colleges.

This survey is timely, as most educational institutions use the Internet to process electronic admissions applications. They also engage in other types of e-commerce transactions, such as the online sale of athletic tickets, alumni donations over the Internet, and the sale of textbooks, clothing and other items online. With a growing number of universities and colleges suffering data breaches, the need for privacy attention clearly is heightened.

The survey contains a number of key findings. Among the highlights:

•  Practically 100 percent of doctoral universities and liberal arts colleges had at least one data collection form on a Web page without a link to a privacy notice.

•  Almost 100 percent of doctoral universities and liberal arts colleges had at least one data collection form that used the GET method to submit data, which poses identity theft risks because sensitive information is stored in Web server log files that can be accessed under certain circumstances by hackers. (The GET method refers to a form submission where the form input consists of a query string which is appended to the URL of the requested page.)

•  A full 100 percent of doctoral universities and liberal arts colleges had at least one non-secure page with a data collection form.
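The three form checks behind these findings can be reproduced on a site's own pages. The following Python is an added example, not part of the original article or the survey's tooling; it assumes a privacy notice link is any anchor whose href or text contains "privacy", and the URLs and HTML in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAudit(HTMLParser):
    """Collect the forms and privacy-notice links on one HTML page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms = page_url, []
        self.privacy_link = self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults to GET when the method attribute is omitted.
            method = (a.get("method") or "get").strip().lower()
            self.forms.append((method, urljoin(self.page_url, a.get("action") or "")))
        elif tag == "a":
            self._in_anchor = True
            self.privacy_link |= "privacy" in (a.get("href") or "").lower()

    def handle_endtag(self, tag):
        self._in_anchor = self._in_anchor and tag != "a"

    def handle_data(self, data):
        if self._in_anchor and "privacy" in data.lower():
            self.privacy_link = True

def audit(page_url, html):
    """Return [(form action URL, [issues])] for every form on the page."""
    page = FormAudit(page_url)
    page.feed(html)
    results = []
    for method, action in page.forms:
        issues = []
        if method == "get":  # field values end up in the URL and access logs
            issues.append("get-method")
        if {urlsplit(page_url).scheme, urlsplit(action).scheme} != {"https"}:
            issues.append("non-secure")  # page or submission not over HTTPS
        if not page.privacy_link:
            issues.append("no-privacy-link")
        results.append((action, issues))
    return results

# Constructed sample page, not taken from any surveyed site.
PAGE_URL = "http://www.example.edu/admissions"
SAMPLE = """<form action="/inquiry"><input name="email"><input name="student_id"></form>
<form method="POST" action="https://secure.example.edu/give"><input name="card"></form>"""
if __name__ == "__main__":
    print(audit(PAGE_URL, SAMPLE))
```

The first sample form is flagged on all three counts because it omits the method attribute; the second posts to an HTTPS endpoint but is still served from a non-secure page.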

The survey analyzed the content of 65 privacy notices that were linked from home pages of schools in the sample. This analysis revealed:

•  63 percent contained a statement defining the scope of the privacy notice.

•  66 percent contained contact information relating to privacy concerns.

•  20 percent contained a statement about how changes to the notice are handled.

•  85 percent described whether the site collects personal information.

•  Not a single one of these sites displayed a privacy trust seal.

Of the 51 schools that disclosed in their privacy notices that they collect personal information:

•  49 percent disclosed what personal information is collected.

•  90 percent reported how they use personal information.

•  59 percent described in the privacy notice how their sites use cookies or Web bugs.

•  53 percent explained whether the schools share personal information when required by law.

•  53 percent reported in the privacy notice whether they share personal information with third-party affiliates.

•  33 percent described in the privacy notice how users could access their own personal information.

•  61 percent made a statement about how their sites protect personal information.

Unfortunately, the results of this survey suggest that online privacy still is not a true part of the mission of higher educational institutions. Obviously, universities and colleges need to learn how to protect privacy interests on the Internet. Not only is this the right thing to do from a current data protection standpoint; it also sets the right example for students who someday will graduate to become leaders of this country.