World’s Leading Universities and their Privacy Policies
Abstract
Personal information is categorized under sensitive data and requires to be protected from getting into the wrong hands. Hence, different measures, as well as policies, are being outlined and updated regularly in an effort to ensure personal information retains its integrity and remains confidential. In different institutions, one is required to subscribe to various policies before accessing its resources, for instance, the internet.
This paper addresses the different policies put in place by the three world-class universities – the university of Denver, Yale University, and the University of Pennsylvania. In all the three universities, they retain the sole obligation to inspect all the computers in their ownership, and, which are within the school at any given moment. However, their policies very differently, according to the school. One thing to note on privacy policies in the three institutions is that they take privacy seriously and work hard to ensure no unauthorized individual has access to them.
Keywords: privacy policy, personal information, integrity, and confidentiality.
Introduction
Education is the key to a good life, as is believed by many people across the globe. From the onset of life to the end, one never stops learning, be it formally or informally. Learning in school the formal way begins from the kindergarten all the way to the university. Narrowing down to institutions of higher learning, the universities, this is an area where adults are the students, people perceived to be old enough to discern between what is good and right. Learning in these tertiary institutions is made possible thanks to the policies put in place by their various administrations (Bennett & Raab 2017). In this text, three world-class universities in the form of the University of Pennsylvania, University of Denver, and the Yale University shall form the basis of this research seeking to answer the question; How do educational institutions address privacy in their policies?
Background information
Yale University has a rather unique way of addressing the issue of personal information. The university tracks the browsing patterns on the users browsing on the school’s website as a way of understanding how their sites are being used (Chen, Xu & Yu, 2015). There is a collection of generic information by the use of what are known as ‘cookies’ that makes an evaluation of the browsing content. In Denver University, any individual connected to the university’s website, he or she is prompted by a consensual dialog box where the user is obliged to agree to abide by and subscribe to the rules and regulations of the university. The university reserves the right to inspect all of its computers in its ownership within the school premises at any given time (Johansen, Birrell, Van, Schneider, Stenhaug & Johansen, 2015). The University of Pennsylvania uses third-party service providers to obtain personal information of all students for the purposes of, among others providing functionality to students, responding to inquiries of students.
Even though the three institutions may differ in their modus operandi concerning the handling of personal information, it is worth noting that all the three respect the privacy of the students, and at no given time would any of the three make private information public, or use them for financial gain at the detriment of the students (Johansen et al., 2015). Yale University has a well-equipped security operations unit that is charged with the responsibility of ensuring that private information remains private, while public information remains in the public domain (Chen et al. 2015). The University of Denver is committed to taking reasonable precautions in order to maintain security and privacy. However, it does not guarantee the students that there would not be any breach of security in the school’s network, and so students must assume the risk of security breaches (Johansen et al. 2015). The University of Pennsylvania, on the other side, provides that when a student gives out personal information, the students make a representation that he or she permits the school to use the information in accordance with the school’s privacy policy (Reidenberg, Bhatia, Breaux & Norton, 2016).
Literature review
In a world that has been characterized by threats to personal privacy and are increasing rapidly, there have been legislations made to curb the same. However, experts are of the idea that there has not been enough legislation to get to the root of this matter and eradicate this issue once and for all. The legislation put in place to shed light on this issue has been rather slow in the opinions of many experts (Bennett & Raab, 2017). It is for the same reason that it is vital to reconcile technology and privacy for the best interests of everybody.
According to Bennett & Raab, (2017), putting in place legislation as a means of dealing with the impending problem should not just be left at that, but governments should make the extra step to ensure that the violators of this crime are punished in accordance with the law. That would then act as a show of seriousness by the governments to demonstrate their resolve towards dealing with violation and privacy. That aside, the governments need to lead the fore line in ensuring that all regulations are adhered to by putting in officers in the IT department in every institution to oversee the implementation of these laws.
Reflecting on this issue, there is a rising surge in the number of constant incidences of cybercrimes where identity theft has taken center stage in the world of technology. This has been rather rampant, especially in financial institutions leading to the theft of a lot of money obtained illegally. Perhaps a serious government would be ideal to set up an excellent example for the others to follow.
The management of Yale University is committed to protecting the privacy of all students, and any information voluntarily provided through the university’s website such as name, email addresses, phone numbers among others are not to be sold or traded to other institutions such as universities, colleges, business, non-profit organizations or any businesses (Chen et al., 2015). The school’s department of IT is involved in the daily tracking of the browsing patterns and the collection of cookies to evaluate the browsing content by a student. The institution strives to ensure that private information remains private and that no private content goes to the public domain.
