By Anuradha Gandhi and Rachita Thakur
Introduction
- Overview of data privacy and its importance in educational institutions
In the digital age, educational institutions have become vast repositories of personal data in digitized form, ranging from academic records to sensitive personal data such as health, financial and identity-related data. As of January 25, 2023, there were a total of 1074 recognized universities as per the University Grants Commission.[1] This data-driven environment has created both opportunities and challenges in protecting individual data. The education sector has emerged as the most targeted industry for cyber-attacks, accounting for more than 700,000 detected threats in April-June 2023 in India, according to a study.[2]
As per a news report dated June 10, 2024, a leading university in Bhopal experienced an alleged data breach of significant data of students and faculty members. The institution is authorized by the University Grants Commission (UGC), i.e. it maintains the standards of teaching, examination and research in university education as per the Government of India guidelines. Despite claims that the university has a privacy policy which is GDPR and CCPA compliant, the breach took place, affecting the personal information of students. The data leak includes the unique ID of the student, username, full name, email ID, password, and user activation key.[3] Notably, the university's privacy policy was last updated on January 25, 2022.
A report of April 5, 2024 states that the University of Winnipeg in Canada reported that a hacker had stolen sensitive personal information of students and faculty. Students who enrolled in 2018 had their names, programs of study, street addresses, student numbers, insurance numbers (domestic students only), fee and tuition amounts, gender information, and marital status information exposed. Apart from this, data of all current and former employees since 2003 was exposed.
- Types of Data Collected in Universities
As part of personal information and sensitive personal information, universities collect the following data of students:
Academic records
An academic record can be understood as an official document that provides a comprehensive history of a student's enrolment with the university. It is generated by the university for each of its students and may include enrolment details like
- Name
- Roll number
- Date of birth
- Parents name
- Blood group
- Grades
- Completion status of degree
- Any scholarship you have received, etc.
The list is not exhaustive and can also include data like job offers, internships, any disciplinary actions taken against the student, etc.
Financial information
Universities ask for financial information of different kinds at different stages. Financial information includes bank account, debit card, credit card or other payment instrument details. At the time of submission of fees, the student provides the university with bank account details like
- Transaction ID,
- IFSC Code,
- Bank name,
- Account holder name.
At the time of seeking a scholarship, students have to provide the financial status of the family, the last few years' ITR, PAN card details of the student and parents/guardian, Aadhaar cards of the parent and student, all semester mark sheets, etc. This list is not exhaustive and can include various other items depending upon the policies of different universities.
Health and Counselling data
Medical forms and surveys: at the time of admission, students may be required to submit vaccination details, a medical history survey, etc. Also, every other university has a policy of either providing its students with an insurance policy or requiring them to submit their own. Either way, an insurance policy reveals the health status of the student, including whether they have any history of health issues.
Universities also have medical centers which students visit in case of a medical issue, where the medical experts collect data relating to diagnosis, treatment or counselling services. Mental health records may be collected by a counsellor during counselling or therapy sessions.
India does not have any law in force relating to healthcare data comparable to the Health Insurance Portability and Accountability Act, 1996 (HIPAA), which applies to healthcare providers and health plans (insurance policies) that transmit health information in digital format. The Digital India Healthcare Act was one such Act, proposed in 2018, which was never implemented.
Behavioral and usage data from digital platform
Increasingly, higher education systems have been using Learning Management System (LMS) digital data to capture and understand students’ learning and well-being. When instructors and students make use of LMS features, the system captures a trace of each event in a log file. The trace data can potentially allow researchers to better understand learning behaviors of students as they provide a rich, fine-grained, and accurate record of students’ actions.[4]
- Key Privacy Concerns in Universities
3.1 Data breaches and unauthorized access
Universities are increasingly vulnerable to data breaches due to insufficient cybersecurity measures, making student data an easy target for cybercriminals.[5] Weak passwords, website vulnerabilities and inadequate defenses allow hackers to exploit systems and access sensitive information.[6] During the COVID-19 pandemic, the reliance on platforms like Zoom, Microsoft Teams and Google Meet exposed student data to third parties, amplifying the risks of phishing, malware and data leaks.
