As students, we are constantly generating data on campus, whether we know it or not. From using Blackboard to Polaris to Outlook, we are engaging in conversations with these channels through our actions online. How does Bowdoin treat this information? This week, in an effort to learn more about the ways in which Bowdoin handles our data and keeps up with emerging industry standards, I sat down with Michael Cato, senior vice president and chief information officer of information technology, and Christina Finneran, vice president of institutional research, analytics and consulting.
One of the latest developments in data regulation is the General Data Protection Regulation (GDPR), which was passed by the European Union (EU) in 2016 and came into effect in 2018. The regulation intends to provide individuals control over their data and to standardize such practices for businesses within the EU. I was surprised when the regulation came up in the first minute of my conversation with Cato and Finneran since I thought of the GDPR as contained to the EU vacuum.
“We certainly have GDPR compliance regulation now concerning the Bowdoin website since we have students around the globe who are interested in the College,” Finneran explained. “We have Bowdoin students who are Europeans and who might travel home and want to use the website or other services or a faculty member might be on sabbatical or conducting research in Europe.”
Thus the College must be aware of and be quick to incorporate privacy laws enacted in nations across the globe.
“The way the GDPR regulation is set up is that it covers people who are in Europe at the time, but not necessarily European citizens. Let’s say you’re a student studying at the Sorbonne in France and you receive a survey, how are we obliged then to manage these situations?” said Finneran.
She added that GDPR sets a precedent for other countries to add similar regulations. International companies are pressured to adhere to these standards as soon as possible or run the risk of fines, such as the $1.67 billion fine that Google was charged with earlier this year for antitrust violations in the online advertising market.
“We do not collect information about casual observers or website visitation records; that is not the type of business we’re involved in,” Cato elaborated. “The ways you’re using wireless, those records are collected for the purposes of bettering our system, but we do not publicize those records or sell them to a third company. In fact, we have tight controls over who has access to them even on campus.”
Cato and Finneran cited other ways Bowdoin reinforces student privacy such as controls over the sharing of students’ academic and health information. Bowdoin incorporates privacy measures in their survey policies as well, so that one cannot triangulate someone’s identity through survey results, which was a recent concern some had about the U.S. census. At Bowdoin, if for example, a survey was being analyzed for a small major where individuals might be identifiable, the Office of Research, Analytics and Consulting aggregate the results over a few years so as to add a layer of privacy protection.
Digital privacy is inherently different from other forms of privacy, and there is good reason to be on the side of individual privacy. Both Cato and Finneran have cited situations in which they’ve seen an individual’s privacy and security violated with major costs to an institution. At one large institution where Cato previously worked, the cost was $3 million to rectify the results of a data exposure.
“We had to send out notifications to all 50 states,” said Cato. “355,000 records, including social security number and personal information of every single student that had ever been at that institution, were leaked.”
Why was the cost so astronomical? Because the school had to hire a team of contractors to rectify the situation, track down all the individuals whose information was leaked and expand the institution’s IT team from one person to a team of eight in a span of six months.
And then there are privacy cases that are less clear to resolve and that lack legal precedent. Cato cited a situation concerning a former employer in which a student had given another student, whom they were dating, their institutional login information. After they broke up, the ex used their account with malintent.
When I asked Cato and Finneran how they would define privacy themselves, they stressed the importance of informed consent.
“Understanding how I am using these tools and how they are using me is important, so that I can make an informed decision about how to use them. It is only then that I feel like my privacy is respected,” said Cato.
“I like to be in control of what information organizations have about me. The idea that there are organizations that are making assumptions about me is what bothers me,” added Finneran.
So we can rest easy now, right? Our privacy is being protected on campus?
“My latest favorite search engine is duckduckgo,” joked Finneran.