In the unlikely event that the university acts contrary to this, they would be held liable for an offence, and the students would be eligible to sue for damages. It would prove costly for the university to have to pay up a student whose life and career lies in its hands. The institution, therefore, needs to put in mechanisms of whatever means to ensure that private information remains private in the best interest of everyone (Chen, Xu & Yu, 2015). There have hardly been any cases of privacy violation or private information of students in any of the highly reputable institutions of leadership, to say the least. Still, the possibility of this happening should not be ignored. Perhaps all people should be made wary of the probability that this actually happens.
Ermakova, Fabian & Babina, (2015), opine that a good number of internet users on educational websites, as well as others such as those of healthcare and other products, usually ignore reading the privacy policies before agreeing to subscribe to something. They blame this on the possibility and likelihood that is owed to psychological habituation observed by experts in this field. This simple misdemeanour has since led to a good number of security breaches, leading to some students having their private information leaked without their consent, leading to unnecessary lawsuits costing the education facilities thousands of dollars in compensation.
It is a very common thing to ignore reading the privacy policies of any website before agreeing to them. This could be blamed on the fact that the human mind likes assuming too much, and that the words of the privacy policy are too many and probably meaningless (Ermakova, Fabian & Babina, 2015). A survey conducted in the past by experts shows that out of ten people, only two or three read the words of the privacy policy in entirety. This is to say that the other seven agree to what they actually don’t know.
Reidenberg, Breaux, Cranor, French, Grannis, Graves & Ramanath, (2015), opine that there are instances where misunderstandings occur when a student or a user of any website for that matter misunderstands the intended meanings of some words. This creates a situation where a careful reader reserves the right to disagree with such a policy. Still, because he or she wants to continue using the site, he or she has no other obligation but to click ‘I agree.’ It is important to note that the United States applies the ‘notice and choice’ approach to policies of internet usage.
Many a time is the incidents where words are misconstrued to mean something else different by the users of websites in schools and health care policies, only to discover later that the intended word was different from what the internet user understood. If there is a breach of the privacy policy, the user would then invoke the policy bit to be dismayed upon interpretation. This poses a great risk of misrepresentations (Reidenberg et al., 2015). Perhaps the said internet source could up their game by giving expressed explanations of ambiguous terms in some sought of footnotes. This would be a creative way to ensure that the user, while agreeing to the terms, knows what he or she is putting himself into. It would also avoid lawsuits that are uncalled for.
According to Zaeem, German & Barber, 2018, article, research has revealed that quite a number of people often fail to read the privacy policies of many of the websites they use. This is to say that a tiny percentage actually reads them, with many of them admitting to the fact that they ignore them because they are rather lengthy and are written in small fonts, making it stressful to get a glimpse of what it is all about. Unknown to them are the legal consequences they would face in the event of a breach of privacy, having already implicitly agreed to the policies.
Truth be told, the wordings of any privacy policies that a majority of people in the world have come across are rather too wordy. To make it worse, the fonts are too small for someone to keep straining to try to read. In most cases, one would find himself skipping or quickly agreeing to whichever terms are there, oblivious to their implications. Perhaps it could be a very wise thing to do by taking the time to go through the privacy policy; however, wordy and tiny it could be (Zaeem, German & Barber, 2018). In the wake of constant compromise of technology integrity, humans are better placed to read and understand a privacy policy instead of just ignoring. A reflection on the legal consequences of agreeing to the terms of the privacy policy of a website shows that things could work to the detriment of an internet user. Taking up a matter of such caliber to court in search of an injunction to be awarded, damages would not hold water in a court of law. Perhaps all people need to be careful with the little things they ignore.
Johansen et al., (2015), propose a mechanism by which shared data could be protected by way of expression and enforcement of security policies. This would be made possible by the use of meta-code, which can express policies in a broad class. This includes access-based policies, use-based policies, sticky policies with the ability to declassify as well as obligations. The meta-code would then be interposed in the access path of the file system in a bid to ensure compliance with policy requirements. The feasibility of this is heavily reliant on the adaptations to these programs by the server systems.