On May 28, 2023, the system that a university used to transfer files across the campus and to other entities was breached, and the data was taken using malware.[7] External sources within an organization's ecosystem or supply chain that have access to personal data pose a third party risk. Reports also reveal that 41% of primary schools, 70% of secondary schools and 92% of higher education institutions in the UK reported breaches in 2022. In the U.S., 18 cyberattacks on schools were recorded in the first of the 2022.[8] These breaches, often caused by weak security measures, human error or deliberate attacks, result in severe consequences such as identity theft, fraud and reputational harm.[9]
3.2 Data Mining
Educational data mining (EDM) involves analyzing data from platforms like learning management systems, attendance records, grades, and online activities to improve learning outcomes. Techniques like classification, clustering, prediction and text mining identify student patterns, forecast outcomes and tailor educational experiences. It employs methods to analyze “student-to-student and student-to-teacher relationships and interactions” on social networks and also collects “attention metadata” to determine what a user is interacting with. Such comprehensive coverage will most likely improve the achievement of educational goals but will do so in exchange for personal data. The data collected often includes sensitive personal and academic details, which poses a serious risk to student privacy.[10]
Also, many educational institutions use AI, as it enhances EDM through machine learning, natural language processing and adaptive learning. It analyzes behavior and predicts challenges, automating insights from vast datasets.[11] Algorithmic bias can further result in unfair predictions or treatment. It could also lead to stigmatization and individual profiling, which can be a potential cause of discrimination.[12]
- Legal and Regulatory Framework
4.1 Overview of applicable laws: GDPR, FERPA, etc.
General Data Protection Regulation (GDPR): Under GDPR, universities must have a lawful basis to collect, process and store student data. Students have the right to access, rectify, object, restrict, and withdraw consent. The law requires clear and transparent communication with students regarding what data is collected and why and how it is collected and used.
Family Educational Rights and Privacy Act (FERPA): It gives parents and students the right to inspect the records maintained by schools, to request corrections, and to not have personally identifiable information released to any other individual. They can also ask universities to provide a copy of the policy concerning access to educational records.
California Consumer Privacy Act (CCPA): Similarly, CCPA provides students (or their parents, if under 16) with the right to know, delete and opt out. It also provides for information on what personal data is collected and the purpose of collecting such data.
4.2 Indian laws
Digital Personal Data Protection Act, 2023
The Act covers all data fiduciaries that process the data of students, along with giving various other rights, and in the case of a minor it provides for parental or guardian consent. The Act gives the data principal rights relating to deletion, withdrawal, purpose limitation, and retention of data. It also provides for explicit and unambiguous consent.
It also states that, in the event of an information security breach, the data fiduciary shall be required to demonstrate that it has implemented security control measures as per its documented information security program and information security policies.
Information Technology Act, 2000
Section 43A of the Act states that a body corporate which possesses or deals with sensitive personal information in digitized form that it owns, controls or operates, and which is negligent in implementing and maintaining reasonable security, leading to any breach, shall be liable to pay damages.[13]
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
The rules talk about protection of the sensitive personal data or information of a person. They require organizations, including educational institutions, to ensure secure processing of sensitive personal information. The Act talks about taking prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the data fiduciary and principal, or where the disclosure is necessary for compliance with a legal obligation. Therefore, universities engaging a third party vendor for any purpose, whether for online classes or otherwise, shall take prior permission of the provider of information if sensitive information needs to be disclosed.[14]
- Conclusion
The third party vendors may not be the ones misusing personal data, but the privacy policies of universities and their implementation are weak enough to render the data vulnerable to data breach. In our analysis of the privacy policies of various top universities, it was felt that data processing activities are not protected by law. The third party relationship for processing the sensitive data of students is not clearly outlined or communicated to the students. The personal information of students is particularly important, as they are the most vulnerable section of society and any breach or misuse will stick with them for the rest of their lives. Also, striking a balance between leveraging AI-driven insights and protecting privacy is crucial for fostering trust and improving education. Universities must prioritize platforms with robust encryption, authentication and compliance with data protection laws.
Abhishekta Sharma, Assessment Intern at S.S.Rana & Co. has assisted in the research of this article.
[1] https://www.ugc.gov.in/oldpdf/consolidated%20list%20of%20all%20universities.pdf
[3] https://thecyberexpress.com/vit-bhopal-data-breach-in-india/
[4] Nistor, N., & Neubauer, K. (2010). From participation to dropout: Quantitative participation patterns in online university courses. Computers & Education, 55(2), 663–672.
[5] https://www.linkedin.com/pulse/educational-institutions-data-breaches-india-analysis-nk5df
[7] https://www.govtech.com/education/higher-ed/ucla-possible-victim-of-moveit-hack-confirms-data-breach
[8] https://www.getastra.com/blog/security-audit/third-party-data-breach-statistics/
[9] https://www.linkedin.com/advice/0/what-risks-using-third-party-educational
[10] https://informationethics.ca/index.php/irie/article/view/384
[12] https://www.newsoftwares.net/blog/the-growing-concern-how-data-mining-threatens-student-privacy/
[13] https://indiankanoon.org/doc/76191164/
[14] Rule 6, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011