Last week, Kuma participated in a workshop hosted by the Center for Democracy & Technology: “Should It Stay or Should It Go? Balancing Retention, Deletion, and Student Privacy”. The question refers to whether educational institutions should hang onto student personal information, and, if so, for how long.
Striking a balance
According to Jenn Behrens, Kuma Partner and EVP of Privacy, student privacy is an increasingly challenging aspect of educational governance that demands deliberate consideration and management. While evidence shows that minimizing the amount of personal information maintained by organizations decreases the potential risk for privacy breach events, schools need to counterbalance this risk with various programmatic and educational needs to maintain student records for years and even decades. Behrens recommends schools develop a pragmatic retention schedule and data deletion policy.
There is a series of steps that organizations can take to facilitate this, including:
- Identify a privacy framework and relevant privacy regulations that are within the scope of the organization,
- Develop a data categorization policy to designate what data is public, confidential, sensitive, etc.,
- Conduct a data and asset inventory to catalog what data is collected and the systems in which it is stored and processed,
- Complete a Privacy Impact Assessment to identify the risk associated with collecting, processing and storing the data,
- Develop a retention schedule based on the data collected and stored by the organization in compliance with business needs, regulatory requirements and industry best practices,
- Produce a data deletion policy that provides the methodology for deleting and/or destroying data and media used to collect, process and store data.
These steps will support the negotiation of competing business needs and drive stronger privacy program methods throughout the institution.
Using third parties for data management
As schools rely further and further on third parties and vendors to maintain their information systems and provide data integration and analysis services, educational organizations dive increasingly into a web of third-party management. Having a sound privacy practice in place that integrates policy and expectations for vendor and third-party risk management, data inventories, asset inventories, and the development and enrichment of retention schedules and data disposal policies is an important part of the process.
How Kuma Helps
Kuma helps all types of organizations establish and mature security and privacy programs unique to their business climate and needs. We ensure you have access to senior-level resources and confidence through our forward-thinking approach. Educational institutions can benefit in particular from our privacy program assessment, privacy program development and implementation, and CPO engagements.