The Cavalier Daily
Serving the University Community Since 1890

RASHID: U.Va.’s new privacy policy should be welcomed — and expanded

The University is in the process of adopting a comprehensive privacy policy for all its students, and its implementation comes just in time as data breaches continue to rise

Privacy is not merely a technical shield against data leaks or hacks — it is a baseline human right that shapes how students learn, organize and speak.

In their September meeting earlier this year, the Board of Visitors’ Audit, Compliance and Risk Committee laid out a promising new proposal through which the University will retire its patchwork of discretionary privacy rules and replace them with a single, comprehensive privacy framework. This step forward is significant for all stakeholders at the University — after all, elevating privacy from scattered provisions to a coherent, enforceable framework is more than administrative housekeeping. Rather, it is a substantive step toward safeguarding student autonomy in an era when it is most at risk. 

Higher education is a prime target for data breaches — second only to healthcare — and incidents cost millions while exposing students to safety risks. That risk is extended to U.Va. Health, where data breaches can threaten patients’ safety. Prior to the recent changes, the University had relied on many narrow, piecemeal rules that differed across different departments — PROV-005, for example, covers how course recordings are used — but there has not been one clear, University-wide standard for handling data. This has created a patchwork where thousands of employees and part-time workers touch sensitive information without a unified standard. 

Add in an ecosystem of third-party contractors and vendors with weak internal rules that cancel out the value of choosing secure partners, and you have a disaster waiting to happen. The best example of this in recent memory is the WahooEats app. Now completely shut down, the app was alleged to be insecure with students’ information. That is the consequence of having no single standard across Grounds when hiring vendors.

Ambiguity of federal and state legislation compounds this issue. Currently, the University sits under slim legislation. Federally, the Family Educational Rights and Privacy Act governs access to education records, but it has not been meaningfully updated since 2011 — and it still does not spell out what technical standards of encryption schools must use. In Virginia, the Consumer Data Protection Act largely sidesteps public institutions so it does not fully apply on Grounds. At educational institutes, Virginia’s Student Online Personal Information Protection Act limits data sharing with outside parties, but the language lacks any technical provisions, and its application has remained spotty. All of this suggests that the laws protecting students’ data are outdated or lack clear rules, leaving too much uncertainty for how our data is stored.

This question of data storage is particularly high stakes in the current political climate — this summer, the Internal Revenue Service announced that they would expand data sharing with immigration authorities, stoking fears that the tax data linked to the Free Application For Student Aid could become a back door to immigration enforcement. Schools must clearly be firewalled from immigration enforcement — education must never rely on a person’s status, and a campus must remain a haven of safety for those pursuing academia. Companies like Pearson have faced data breaches as recently as March of this year. This makes it painfully more evident that we need effective privacy protection at the University, and we need it now. 

Standout institutions on the metaphoric cutting edge of data protection include the University of California system, which does not rely on just department-by-department rules. Instead, they set a university-wide baseline standard for privacy. Moreover, they require outside parties to prove data privacy and publish plain-English guidance so students and staff understand the rules. This combination is the kind of lead the University must follow.

The plan from the September meeting does just that. It pulls the various, disparate pieces of privacy protections at the University together by aligning with TrustArc’s 13-point plan, a set of practical guidelines from an outside firm that helps organizations handle data while complying with legal requirements. The new changes provide a solid framework to demonstrate compliance with regulatory standards and the tasks completed to meet them — as opposed to a no man’s land of internal bureaucracy that may delay action. Nevertheless, a key vulnerability remains. 

Following the September meeting, the University published a website sketching the initiative’s goals. However, the site is more scaffolding than substance — useful for signaling intent, but light on the details which would give students a look at what policies are being put into action on Grounds. A unified standard clarifies responsibilities, curbs arbitrary decision making and helps students understand how their information is collected, stored, shared and protected. But that only works if students and other stakeholders have the tools with which to understand their privacy rights and protections. In short, students need clear, concrete explanations of how their data is stored, safeguarded and used. The devil is not in the lack of values, but in the lack of practical details.

The University must treat the new framework as a starting gun, not a victory lap. Students want protection, but often are not aware of their rights. The University can address this by introducing recurring privacy education for everyone, especially for student part-time workers and employees. It should also adopt explicit data-governance rules — covering technical requirements — and publish them in clear language for student understanding. Contracts with vendors should also focus on language that explicitly forbids the sale of student data to other third parties. Moving quickly on these specifics is not bureaucracy — it is a values test that the University should want to pass. 

Muhammad Ali Rashid is a senior columnist for The Cavalier Daily. He can be reached at opinion@cavalierdaily.com.

The opinions expressed in this column are not necessarily those of The Cavalier Daily. Columns represent the views of the authors alone.
