Unbelievable but true – while most higher educational institutions engage in ecommerce activities, most of them engage in practices that present potential privacy risks, while less than 30% of them even post privacy notices on their web site home pages, according to a recently released survey. Plainly, universities and colleges need to go back to school when it comes to privacy.
Bentley College and Watchfire, a company specializing in online risk management, just surveyed 236 institutions that were top-ranked universities and national liberal arts colleges, as so designated by the 2004 U.S. News and World Report list of America's Best Colleges, with respect to online privacy issues.
This survey is timely, as most educational institutions now are using the Internet to process electronic admissions applications, while engaging in other types of ecommerce transactions, such as the online sale of athletic tickets, accepting alumni donations over the Internet, and selling textbooks, clothing and other items online. With a growing number of universities and colleges suffering data breaches, the need for privacy attention is heightened.
The survey contains a number of key findings, including the following:
- Practically 100% of doctoral universities and liberal arts colleges had at least one data collection form on a web page without a link to a privacy notice.
- Almost 100% of doctoral universities and liberal arts colleges had at least one data collection form that used the GET method to submit data, which poses identity theft risks because sensitive information is stored in web server log files that can be accessed under certain circumstances by hackers.
- A full 100% of doctoral universities and liberal arts colleges had a least one non-secure page with a data collection form.
- 63% contained a statement defining the scope of the privacy notice.
- 66% contained contact information relating to privacy concerns.
- 20% contained a statement about how changes to the notice are handled.
- 85% described whether the site collects personal information.
- And none of these sites displayed a privacy trust seal.
- 49% disclosed what personal information is collected.
- 90% reported how they use personal information.
- 59% described in the privacy notice how their sites use cookies or web bugs.
- 53% explained whether the schools share personal information when required by law.
- 53% reported in the privacy notice whether they share personal information with third-party affiliates.
- 33% described in the privacy notice how users could access their own personal information.
- And 61% made a statement about how their sites protect personal information.
Biography
Eric Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual property disputes. To receive his weekly columns, send an e-mail to with the word "Subscribe" in the subject line.
Disclaimer: This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.
Reprinted with permission of Findlaw.com