Privacy law and higher education institutions

Tertiary Talk - June 2020

For tertiary education institutions (TEIs), data privacy has in recent years moved from an obscure topic to a common one. In 2020 privacy measures in New Zealand are becoming more formalised due to increasing legislative obligations, including the introduction of mandatory breach reporting. This is consistent with global trends, which appear to draw on the General Data Protection Regulation (GDPR) that came into effect across Europe in May 2018. Large privacy breaches, growing negative sentiment towards social media companies and public outcry over poor privacy handling by sales and marketing teams are causing data controllers and data processors to pay attention. The exposure of Cambridge Analytica's ability to derive detailed profiles of personal habits and views from harvested social media data was a landmark case. This article looks at privacy at TEIs, examples of where breaches have occurred and what New Zealand TEIs should look for when managing privacy risk.

What is Privacy? Why is it relevant to my TEI?

Privacy in an individual sense is the right to freedom from intrusion, or the right of a person to be left alone. Data privacy, by contrast, refers to the way personal data (also called personal information or Personally Identifiable Information, PII) is collected, stored and used by organisations, and focusses on the rights of individuals with respect to their personal information. Protecting the PII your organisation collects is required by law, and privacy breaches can lead to substantial financial and reputational loss. Embedding privacy controls into your systems and processes is therefore important for every organisation or agency that handles individuals' PII. TEIs should be concerned about managing privacy risk because:

  • TEIs hold large volumes of sensitive and lucrative PII, such as student academic records, tax file details, bank account details, passport information and medical records. This makes TEIs appealing targets for cybercriminals, who would either sell the information on the black market or use it for targeted fraud and scams against the individuals concerned. See below for two case studies;
  • TEIs hold and process personal information about staff and students from all over the world, and so may also need to comply with foreign data privacy laws. In some jurisdictions, notably under the GDPR, data subjects have enforceable rights over their personal data and a breach of those rights can attract large fines;
  • International subject matter experts, celebrities and dignitaries may teach or conduct research at TEIs, making institutions a prime target for cyber-espionage;
  • TEIs often rely on decentralised IT, cloud services and mobile devices that may not be well protected, which weakens their resilience against breaches and cyberattacks; and
  • In New Zealand, TEIs assign each student an ID number, which is a 'unique identifier' under the Privacy Act's unique identifier principle (Information Privacy Principle 12 in the 1993 Act, Principle 13 in the 2020 Act). The TEI is therefore obliged to protect that identifier with privacy controls and to assign it only where necessary.

What happens when privacy is breached at a TEI?

In June 2019, the Australian National University (ANU) disclosed a data breach that affected an estimated 200,000 individuals and 19 years' worth of PII. The breach was a serious violation of individuals' privacy under the Australian Privacy Act, and it exposed victims to identity fraud and theft and even physical threat, as residential addresses were among the PII stolen. ANU bore the major cost of investigating and remediating the breach for months after discovering it, and the significant international media coverage damaged the university's reputation. The university has since improved its cybersecurity, but the harm from the breach cannot be undone. A 2016 breach at the UK's University of Greenwich, which exposed almost 20,000 students' personal data, resulted in the regulator fining the institution the equivalent of NZ$240,000. That figure is low on the scale of privacy breach fines because it was imposed before the GDPR and similar regulations, with their much larger penalties for breaches involving the personal data of individuals in the EU and US, came into force.

Protecting privacy as a higher education institute

Having a set of robust, up-to-date privacy protection practices is important for every tertiary education provider, since each works with a significant amount of personal data. Keeping up with ever-changing local and global privacy regulations can be challenging, but it is crucial for every organisation to understand the consequences of failing to meet these obligations. The new Privacy Act 2020 comes into force in New Zealand on 1 December 2020 and requires every organisation, TEIs and other tertiary education providers included, to report privacy breaches that have caused, or are likely to cause, serious harm. For example, if you suffer a data breach that poses a risk of harm (such as leaked personal information being used for identity theft or published online), you must notify the people affected. You must also notify the Office of the Privacy Commissioner.

Validating that your TEI has adequate privacy protection procedures and controls can prevent significant financial loss and reputational damage, and it ensures that any breach that does occur is contained quickly and its impact on the institution is minimised.

Five key questions that TEI leaders and privacy officers should be asked, to gain confidence that the institution is effectively managing its data privacy obligations, are:

  1. Do we understand the size and severity of the risks associated with the PII we hold? For example, how have we measured and addressed the privacy risks attached to this information?
  2. How do we know that our privacy processes are fit for purpose and well communicated? For example, what monitoring and reporting procedures have we implemented?
  3. Is responsibility for privacy-related matters clearly defined and communicated to all stakeholders, including the vendors and partners who have access to this data?
  4. What programme do we have in place to ensure our staff and partners keep up to date with, and uphold, the obligations imposed by the privacy laws relevant to our data subjects? For example, how are we embedding privacy thinking in the changes we make to our business?
  5. Do we have an incident management plan, and is it tested regularly?