The use of meta codes may not be understandable to those that barely even know the basics of technology. It is a suggestion that would not go down with many for the mere fact that one cannot make out what it stands for, and whether there is a guarantee that privacy policy would not be compromised (Johansen et al., 2015). Perhaps the solution to all these problems associated with the issue of income enforcement of privacy policies would call for the world to delve deeper into what only the people in the field of IT seem to understand most. A thorough look at this matter points to the solution in the direction of the experts in Information Technology. The use of meta codes is a language that can barely be understood by the layman, and more often than not, they would dismiss the idea.
Reidenberg et al., (2016), admit to the fact there is a lot of ambiguity in the languages that work to undermine the value of privacy for people that use various sites. The authors make a comparison of multiple impacts that different regulatory models have on the ambiguity of the policies of privacies in various sectors of the internet. There is the development of a theory of vague and ambiguous terms and an expansion of what is a scoring method of comparison of relative vagueness of different policies. Natural language is then used to apply these theories to rate a set of policies.
It has been in the public domain that numerous websites have fallen victim to the use of ambiguous languages in their websites, leading to unwarranted legal consequences. Different regulatory models have been trying day in day out to provide a solution to this to no avail (Reidenberg et al., 2016). Perhaps the development of theories looking into the vagueness of these languages could nip it all in the bud.
Research Method
The data collection methodology used in this paper included a qualitative and quantitative data collection. This involved the analysis of different literatures and analysis of the key findings. The hypothesis of the paper was used to identify the primary papers to use. The conclusions findings and conclusions found in this research paper were as a result of building on previous knowledge.
Also, an interview was used as a data collection tool, where individuals from the three different school who are responsible for the respective school’s privacy policy were interviewed. Both open-ended and closed questions were used during the interview. From the interview, it helped to have an in-depth understanding of the privacy policies in the respective institutions.
A focus group will be formulated immediately after the interview of around six students, two from each of the schools and who have had both good and bad experiences with the schools’ privacy policies. Opinions, as well as the ideas from all the group members, will be recorded and authenticated before putting it on paper. A non-intimidating environment for discussion will be set up to ensure everyone speaks his or her mind without fear.
Data collection plan
The following guidelines will guide the researcher in piloting the interview.
Acquiring permission for the study. A letter to the school dean will be formulated, and authenticated by the research paper advisor, requesting permission to gather data through the interview with the selected respondent. In addition, a formal letter will be formulated to the dean of the respective schools requesting their permission to conduct an interview with one of the employees who are well versed with the respective school’s privacy policy.
A venue suiting the respondent will be selected. In addition, the aim of the interview will be explained in full to the respective respondent after they agree while assuring them confidentiality, as well as the integrity of the information or data they may provide during the period of the interview. Further details of the nature, period, purpose, and expectation of the interview will be explained. The interview will be conducted in an informal way (conversation), which will be recorded to ensure proper data recording. The respondent will be asked questions (attached in appendix 1) and given ample time (5 min) to respond.
Documents such as the school documentation of the privacy policy will be reviewed to ensure they concur with what was recorded in both the focus group and the interview. Other documents that will be reviewed include, the data file for the number of individuals caught violating school privacy policy as well as the document authenticating what was recorded on tape on both settings.
Results
The vice president of audit, compliance and privacy Mr Gregory from Pennsylvanian university, and senior privacy policy officers from both Yale and the University of Denver agreed to our interview. Both officers from Yale and Denver never agreed to offer their names due to personal and privacy issues which were agreed before the commencement of the interview.
The following responses were gathered during the interview:
- What kind of personal information do you ask every visitor/ student to fill who come to the school website, app or school portal?
The entire respondent agreed to use the website, computer and mobile application owned by their respective institutions. They referred to the website, computer and mobile application, as services they offered which they have to collect personal information of the users to enable them to track any mischievous behaviour or any actor who violates their terms and conditions.
In addition, Yale and Pennsylvania university respondent added that they also use collected information through a newsletter signup, and other information provided offline when visiting the institution places such as seminars among others.
- When do you ask for personal information?
The personal information collected in the collection in the respective institution include email id, social media account id, first name and last name of the user, profile picture, web cookies, postal address as well as respective institution credentials to their online portal.
Yale and Pennsylvania University provided collected information during sign up, seminar visits, library visits, school portal signup as well as when surfing their websites. Denver, also collected information same as the other two institutions but avoided using cookies from their websites.
- How do you use the personal information you collect?
University of Pennsylvania respondent agreed that they use personal information with their third-party service providers to offer service functionality and fulfil the request of their users since if the information requested is not provided, the institution may not be in a position to provide the service a user may require.
