< Back to Main Site

EDUCAUSE review onlineEDUCAUSE review online

Policy Dimensions of Analytics in Higher Education

0 Comments

Rodney J. Petersen is Senior Government Relations Officer and Managing Director, Washington Office, for EDUCAUSE.

The current higher education landscape is replete with demands for improving accountability, increasing efficiency, and controlling costs. At the same time, information technologies make it easier to collect and analyze information to measure outcomes or to assist in decision making. Consequently, there is a higher demand for better information and also a never-before-available supply of data. This corresponding increase in both supply and demand creates the perfect storm for higher education to move into a new era of analytics. However, in a recent discussion session about the legal issues and campus policy dimensions for analytics, one participant joked: "This is where analytics efforts on campus come to die!" Although legal and policy dimensions do present considerable challenges, they should not be simply dismissed as obstacles with no solutions. Therefore, it is helpful to frame the policy context of analytics to include the policy drivers that are generating demand and the campus policy choices that should be guiding campus practice.

Policy Drivers

Internal and external forces are demanding greater accountability and transparency of college and university finances and operations. Policy-makers at the federal and state levels are expecting answers to questions: How are taxpayers' dollars used? What is the impact of public investment in higher education? Are there ways to reduce costs and keep college affordable? Are institutions retaining students and ensuring that they complete college? There are also efforts to track individual students' progress along the educational continuum—from K–12 to postsecondary education to employment—through the use of state longitudinal data systems. Increasing emphasis on learning outcomes requires that we identify measures of progress and develop better mechanisms to assess learning. Data helps to unlock the mystery about college costs, learning outcomes, institutional effectiveness, and other performance indicators.

In most cases, this data is collected, analyzed, and reported to satisfy regulatory requirements and is often viewed as a bureaucratic intrusion upon institutional autonomy. Yet there is also an increasing recognition of the inherent value of data-informed decisions and the power of information technologies to create dashboards, infographics, or other snapshot views to keep governing boards, campus administrators, and faculty informed in a variety of areas—which in turn can help them spot early signs of trouble where intervention may be necessary. A key component of an analytics program is first to identify the policy questions to be answered and then to engage in a risk-management exercise, including a cost/benefit analysis, to determine if analytics will provide the answers or feedback needed.

Campus Policy

Creating a culture of evidence on campus requires clear policies and processes with respect to the use of data. A key component of a solid analytics program is a system that is built on trust and normalized processes, transcending individual personalities or arbitrary decision making. A holistic approach to data management starts with effective governance, rational policies, and reliable procedures.

Data Governance. The most important step that any campus can take is to create a comprehensive data-governance structure to address all the types of data used in various situations. For example, although cloud computing or service outsourcing (with data stored or handled outside of the institution) creates unique challenges, most of the policy and process questions could be addressed through a data-governance body. Similarly, as research institutions move to apply privacy protections and security safeguards to research data in a manner similar to administrative data, they will find that including research data within the data-governance system will lead to more consistent and effective results.1

Data Classification. One of the first tasks of a data-governance body is to inventory campus data sources and create a data-classification system that sorts data into categories that identify the necessary level of protection. This process may necessarily be different for a private versus a public institution, since state laws or regulations may require that certain information be available to the public. A typical classification scheme for a public college or university might include the categories of (1) public, (2) non-public, and (3) sensitive or regulated. It is often difficult to define terms or draw lines (e.g., between "non-public" or "sensitive"), which is why some institutions have chosen more generic categories (e.g., levels 1, 2, 3). A data-classification or data-categorization exercise is a fundamental building block for an analytics program.2

Roles and Responsibilities. Once the data has been classified, it is useful to clarify roles and responsibilities. This is often accomplished by assigning roles such as data stewards or data custodians. Data stewards are usually director-level employees who have the overall responsibility for specific data sets, including the enforcement of data standards and controls and the implementation of policies such as data access. Data custodians, in contrast, do not have the same policy authority but are often the departmental employees, IT staff, or users who have access to the data. As custodians, they have corresponding responsibilities to follow policy and procedures, but they do not typically have the power to authorize access.

Data Policies. The establishment of data policies and procedures takes on different forms at different types and sizes of institutions. In some cases, data policies may be dictated by legal or regulatory requirements that get translated into a formal compliance program. In other cases, data policies might establish the broad frameworks for data governance and classification and for the role of data stewards and custodians, as outlined above. Data access is perhaps one of the most important—and difficult—policy issues to clarify. Who should have access to the data and under what circumstances? Who is authorized to decide? What are the corresponding responsibilities of the data user (e.g., to protect data storage and transmission, possibly through the process of encryption, or to anonymize or de-identify data before reporting)? Data-retention schedules may also need to follow legal requirements (e.g., state public records laws). Equally important are the policy choices of when and how to securely dispose of or destroy data.3

Data Privacy and Fair Information Practices. The United States does not currently have a comprehensive national privacy law. As a result, federal and state laws and regulations have taken a piece-meal approach to regulating data according to the type of data collected. For example, the Family Educational Rights and Privacy Act (FERPA) governs the use of students' education records. The Health Insurance Portability and Accountability Act (HIPAA) is concerned with the use of personal health information. The Gramm-Leach-Bliley Act covers financial information. Employee information tends to be addressed by state law or through institutional policy or employment contracts. Since there are generally very few absolute mandates for data privacy, it comes down to choices about how to balance individual concerns for privacy with institutional needs. A common ethical framework for the development of campus privacy policies and practices can be found in the Fair Information Practice Principles. The Federal Trade Commission summarizes the principles as follows:

