Experts in data and internet privacy said GW community members remain unprotected from potential data privacy breaches under a newly released set of “core principles” that officials rolled out earlier this month.
The principles include commitments from GW to clarify new privacy policy changes, abide by federal and local law, guide how GW will make data privacy decisions and determine how they will gather community members’ personal data. Experts in data privacy policy said the new principles lack details on what type of information GW might collect and how it can be used after officials gathered community members’ location data from Wi-Fi access points last school year.
Bracey said the University is implementing three data privacy principles to abide by “applicable” personal privacy laws, make data policy decisions in a transparent environment and clearly communicate officials’ new policies going forward. He said the University is still considering implementing new data privacy policies, like bolstering the review and approval process for data collection programs and receiving input from student and faculty leaders on future decision making.
“Through the careful implementation of these measures, we expect to create a more collaborative and more transparent environment that allows the University to realize the benefits of data analytics while protecting the privacy interest of our community members,” Bracey said at the Faculty Senate meeting earlier this month.
Experts in data and internet privacy said the core principles are too broad and don’t paint a clear picture of how information from other potential data collection efforts will be approved, conducted and used going forward.
Ella Shenhav – an information privacy specialist and a partner at Shutts and Bowen, a nationally accredited law firm – said she would have expected the University to have developed stricter procedures for justifying data collection efforts roughly a year after the data collection project. She said creating private data privacy policies often takes a few months to a year, so she is surprised that officials only presented three general principles by now.
“It wouldn’t surprise me that it would take some time, but having said that at the same time, this pilot started in the fall of 2021, so we’re looking at about a year now,” she said. “A year is definitely sufficient to develop those kinds of policies and procedures.”
Shenhav said her “main concern” about the core principles is that they don’t specify what type of data the University would want to collect for students, like geolocation and video information, or how they would use and store it. She said the University could divulge more information about the purpose of the original data tracking project and what they planned to do with the data they collected last fall.
“I’m curious if the school would be willing to be more transparent because they are talking about being transparent if they’re willing in their transparency efforts to actually disclose all the types of information that were collected,” she said.
Officials declined in February to say which administrators approved and managed the project and why it took them more than a month to inform community members about the project.
Rebecca Herold – the chief executive officer of Privacy and Security Brainiacs, an Iowa-based personal privacy and health care consulting firm – said GW’s website privacy notice, which outlines how officials collect certain University data, is “pretty old” compared to other companies. The notice was last updated in September 2020 and currently includes policies on how GW collects and shares data internally and with third-party platforms.
She said officials should update the University’s privacy notices, especially because they are reviewing their data privacy policy-making processes.
“That sounds good, that’s a very good thing to communicate, but there’s certainly no details provided within what they said in that statement,” she said.
Herold said GW should bring in an outside consultant or expert to review and assess the University’s privacy policies and produce an independent risk assessment.
“If they really wanted to demonstrate that what they did is effective, having an objective, third-party expert look at that would be something that would support that,” she said.
Herold said officials should also specify which of their services – like apps, smart TVs and surveillance cameras – are tracking and storing data about community members’ movement on and off campus. She said specifying how GW monitors students, faculty and staff would help the University abide by its commitment to be transparent about data privacy rules.
“I would hope that the policies and associated procedures are not narrowly focused on only one type of surveillance that was discovered and people were concerned with, which certainly needs to be a part of what’s covered,” she said. “But hopefully it covers the wide range of surveillance possibilities that are becoming very common on college campuses.”
Debbie Reynolds – the founder of Debbie Reynolds Consulting, an online privacy and technology consulting firm – said officials should specify what kind of community behavior or identity data they collect, how they will use certain types of information and how long they will store it to develop a thorough and transparent data privacy policy.
“That’s something that I think a lot of organizations aren’t accustomed to,” she said. “They are accustomed to being able to have this open-ended situation where they keep data forever, and they use it for whatever, but what they need to realize is that this data really belongs to the individual and they’re still stewards of that data.”
Reynolds said large institutions like urban universities base much of their privacy policy on the California Consumer Privacy Act, one of the first laws in the country to let individuals access, block the sale of and request the erasure of personal data that businesses collect. She said using the California rules, which have become a standard for rulemaking nationally, allows officials to communicate policies clearly.
GW’s privacy policy doesn’t give students the right to access or request that officials delete their personal data, according to the privacy policy website. The University’s Record Schedule lays out how long officials can hold onto different types of documents and information.
“Even though you’re not in California, a lot of other states and a lot of other institutions around the country are using that as sort of a benchmark,” she said.
Reynolds said officials need to create a full data privacy policy and “go back to fundamentals” on why they might need to acquire certain data and how they can properly disclose it. She said officials need to publicly justify when they collect specific data and stop collecting data if they are unable to do so.
The University’s privacy policy states officials have to outline a “lawful” basis for a new data collection process and inform community members about what type of information they are collecting.
“There is a responsibility for organizations to be transparent there, but they also find ways to justify why they have that data,” she said. “Because if they have a data breach or a data privacy infraction, that’s the first thing that a regulator is going to ask them.”