Unbelievable but true – while most higher educational institutions engage in ecommerce activities, most of them engage in practices that present potential privacy risks, while less than 30% of them even post privacy notices on their web site home pages, according to a recently released survey. Plainly, universities and colleges need to go back to school when it comes to privacy.

Bentley College and Watchfire, a company specializing in online risk management, just surveyed 236 institutions that were top-ranked universities and national liberal arts colleges, as so designated by the 2004 U.S. News and World Report list of America's Best Colleges, with respect to online privacy issues.

This survey is timely, as most educational institutions now are using the Internet to process electronic admissions applications, while engaging in other types of ecommerce transactions, such as the online sale of athletic tickets, accepting alumni donations over the Internet, and selling textbooks, clothing and other items online. With a growing number of universities and colleges suffering data breaches, the need for privacy attention is heightened.

The survey contains a number of key findings, including the following:

• Practically 100% of doctoral universities and liberal arts colleges had at least one data collection form on a web page without a link to a privacy notice.
• Almost 100% of doctoral universities and liberal arts colleges had at least one data collection form that used the GET method to submit data, which poses identity theft risks because sensitive information is stored in web server log files that can be accessed under certain circumstances by hackers.
• A full 100% of doctoral universities and liberal arts colleges had a least one non-secure page with a data collection form.

The survey analyzed the content of 65 privacy notices that were linked from home pages of schools in the sample. This analysis revealed:

• 63% contained a statement defining the scope of the privacy notice.
• 66% contained contact information relating to privacy concerns.
• 20% contained a statement about how changes to the notice are handled.
• 85% described whether the site collects personal information.
• And none of these sites displayed a privacy trust seal.

Of the 51 schools that disclosed in their privacy notices that they collection personal information:

• 49% disclosed what personal information is collected.
• 90% reported how they use personal information.
• 59% described in the privacy notice how their sites use cookies or web bugs.
• 53% explained whether the schools share personal information when required by law.
• 53% reported in the privacy notice whether they share personal information with third-party affiliates.
• 33% described in the privacy notice how users could access their own personal information.
• And 61% made a statement about how their sites protect personal information.

Unfortunately, the results of this survey show that online privacy is not a true part of the mission of higher educational institutions. Obviously, universities and colleges need to go back to school to learn how to protect privacy interest on the Internet. This not only is the right thing to do from a current data protection standpoint, but it also sets the right example for the students who later will be leading this country.

Biography

Eric Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual property disputes. To receive his weekly columns, send an e-mail to with the word "Subscribe" in the subject line.

Disclaimer: This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.

Reprinted with permission of Findlaw.com