Top U.S. universities failing in online privacy
April 27, 2006
A national survey of online privacy practices in higher education, conducted by Bentley College and Watchfire, found that only 65 of the top 236 doctoral universities and liberal arts colleges in the U.S. have privacy notices linked to their home page, yet nearly all these schools engage in practices that potentially pose a privacy risk.
The survey examined 175,000 Web pages from schools named in the 2004 issue of U.S. News and World Report's list of America's best colleges. Automated probes by technology partner Watchfire Corp., which specializes in online risk management software, crawled pages originating from each school's home page and its undergraduate admissions, human resources and athletics sections.
The benchmark study comes at a time when most schools are using the Internet to process electronic applications and other types of e-commerce transactions, ranging from online alumni donations to the sale of athletic tickets, clothing and textbooks.
These are the same types of commercial activities that raise privacy concerns in the private sector. And with an increasing number of colleges and universities across the U.S. falling victim to data breaches, online privacy has emerged as an important risk management issue in higher education.
"Higher education is not immune from concerns about online privacy," says Mary J. Culnan, Bentley Slade Professor of Management and Information Technology, who conducted the research with Thomas J. Carlin, a Bentley MBA candidate.
"Privacy breaches potentially undermine consumer trust and confidence and make people less willing to disclose personal information online; this benchmark survey should be a wake-up call for all institutions of higher education," said Culnan.
Like the surveys of online privacy notices posted by dot-com websites, which the Federal Trade Commission initiated in 1998, the Bentley-Watchfire survey is based on a content analysis of online privacy notices. But it goes one step further than the prior surveys: an automated scan of the websites measured whether these sites also engaged in practices that may pose privacy risks to users, such as pages without a link to a privacy notice or non-secure pages with data collection forms.
"This year's litany of stories about security breaches shouldn't be construed as a gloom and doom scenario but a wake-up call for higher education, parents, students and alumni," said Traci Logan, Bentley's vice provost and vice president for information technology, who helped design the study.
For many, the college application process represents the first plunge into the deep end of the pool when it comes to voluntary release of confidential personal data.
While most CIOs in higher education identify information privacy and security as a critical challenge, too often this view doesn't permeate organizational culture and spending.
Key findings of the automated portion of the survey include:
-- Nearly 100% of both doctoral universities and liberal arts colleges had at least one data collection form on a page without a link to a privacy notice.
-- Nearly 100% of both doctoral universities and liberal arts colleges had at least one data collection form that used the GET method to submit the data. Because GET places the submitted values in the URL, this poses a risk of identity theft: sensitive information is stored in Web server log files that may be accessed by hackers.
-- 100% of both doctoral universities and liberal arts colleges had at least one non-secure page with a data collection form.
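The three conditions in the list above can be checked on a site's own pages with a short script. The following is an added example, not the survey's or Watchfire's tooling; the heuristics (a "data collection form" is any form with a user-fillable field, a "privacy notice link" is any link whose URL or text mentions privacy) and the example.edu pages are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

NON_DATA = {"hidden", "submit", "button", "reset", "image"}  # not user-filled

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.privacy_link = [], False
        self._form, self._in_a = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # a missing method attribute defaults to GET
            self._form = {"method": (a.get("method") or "get").lower(),
                          "action": a.get("action") or "", "fields": 0}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if tag != "input" or (a.get("type") or "text").lower() not in NON_DATA:
                self._form["fields"] += 1
        elif tag == "a":
            self._in_a = True
            self.privacy_link |= "privacy" in (a.get("href") or "").lower()

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "a":
            self._in_a = False

    def handle_data(self, data):  # link text such as "Privacy Notice"
        self.privacy_link |= self._in_a and "privacy" in data.lower()

def audit_page(page_url, html):  # -> [(form target URL, sorted risk labels)]
    p = FormAudit()
    p.feed(html)
    out = []
    for f in (f for f in p.forms if f["fields"]):
        target = urljoin(page_url, f["action"])
        risks = set() if p.privacy_link else {"no-privacy-link"}
        if f["method"] == "get":
            risks.add("get-method")
        if {urlparse(page_url).scheme, urlparse(target).scheme} != {"https"}:
            risks.add("non-secure")
        out.append((target, sorted(risks)))
    return out

# Constructed sample pages (hypothetical markup, not taken from any school)
RISKY = '<form action="/apply"><input name="ssn"><input type="submit"></form>'
SAFE = '<a href="/privacy">x</a><form method="post"><input name="email"></form>'
```

Site search boxes legitimately use GET, so a "get-method" result matters only when the form's fields carry personal data.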
For the manual survey, the authors analyzed content for the 65 privacy notices that were linked from the home page of the schools in the sample. They analyzed each notice to determine to what extent it reflected the basic elements of fair information practices. The authors found:
For all 65 privacy notices:
-- 63% contained a statement defining the scope of the privacy notice.
-- 66% contained contact information for privacy concerns.
-- 20% contained a statement about how changes to the notice are handled.
-- 85% described whether or not the site collects personal information.
-- None of these websites displayed a privacy seal.
For the 51 schools that disclosed in the notice that they collect personal information:
-- 49% disclosed what personal information is collected.
-- 90% reported how they use personal information.
-- 59% described in the privacy notice how their sites use cookies or Web bugs.
-- 53% said whether or not the school shares personal information when required by law.
-- 53% reported in the privacy notice whether or not the school shares personal information with third party affiliates.
-- 33% described in the privacy notice how users could access their personal information.
-- 61% contained a statement saying how the site protects personal information.
"The survey results suggest that online privacy is currently not a strategic priority for higher education, and it should be," said Culnan, "especially as higher education embraces e-commerce. Good privacy notices, backed up by an effective governance process, have been shown to help build trust by reducing the risk of disclosing personal information online."
The study's full report in PDF format is available at: http://www.bentley.edu/news-events/pdf/Final_Report_040610.pdf