Experts in data and internet privacy said GW community members remain unprotected from potential data privacy breaches under a newly released set of “core principles” that officials rolled out earlier this month.
Bracey said the University is implementing three data privacy principles to abide by “applicable” personal privacy laws, make data policy decisions in a transparent environment and clearly communicate officials’ new policies going forward. He said the University is still considering implementing new data privacy policies, like bolstering the review and approval process for data collection programs and receiving input from student and faculty leaders on future decision-making.
“Through the careful implementation of these measures, we expect to create a more collaborative and more transparent environment that allows the University to realize the benefits of data analytics while protecting the privacy interest of our community members,” Bracey said at the Faculty Senate meeting earlier this month.
Experts in data and internet privacy said the core principles are too broad and don’t paint a clear picture of how information from other potential data collection efforts will be approved, conducted and used going forward.
Ella Shenhav – an information privacy specialist and a partner at Shutts and Bowen, a nationally accredited law firm – said she would have expected the University to have developed stricter procedures for justifying data collection efforts roughly a year after the data collection project. She said creating private data privacy policies often takes a few months to a year, so she is surprised that officials only presented three general principles by now.
“It wouldn’t surprise me that it would take some time, but having said that at the same time, this pilot started in the fall of 2021, so we’re looking at about a year now,” she said. “A year is definitely sufficient to develop those kinds of policies and procedures.”
Shenhav said her “main concern” about the core principles is that they don’t specify what type of data the University would want to collect for students, like geolocation and video information, or how they would use and store it. She said the University could divulge more information about the purpose of the original data tracking project and what they planned to do with the data they collected last fall.
“I’m curious if the school would be willing to be more transparent because they are talking about being transparent if they’re willing in their transparency efforts to actually disclose all the types of information that were collected,” she said.
Officials declined in February to say which administrators approved and managed the project and why it took them more than a month to inform community members about the project.
Rebecca Herold – the chief executive officer of Privacy and Security Brainiacs, an Iowa-based personal privacy and health care consulting firm – said GW’s website privacy notice, which outlines how officials collect certain University data, is “pretty old” compared to other companies. The notice was last updated in September 2020 and currently includes policies on how GW collects and shares data internally and with third-party platforms.
“That sounds good, that’s a very good thing to communicate, but there’s certainly no details provided within what they said in that statement,” she said.
Herold said GW should bring in an outside consultant or expert to review and assess the University’s privacy policies and produce an independent risk assessment.
“If they really wanted to demonstrate that what they did is effective, having an objective, third-party expert look at that would be something that would support that,” she said.
Herold said officials should also specify which of their services – like apps, smart TVs and surveillance cameras – are tracking and storing data about community members’ movement on and off campus. She said specifying how GW monitors students, faculty and staff would help the University abide by its commitment to be transparent about data privacy rules.
“I would hope that the policies and associated procedures are not narrowly focused on only one type of surveillance that was discovered and people were concerned with, which certainly needs to be a part of what’s covered,” she said. “But hopefully it covers the wide range of surveillance possibilities that are becoming very common on college campuses.”
“That’s something that I think a lot of organizations aren’t accustomed to,” she said. “They are accustomed to being able to have this open-ended situation where they keep data forever, and they use it for whatever, but what they need to realize is that this data really belongs to the individual and they’re still stewards of that data.”
“Even though you’re not in California, a lot of other states and a lot of other institutions around the country are using that as sort of a benchmark,” she said.
“There is a responsibility for organizations to be transparent there, but they also find ways to justify why they have that data,” she said. “Because if they have a data breach or a data privacy infraction, that’s the first thing that a regulator is going to ask them.”