All respondent agreed to use of personal emails to send promotional information as well as personalized services based on the client needs as well as for other legal reason such as compliance with the court order. University of Yale and Denver agreed to use the information same as the University of Pennsylvania. However, they never shared the personal information with third party services such as with the University of Pennsylvania.
- How secure is the private information collected.
The respondent from all the three institutions agreed not to have a 100% secure system. However, they guaranteed the institutions seek to utilize reasonable administrative, technical and organizational measures to ensure the protection of all personal information under their responsibility. Mr Gregory also, agreed that his institution had a quick dial-up number, which is used by any user using their resources who believed that their information was no longer secure to report to the officer in charge of security and privacy policy. In addition, any updates, review or deletion of personal information was allowed though it had to be reviewed by the audit and privacy board.
- Why do you collect visitors/student email?
Both University of Pennsylvania and Yale agreed that email was part of the university private information requirement since through it, sensitive information such as password reset as well as results of the services requested were communicated through it. In addition, it was used to send institution updates which were critical such as exam dates and fees as well as other arrears with the school. University of Denver respondent added that they also used the school email provided to the user to conduct forensics in case a complaint was lodged about it. However, the email user was to be informed first.
Discussion
Based on the results above, it is evident that the most commonly collected personal information is names, email, and school ID. The information collected is critical for the services provided by the respective schools. For instance, when a user from a given school needs to alter or delete his or her personal information, every process to do so should be conducted in a private email since sensitive information will be transmitted.
In addition, the usage of personal information can be due to legal purposes, where a court order is produced. The institutions do its best to ensure the personal information is not used for another purpose other than to serve the individual who provides that information and the individual can opt to delete any information at will though subjected to a legal review to avoid unforeseen consequences to the institutions.
On the issue of security, as expected, there is no 100% secure system with the current and emerging technologies in place. No matter how secure a system is, it has a breaking point, which can be even an employee of the institution. However, the institution has taken all the measures necessary to ensure personal information retains its availability, integrity and confidentiality.
The forum groups though they had varying opinions on the way their respective institutions collected, used, as well as transmit their personal information they all agreed that it was necessary to have the information to ensure they all were served equally. In addition, due to the security reasons, there was a need to correct the information to ensure no violation of the terms and conditions of the school.
Conclusion
As has been demonstrated, it goes without saying that various educational institutions have different policies on privacy. While all institutions have a high regard for personal information, how they are handled is quite different. What is more fulfilling is that all the institutions declare that they respect the privacies of all students, and would not at any time disclose information that may work against the interest of any student.
Reference Page
Bennett, C. J., & Raab, C. D. (2017). The governance of privacy: Policy instruments in global perspective. Routledge.
Chen, Z., Xu, B., & Yu, H. (2015). Yale University.
Ermakova, T., Fabian, B., & Babina, E. (2015). Readability of Privacy Policies of Education Websites. Wirtschaftsinformatik, 15.
Johansen, H. D., Birrell, E., Van Renesse, R., Schneider, F. B., Stenhaug, M., & Johansen, D. (2015, July). Enforcing privacy policies with meta-code. In Proceedings of the 6th Asia-Pacific Workshop on Systems (pp. 1-7).
Reidenberg, J. R., Bhatia, J., Breaux, T. D., & Norton, T. B. (2016). Ambiguity in privacy policies and the impact of regulation. The Journal of Legal Studies, 45(S2), S163-S190.
Reidenberg, J. R., Breaux, T., Cranor, L. F., French, B., Grannis, A., Graves, J. T., … & Ramanath, R. (2015). Disagreeable privacy policies: Mismatches between meaning and users’ understanding. Berkeley Tech. LJ, 30, 39.
Zaeem, R. N., German, R. L., & Barber, K. S. (2018). Privacy check: Automatic summarization of privacy policies using data mining. ACM Transactions on Internet Technology (TOIT), 18(4), 1-18.
Appendices
Questionnaire
Interview Questions on university Privacy Policy
- What is your name? ____________
- What is your school? [tick the most appropriate answer]
- Yale University.
- University of Pennsylvania.
- The University of Denver.
- What position do you hold in the school? __________ _________
- What kind of personal information do you ask every visitor/ student to fill who come to school website, app or school portal? ____________
- When do you ask for personal information? _____________
- How do you use the personal information you collect? _____________
- How secure is the private information collected? ___________
- Why do you collect visitors/student email? ___________
Certificate of authorship