  1. Notice/Awareness: Individuals should be given notice of an entity's information practices before any personal information is collected from them.
  2. Choice/Consent: Individuals should be given options as to how any personal information collected from them may be used, and secondary uses should be permissible only after consent.
  3. Access/Participation: Individuals should have access to data about them and should have the ability to insist on that data's accuracy and completeness.
  4. Integrity/Security: Data must be accurate and secure, with controls to protect against unauthorized access, destruction, use, or disclosure.
  5. Enforcement/Redress: There must be mechanisms to ensure compliance and appropriate means of recourse by individuals.4

De-Identification of Data. Institutions may have a number of reasons for using de-identified data for business, academic, or operational functions. For instance, data can be made available for institutional use, without identifying the underlying data subjects, for research purposes, institutional effectiveness studies, performance and operational studies, IT security and operational reviews, and public health purposes. Other uses of de-identified data may require the ability to retain unique identifiers for individuals in the data set, without identifying the actual identity of the individuals. For example, a researcher may need to know that certain actions were all taken by the same individual, in order to form conclusions about how individuals use the data or service. A website designer may want to determine how long individuals stay on the site or how individuals traverse the site in order to find the information sought. Systems development, test, and training environments may require the use of data that simulates real production data while not actually consisting of real data elements (e.g., Social Security numbers). In such cases, de-identification processes are complicated by the need to replace unique identifiers, such as Social Security numbers or IP numbers, with alternative unique identifiers that cannot be used to identify the individual. Yet though de-identifying data is a useful step toward protecting privacy, the de-identified data can still carry a number of privacy risks.5

Information Security. Although closely coupled with many of the policy choices identified above, information security concerns not the restrictions put on data but, rather, the availability of the data and the resiliency of its underlying information systems. Business continuity planning is thus a critical aspect of any information security program.6

Conclusion

For too long, IT professionals in higher education have been fixated on the "T" (technology) without an appreciation of the importance of the "I" (information). Fundamentally, analytics centers on the effective use of data and information. Therefore, the starting point for the examination of legal issues and campus policies must be the collection, storage, use, and disclosure of data—which necessarily align closely with matters of data privacy and information security. As enablers of the effective use of analytics, information security and technology systems and networks should not be viewed as barriers. With the increasing demand for more and better analytics, the IT community needs to work with other campus stakeholders to ensure that appropriate data governance, data classification, data roles and responsibilities, and other data policies and procedures are in place.

Notes
  1. For more information, see the EDUCAUSE Data Governance resource page.
  2. For more information, see the EDUCAUSE/Internet2 Higher Education Information Security Council's Data Classification Toolkit.
  3. For more information, see the EDUCAUSE Electronic Records Management Toolkit, the EDUCAUSE Records Retention and Disposition Toolkit, and the EDUCAUSE/Internet2 Practical Information Media Sanitization Guidelines for Higher Education.
  4. For more information, see the Federal Trade Commission's Fair Information Practice Principles.
  5. For more information, see the EDUCAUSE/Internet2 Higher Education Information Security Council's Guidelines for Data De-Identification or Anonymization.
  6. On business continuity planning, see the EDUCAUSE/Internet2 Higher Education Information Security Council's Business Continuity Planning Toolkit; for more information about data protection, see the EDUCAUSE/Internet2 Higher Education Information Security Council's Confidential Data Handling Blueprint.

EDUCAUSE Review, vol. 47, no. 4 (July/August 2012)

 

Rodney Petersen

Rodney Petersen is Managing Director of the EDUCAUSE Washington Office and a Senior Government Relations Officer. He also directs the EDUCAUSE Cybersecurity Initiative and is the lead staff liaison for the Higher Education Information Security Council. Prior to joining EDUCAUSE, he served as the Director of IT Policy and Planning in the Office of the Vice President and Chief Information Officer at the University of Maryland. He previously held the position of Campus Compliance Officer in the Office of the President at the University of Maryland where he mediated disputes and handled grievances under the Human Relations Code, including claims of discrimination or harassment that increasingly involved misuse of the Internet. He also completed one year of service as an Instructor in the Academy for Community Service for AmeriCorps National Civilian Community Corps where he taught alternative dispute resolution and facilitated service learning projects. He began his professional career in higher education as the Resident Student Life Director at Michigan State University. He is the co-editor of a book in the EDUCAUSE Leadership Strategy Series entitled "Computer and Network Security in Higher Education". He is also a founding member of the Association of College and University Policy Administrators and the author of "A Primer on Policy Development for Institutions of Higher Education" and "A Framework for IT Policy Development". He writes and speaks regularly on topics related to higher education cyber law and policy. He received his law degree from Wake Forest University. He also received a certificate as an Advanced Graduate Specialist in Education Policy, Planning, and Administration from the University of Maryland.

 

Most Popular

Stay Up-to-Date

RSS Email Twitter

Share Your Work and Ideas

Issues coming up will focus on digital scholarship, administrative computing, the value of IT, and building the profession. Share your work and ideas with EDUCAUSE Review Online.

E-mail us >
Close
Close


EDUCAUSE Connect
View dates and locations

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

EDUCAUSE Institute
Leadership/Management Programs
Explore More

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.