While chief business officers might not always have personal expertise in the details of data integrity and use, it is essential to understand critical best practices in data ownership, access, and utilization.
Why is this understanding essential? Leaders have a responsibility to protect those about whom data are being collected and to be both ethical and effective in using one of the institution’s most powerful resources—data—to help improve performance. Without such understanding, leaders leave the door open for individuals to break laws, intentionally or inadvertently; expose the institution to security breaches; or abuse the trust of constituents and the public.
Follow Best Practices
In reviewing guidance on ethics and integrity in data management, we’ve identified four critical best practices that assist in data protection, access, and use in decision making. These can be challenging to fully execute—at Georgia Gwinnett College (GGC), Lawrenceville, we have succeeded in fully implementing two of the four and are exploring the appropriate mechanisms for the other two.
Be transparent and communicate. Know what information you are collecting and why—and communicate about it to stakeholders. Most institutions collect information related to grades, courses, ID card usage, food purchases, the directory, and so forth. When you do so, explain to students what you are collecting, why the data are useful or necessary, how it is protected, who has access to it—and, whether or not the data are used for institutional performance improvement.
Studies show that students usually are comfortable with this and often want to know the results of their data usage, and how it can help them as individuals. Analyses of classroom attendance, support services utilization, and academic performance can often be of use in identifying at-risk students and the specific steps they can take to reduce that risk. Students are generally receptive to targeted advice on how to improve their performance, particularly when they understand the underlying logic. Also, sharing the policies that guide data security, access, and use helps explain the methods in place to safeguard their information and allows them to assist in that goal.
Understand that institutions do not have total ownership of student data and its use. Students own their own data about themselves. The institution’s role is to communicate about how it compiles data on students and for what purposes.
An important element of data protection and integrity is to give students appropriate control over correcting their data and obtain consent on how it will and will not be used. Explain the process for data review and correction, and know when student consent is required.
The health-care industry follows model practices in this arena that can be embraced, since it demonstrates the ways to collect individual information protected by law (e.g., HIPAA, FERPA), and also analyzes the information to identify emerging health trends to prevent epidemics.
One option that provides flexibility for the institution is to request that students give the university “portable consent,” by which they agree that data may be used under certain conditions in certain ways. For example, data analysis may help answer questions such as: Does prior enrollment in some classes predict higher success in subsequent classes? Does early engagement in co-curricular activities predict persistence to graduation?
Clearly define access to data and secure it. Identify which individuals have access to data and for what purpose, and clarify what position or office can provide permission for data access. At GGC, a standing committee, with representatives from information technology, institutional research, institutional effectiveness, enrollment management, and business and finance, reviews all requests for data and makes a joint determination regarding both permission for access and responsibility for providing the requested data. This collaborative process ensures that each request is considered from multiple perspectives and serves to protect the college from oversharing. For example, through this process GGC has been able to ensure that individual faculty members do not gain access to protected contact information for students whom they have no professional need to contact.
Recognize the trade-offs between access to students and benefits and risks to the institutions. Also, know the role of the Institutional Research Board (IRB), which is responsible for monitoring human research activity and ethics. Requests for data pursuant to research activities should be accompanied by the IRB’s approval letter. These letters generally include a statement of data and data gathering activities that are approved, and access should only be provided for data listed in the letter. We also prefer that those requesting data reaffirm their commitment to the data confidentiality agreement with each request, as opposed to operating from broad permission systems that might pose a higher risk of data exposure.
Structure accountability and assessment. Those who have responsibilities for data should be aware of those responsibilities. A clear governance and stewardship structure should be in place. In our departments, we identify the individuals who should be contacted with questions, and ensure that users are appropriately trained, can make reasonable interpretations, and can support quality decisions. Identify who is responsible for the accuracy of data, and set up processes and safeguards.
We also maintain a current inventory of all third-party educational service providers being used and require written contracts that address privacy and data security. In agreements with third-party vendors, spell out requirements on handling student data and specifics for which the vendor is held accountable. In fact, an audit of third-party vendors that have access to your student information is a good place to start in preventing data leaks from third-party vendors.
The CBO’s Role in Data Management
Chief business officers have a responsibility to apply the values of the institution toward data ownership, access, and use and know the implications of their decisions. Clear policies and documentation that are reviewed and updated annually are essential tools in maintaining best practice in data management. Comprehensive campus wide education about each individual’s responsibilities is also critical and can be included in staff and faculty orientation and onboarding processes. Finally, it is critical that CBOs and other senior leadership demonstrate the importance of these processes by complying with all expectations and holding their staff accountable for doing the same.
Linda Gilbert, assistant to the vice president for educational technology (retired); Juliana Lancaster, executive director of the office of plans, policy, and analysis; Laura Ledford, executive director for enrollment management; and Jennifer H. Stephens, deputy chief of staff, Georgia Gwinnett College