Most social science research doesn’t produce surprising results, but a recent survey of college student affairs and student success (SASS) professionals revealed unexpected findings on what they know and believe about student data privacy. Having asked SASS professionals from nine large public research universities about their knowledge, beliefs, and skills related to student data and privacy, my study showed that many professionals recognize some types of student data but are unaware of other key categories of information. Many professionals also lacked knowledge of institutions’ data collection and storage practices and other facts related to technology and student data. While the survey shows a relatively healthy overall profile of SASS professionals’ knowledge and practice, this blog offers strategies to help these professionals and higher education institutions better understand and protect student data privacy.
SASS professionals are people on college campuses who routinely work with student data through admissions, academic advising, support programs, and student life (e.g., housing, dining, co-curricular activities). I was not surprised that nearly all of them knew that student academic records, financial aid, conduct records, and health records were kept on campus and subject to regulations of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). I was also not surprised that most participants (over 95 percent) reported that they used student data to help students or that the group rated accessing individual student records as 3.8 out of 4, on average, on a scale of importance of data skills.
Surprising Results: Student Data Categories, Storage, Algorithms, and More
I was surprised, however, to find that many SASS professionals did not know about other prominent types of student data and where institutions collect and store student data. Also surprising were many professionals’ beliefs about the algorithms their institutions use and findings related to their learning about key data privacy laws and how they learn essential data skills. Some of the specific results include the following:
- A quarter or more of respondents either were not aware that their institutions held student data related to recreational sports (intramurals), campus transportation, library materials checked out, public computer cluster usage, co-curricular activity participation, or campus dining, or they were aware of these categories but had not considered them as student data. I expected greater awareness of these grey data categories that accumulate through students’ daily interactions with card-swipe systems and other individually tracked activities.
- There was little consensus on most campuses about where SASS professionals believed their institutions collect and hold student data. The survey listed 23 categories of data, and we asked whether the data is collected and stored in homegrown, vendor, or mixed (both homegrown and vendor) platforms. I looked for signs of consensus among the five campuses with enough respondents to make a generalization, defined as 55 percent or more of respondents answering the same way for a given data category. On one campus, respondents reached this threshold on 12 categories. On another, it was six categories. But the three other campuses had three, one, or zero categories on which there was 55 percent or more consensus. I work on a campus that is transitioning from a homegrown student information system to a vendor platform, and everyone seems immersed in discussions about where data is, but the survey results indicate otherwise (my campus is one of the five but not the one with highest consensus).
- About two-thirds of respondents reported that they trust algorithms that homegrown platforms use to provide student success metrics (e.g., academic or socioemotional early warnings). The same number reported trusting these algorithms from vendors. In the student success professionals community, I often hear distrust of “black box” algorithms from vendors. And there is a substantial movement to ensure that algorithms do not amplify bias. For these reasons, the relatively high level of reported trust was surprising.
- Only one-third of respondents believed that vendors can develop and apply algorithms such as predictive analytics without sharing the algorithm with their campus, which may explain the relatively high level of trust in vendors. Vendors most often do not share proprietary algorithms with campuses (the “black box”), but the majority of SASS professionals believed that they did.
- Most (86.4 percent) SASS professionals reported that they learned about FERPA through general institutional training, among other sources, but only half as many (44.8 percent) learned about HIPAA this way.* Nearly as many (43.4 percent) learned on their own), and 8.8 percent had never learned about HIPAA. Given that a majority (65 percent) of respondents also indicated that HIPAA protected common student records such as documentation of a disability for accommodations, I was surprised that more professionals had not received HIPAA training.
- There was a significant discrepancy between where SASS professionals reported learning about data skills and where people who supervise SASS professionals said they expected their employees to learn data skills. Professionals reported learning through general training in their institution (64.8 percent), on their own (60.5 percent), and in their work units (59.4 percent).* In contrast, supervisors expected employees to learn in general training in the institution (22.5 percent), training in the work unit (22.5 percent), or on their own (8.5 percent). This difference in responses left me wondering where supervisors expected most of SASS professionals’ training to happen.
The biggest surprise of all, however, came in a small section of the survey that asked about COVID-19 testing. The survey, fielded in May 2021, did not include questions about masks or vaccines. But the responses to questions about COVID-19 testing did not fully align with respondents’ other beliefs about student data privacy. We asked about student conduct (getting a test) and about student health (results of a test). Although test results are health data, four out of five respondents believed that if a student tested positive for COVID-19, several campus entities (e.g., student housing, athletic department for student athletes, instructors, and/or academic support services for students who would need to be quarantined) should be notified.
More than half (52.5 percent) believed that the institution should track test results (positive or negative) but only in student medical records; 29.5 percent believed the institution should track test results but only outside medical records. I attribute this apparent contradiction (positive test results should be shared on campus but only tracked in medical records) to the complexities of working with student data in an unprecedented public health crisis. SASS professionals have never had to contemplate these kinds of decisions about student data and privacy.
Despite these surprises, the overall picture of SASS professionals’ knowledge, beliefs, and skills is healthy. By and large they are aware of categories of student data, know about FERPA and to some extent HIPAA, and have the skills they need to work with student data.
Strengthening Knowledge and Practice of Student Data Privacy
There are opportunities for SASS professionals and higher education institutions to improve knowledge, correct misperceptions, and to be more systematic in training on policies and skills. In the report, I make several recommendations for SASS professionals, their supervisors, and campus leaders. I summarize them here:
For SASS professionals: Learn what kinds of data are on your campus, where it is kept (homegrown, vendor platforms), and who can access the data and under what conditions. Think about how you might more effectively connect data across campus silos (e.g., student affairs to academics) to improve student outcomes.
For supervisors of SASS professionals: Assess the knowledge, beliefs, and skills of your staff regarding student data. Use your networks at mid-level on campus to create opportunities for learning and for improving student outcomes through effective, ethical use of multiple student data streams.
For campus leaders: Lead campus-wide dialogue about student data, its appropriate use, and protecting privacy. Prioritize transparency related to data collection, storage, and use.
* Respondents could choose all that applied, resulting in a total that could be over 100 percent.
