Protecting Privacy: Conforming With Student Data Regulations

How are higher-ed tech managers navigating the challenge of facilitating collaboration while ensuring the privacy of student data in the face of myriad regulations like FERPA?

Over the past decade, cybercrime has consistently outpaced violent crime, by a large margin, as the number-one threat Americans fear, according to an annual Gallup study. It’s no wonder. The threats persist as security breaches seem to increase in frequency and severity.


Networked audio and video systems present a legitimate vulnerability, and AV pros need to brush up on their information security standards. The issue is even more complex for education institutions, which are subject to regulations like FERPA, the Family Educational Rights and Privacy Act, established to protect the privacy of student education records. Photos and videos of students are considered part of their education records, as is any other part of their digital footprint on campus.


Education technology managers are challenged by the demand to enable easy collaboration while ensuring the security of student data. But it’s certainly not just collaboration devices to be concerned with. “Almost any software that’s out there in the cloud, there’s going to be a security risk,” said John O’Brien, assistant director of academic technology, technical support services at Montclair State University in New Jersey. 

While FERPA certainly gets the most attention, there are myriad other regulations with which education institutions must comply, according to Bill Britton, vice president of information technology, CIO and director of Cal Poly’s Cybersecurity Center. Any college or university that maintains health records on student athletes falls under HIPAA regulations. Research groups working with corporate partners may be handling intellectual property data and are thus subject to IP law privacy standards. Postsecondary schools working with government entities must also contend with ITAR (International Traffic in Arms Regulations), which regulates defense and military-related technologies in the interest of national security.

Then there are state regulations. California, for example, has some of the strictest privacy laws in the country. The California Consumer Privacy Act is known as GDPR Light, a nod to Europe’s sweeping data privacy law. The Student Online Personal Information Protection Act (SOPIPA), which took effect in 2016, prohibits sharing K-12 student data for targeted advertising.

When it comes to compliance, each regulation carries its own set of rules. They all report to different offices, and often, IT people aren’t even drawn into the conversation—until, of course, there’s a breach. “Organization and structure are really important in this conversation,” Britton said. “Smart organizations have coworking groups,” which function across departments.

The issue adds urgency to the move to converge AV and IT departments.

Cal Poly is fortunate to have a much larger IT department than most universities, comprising three sub-groups: policy and governance, which works with the rest of the university; tech support; and forensics, which responds to incidents and proactively seeks vulnerabilities. The audiovisual team resides under the governance group’s Accessible Technology Initiative (ATI), a policy making IT resources and services accessible to all, as well as guiding proper implementation of technology. “ATI and cybersecurity are tied at the hip now,” which is very rare, Britton noted. 

At Montclair State, the AV department was absorbed into IT back in 1998. When the AV team seeks to onboard a new device, they have a detailed system in place. They’re required to provide a host of information to their IT colleagues. “We have a security checklist that new [vendors] have to fill out,” O’Brien said. “They have to meet the Montclair State University standards.”

The process covers the methods a device uses to get on the network, how it functions, MAC address, SSL, and all other security protocols. This is all in addition to automated network monitoring software, Cisco’s ISE (Identity Services Engine), which simplifies identity management across diverse network devices. Additionally, if an IP device hasn’t been used in a while, say, for two or three months, it gets knocked off the network. 

Policy is Fundamental

Internal policies play an important role after devices are onboarded. The policy at Montclair State is to share content on the learning management platform, Canvas, which is private and protected by internal servers. Content posted to Canvas is only available to students and faculty who have access to that specific course. Despite clear rules, there is still a risk that adjuncts or others will unknowingly post videos or photos on a social media platform without written permission. That is a clear violation of the policy and puts the university at risk of a FERPA violation.


“People who use Canvas all should know that videos you’re going to share with your students should be in Canvas—not on Facebook, not YouTube,” O’Brien said. “It all has to be behind some type of authentication. This goes to all student work.”


Two teams are involved in reviewing new networked devices at Cal Poly, so they can check accessibility and security at the same time, adding a layer of redundancy to the process—a rare and important safeguard. Automated tools also monitor network usage at all stages. “Student devices are more of the Wild West,” Britton noted. Cal Poly scanners pick up those devices without reading any packets or information, but there’s still an inherent risk. “Say a student pokes a hole in the firewall, and we find out, but it’s a series of violations of university policy.”

The Responsible Use Policy defines access to Cal Poly’s IT resources as a privilege for faculty, staff, and students to support studies and official duties, further outlining rules for use. “But technology is changing so fast, you don’t realize you’re breaking the rules,” Britton said. The key is communications and open discussions. “In the academic world, you have to be more flexible, but you have to be reactive.”

For these reasons, the risks in education are much different from those of a commercial business or government. As MSU’s O’Brien stated, “You can’t lock everything down and be a public institution.”

Applying Best Practices

When it comes to evaluating and deploying networked AV devices, there are a number of best practices to follow. First and foremost, “Ensure you have good governance in place,” Britton advised. “Without the ruleset, [people] can do anything they want. The governance should be to review before accessing.”

Secondly, have a review group in place, so the entire university is aware of those capabilities. Thirdly, “Audit, audit, audit, audit,” Britton said. “Manually, technically, physically, ensure devices are doing what they’re supposed to be doing and not being misused.” 

The onus is on vendors to communicate what connections their devices or software make. Having great relationships with vendors is hugely beneficial. Britton cites an exceptional relationship Cal Poly has with Oblong. They directly collaborated on R&D, physically testing solutions in the university’s cyber lab, and further validating use cases in advance of deployment.

O’Brien points to vendors like Biamp and Crestron that send equipment out for testing prior to any purchase. He also extolled the exceptional service support from Zoom, which has helped authenticate security protocols, among many other supporting efforts. 

Continuous Education 

With a technical subject as dynamic as cybersecurity, ongoing education is invaluable. Trade journals and online resources are great places to start. Britton recommends ISACA, a nonprofit global association serving information systems, as well as leading conventions and media sources like DEF CON and RSA as his top-three resources. 

O’Brien relies on a wide range of resources available to the education technology community, including NJ Edge, a local nonprofit technology partner; Internet2, a member-driven technology community founded by leading higher education institutions; and the Consortium of College and University Media Centers (CCUMC). For AV industry-specific resources, he strongly encourages every young person coming into the industry to join AVIXA, the AV User Group, and the IMCCA. O’Brien said that he has benefited greatly from participating in all of these organizations.

While the networked AV world opens up endless opportunities for advanced communications, the benefits carry a host of additional responsibilities. AV technology managers in education must continue to upgrade their skills, knowledge, and policies to meet the ever-evolving demands for data privacy.

Lindsey M. Adler is a writer, editor and journalist who produces a wide range of content about the audiovisual industry.


Lindsey M. Adler is an audiovisual storyteller based in New York.