
From Admissions To Alumni: How University Data Systems Create Long-term Privacy Risk

The revelation of the Baker University Data Breach has highlighted an issue in the higher education sector that has been largely ignored until now: universities have taken on a new and long-term role as custodians of their students' sensitive personal information, one that extends well beyond the students' time on campus. This role is distinct from that of other organisations. Most organisations collect and use an individual's personal information for a limited length of time, whereas universities can, and do, collect, store, and use the same personal data over a period of years (for example, in a student's academic, housing, and healthcare records), which vastly increases the potential for privacy risks over time.

Within a student's lifecycle with an institution, there are a number of points at which they may be asked to provide personal information. The accumulation begins when a student applies for admission and submits an application that may include a copy of their Social Security number and similar identifiers. After a student has been accepted and enrolled, the institution continues to accumulate personal information related to their academics, housing, and so on. Finally, even after a student graduates, their records continue to contain significant amounts of personal information, such as contact information, donation history, and employment information, and most institutions retain those records indefinitely.

Because many universities retain student records for so long after graduation, their data holdings can become very large and complex. In addition, universities generally do not have a defined period after which they delete records. They usually retain information for compliance, for archival purposes, or for alumni engagement, which means that they are always adding to and keeping historical data. Eventually, all of that historical data becomes a very large repository spread across multiple systems, departments, and vendors, the result of combining many different software products that were never intended to be used together securely.

Decentralization compounds this issue, because many universities operate as a collection of semi-autonomous departments, including admissions, the registrar, student health, athletics, and alumni relations. Each department has its own access control mechanisms and its own staff using its own software platforms. Therefore, when a vulnerability exists in one department's system, there is an increased risk that a user authorized only for that system could reach data from another department's system through record sharing or synchronization between the two.

The risks associated with legacy technology are heightened even further because many institutions still operate hardware that predates the implementation of many current cybersecurity standards. Institutions are constrained by budgets and competing priorities, so many of them defer upgrades to their systems. The result is institutions that run an older on-premises database alongside a cloud system. These hybrid environments are difficult to secure consistently, which makes misconfigured or unpatched systems, and unauthorized access to them, more likely.

The seriousness of university breaches derives from the nature of the data stored at these institutions. Educational institutions often maintain both personal and financial records in their systems. Student identification numbers (and government IDs), banking or credit card information, medical records, and similar data can coexist within these interconnected systems. As such, if a university's records are breached, this combination of data may enable identity theft, financial fraud, or the long-term misuse of an individual's personal data.

In addition, the way data is retained further complicates the risk of a university breach. For example, alumni may assume that their exposure ends when they graduate, but colleges and universities continue to retain student records for many years, sometimes decades. Therefore, the risk to these individuals continues even if they no longer have an active relationship with their institution, and often without their knowledge that this data is still being retained.

While regulatory frameworks have been put in place to offer protection from breaches, their effectiveness varies. The many different frameworks that govern how information is stored (educational records, financial records, medical records) create a patchwork of disparate requirements for universities. Even where universities comply with these requirements, however, compliance does not ensure security. Frequently, breaches result not from an institution's noncompliance with regulations, but from outdated or overly complicated systems that were not adequately monitored.

The rise of digital higher education has brought an industry-wide challenge to the university setting: balancing the need for an open academic learning environment with the institution's capacity to act as a long-term steward of institutional data. Strengthening access controls, modernizing data infrastructure, reducing data retention, and re-evaluating data sharing with third-party service providers are no longer optional; these foundational measures must be in place for any institution to ensure the privacy of its students and alumni now and in the future.
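One concrete way to act on "reducing data retention" is to encode a retention schedule and a minimization rule and run them over the institution's record inventory, so that applicant, housing, health and alumni records each get an explicit keep, delete, redact or review decision instead of being kept forever by default. The following is an added example, not code from the article or from any university system it describes. The record categories, the retention periods, the field names and the sample records are all hypothetical placeholders chosen for illustration.

```python
"""Added example: a retention and minimization planner over constructed
student records. Categories, retention periods and sample records are
hypothetical assumptions, not values from the article."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Hypothetical retention periods in years after a record's last activity.
# None means the category is kept indefinitely (e.g. alumni engagement data).
RETENTION_YEARS: Dict[str, Optional[int]] = {
    "admissions": 2,   # applicants who never enrolled
    "housing": 5,
    "health": 7,
    "alumni": None,
}

# Identifiers that should not survive once the active relationship ends,
# whatever the record category (data minimization). Hypothetical field names.
SENSITIVE_FIELDS = {"ssn", "bank_account", "card_number"}


@dataclass
class Record:
    record_id: str
    category: str
    system: str                  # owning department system
    fields: Dict[str, str]
    last_activity: date
    active_relationship: bool    # True while the student is enrolled


@dataclass
class Action:
    record_id: str
    action: str                  # "keep", "delete", "redact" or "review"
    reason: str
    fields_to_redact: List[str] = field(default_factory=list)


def years_since(when: date, today: date) -> float:
    return (today - when).days / 365.25


def plan_retention(records: List[Record], today: date) -> List[Action]:
    """Decide, per record, what the retention schedule requires as of `today`."""
    actions: List[Action] = []
    for r in records:
        if r.category not in RETENTION_YEARS:
            # An unknown category is surfaced for review rather than silently
            # kept forever, which is the default failure mode the text describes.
            actions.append(Action(r.record_id, "review",
                                  f"no retention rule for category {r.category!r}"))
            continue
        limit = RETENTION_YEARS[r.category]
        if (limit is not None and not r.active_relationship
                and years_since(r.last_activity, today) > limit):
            actions.append(Action(r.record_id, "delete",
                                  f"{r.category} retention of {limit}y exceeded"))
            continue
        exposed = sorted(f for f in r.fields if f in SENSITIVE_FIELDS)
        if exposed and not r.active_relationship:
            actions.append(Action(r.record_id, "redact",
                                  "sensitive identifiers retained after relationship ended",
                                  exposed))
            continue
        actions.append(Action(r.record_id, "keep", "within retention period"))
    return actions


def summarize(actions: List[Action]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in actions:
        counts[a.action] = counts.get(a.action, 0) + 1
    return counts


# Constructed sample inventory spanning the lifecycle the article describes.
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("ADM-001", "admissions", "admissions-crm",
           {"name": "A. Applicant", "ssn": "000-00-0000"}, date(2019, 3, 1), False),
    Record("HOU-002", "housing", "housing-portal",
           {"name": "B. Resident", "room": "12C"}, date(2022, 9, 1), True),
    Record("ALU-003", "alumni", "advancement-db",
           {"name": "C. Graduate", "email": "c@example.invalid",
            "ssn": "000-00-0001", "donation_total": "250"}, date(2015, 5, 1), False),
    Record("HLT-004", "health", "clinic-ehr",
           {"name": "D. Patient", "diagnosis": "redacted"}, date(2020, 1, 15), False),
    Record("ATH-005", "athletics", "athletics-app",
           {"name": "E. Athlete"}, date(2018, 8, 1), False),
]


def demo_plan() -> List[Action]:
    return plan_retention(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    for a in demo_plan():
        extra = f" fields={a.fields_to_redact}" if a.fields_to_redact else ""
        print(f"{a.record_id}: {a.action:6} ({a.reason}){extra}")
    print(summarize(demo_plan()))
```

The design point is that every record ends in one of four explicit states, and a category with no rule is flagged rather than kept indefinitely, which is the default outcome the article warns about; the `system` field is carried so that the same plan can be applied per department system, where the synchronization between systems discussed earlier means a deletion in one place must be mirrored in the others.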

Universities are more than ornate places of learning. They are custodians of personal data throughout each of our lives, and they must take that role seriously at a time when personal data, once possessed or accessed by another entity, cannot be retrieved.