Workforce management is a hectic task these days owing to the considerable growth in the size of teams. The management of data is a fragile aspect because the consequences of failing to maintain it safely and securely are definitely not advantageous. Governmental intervention in the sphere of privacy and security makes its significance all the more evident. While other industries have speedily implemented awareness programs related to privacy and security policies, the education sector has been slower. However, the initiatives are constant, and this report highlights the basic laws and regulations that guide the privacy and security of educational institutions. Here, with specific reference to the practices of University A, the importance of the law and the obligations under it are briefly discussed, with specific light on some of the related aspects.
University A is responsible for maintaining the personal information of all the individuals connected to the institution and for using that information according to legal standards. The necessity of securing sensitive information was reinforced when the state and federal governments intervened to regulate the storage and utilization of that information. The data is sensitive because it could cause financial or reputational harm to any person whose data is held by the University. The laws and regulations associated with privacy and security concern both personally identifiable sensitive information and the ways in which it is to be collected, as Siponen (2000) mentions.
Data protection policies need to be incorporated in educational institutes to ensure that there is no chance of a data leak that might lead to any adverse consequence. Thus, the regulations are clearly inclined to protect the privacy of individuals whose data is stored in the records of the University. The most important aspect is that the regulations apply to data collected in both paper and electronic form. However, the laws are framed in a manner that allows the authorized transfer of data among legitimate sources associated with the business or as per legal requirements.
The University has varied approaches and expectations to meet regarding privacy and security. The laws and regulations in place for aligning institutions with standard practices are specific, and it is important that they are incorporated in the system of operations. The regulations apply to every individual who interacts with the University, such as staff members, students and agents. The entire faculty is also part of the list, along with affiliates and third-party agents. However, the scope of the policy is limited to maintaining the privacy and security of personally identifiable information, without superseding any of the existing policies that the University follows.
It also involves factors such as the fee structure, library amenities and other administrative activities. Compliance in every form is to be maintained to meet the expected benefits for the university. Maintaining proper decorum would help the university gain the financial advantage that is necessary for the successful running of its functions. Therefore, the university has an obligation to keep records safe without the intervention of any second party, as that might create a dispute.
Privacy and security concern the preservation of information that is personal and sensitive. The Privacy and Data Protection Act 2014 comes first in taking care of the information records held by the University workforce. The health information of individuals is also protected under the Health Records Act 2001. The University must comply with these policies to ensure that the privacy of all the individuals associated with it is handled within the limits of the law. University A also needs to comply with the Information Privacy Principles, which fall under the Privacy and Data Protection Act 2014, and the Health Privacy Principles in the Health Records Act 2001. The Privacy Act 1988 binds the complete workforce in dealing with sensitive information (McKelvey, 2014).
The above-mentioned regulations define a particular scope within which programs have to be designed in order to align with the accepted policies. It is the responsibility of the University to collect the required information under the strict guidance of the policies. The University's major obligation lies in the collection of information, for which there have to be certain authorized activities that need the information to be available. In general, the University is eligible to collect information for any function related to education. The employment of faculty members and staff also requires the collection of personal information, and for this there is no other liability of permissible context. The University is also entitled to collect information on grounds of health services. Implementing ways to achieve these would result in financial profits for the University. The net revenue would automatically improve once the systematic structure is incorporated and followed.
While collecting information, the University should take care that the collection is done through lawful and fair practices. Collecting any information through intrusive means is clearly against the law and does not meet the criteria for data privacy and security. The consent of the individual from whom the information is collected is of paramount importance. He or she should be clearly informed of the purpose for which the data is being collected. There must also be clear instructions on how individuals can access their information and on the parties with whom the data might be shared. It is always beneficial if the person is informed about the law on the grounds of which the information is collected, and whether the information would by any means be required by law, as observed by Farooq et al. (2015). The person entrusting the University with sensitive information should know the consequences if the required information is not provided, as well as the policies that serve the privacy and security of his or her personal data. The University is to collect sensitive information only on limited occasions, and then with the consent of the individual if it is a legal requirement.
There are circumstances in which individuals might refrain from sharing their identity during their transaction with the University, where the law makes that practicable. However, in such an instance the University is not entitled to offer services to those individuals. The University has several obligations in terms of using or disclosing the information of the individuals with whom it is associated. In most cases, the use or disclosure has to be for the basic purpose for which the information was collected. Apart from the primary purpose, the University is allowed to share personal information for a secondary purpose, provided it is related to the primary purpose. In the case of health and sensitive information, the information might be used and disclosed for a secondary purpose, but that purpose has to be related to the primary purpose, and the individual must have full knowledge of the scope of usage of his or her information.
Apart from the above-mentioned scenarios, University A is entitled to use or disclose information only with the informed consent of the individual, with the pact of an authorized disclosure, or if it is required by law. Each of the staff members and students who are part of the University is bound by the privacy guidelines, which restrict them from sharing any information or requesting access to information. Hence, the privacy statements play an important role, and it is again the obligation of the University to convey them clearly to everyone.
University A at times needs to send data outside the University in order to conduct the functions and activities of the institute smoothly. However, this can be done only when the recipient is also subject to similar policies for handling information fairly. The transfer of information can also happen if it is for the benefit of the individual but he or she is unable to provide consent for the transaction because conditions make it impracticable, where they would otherwise have consented to the action. The exchange of information is mostly based on the benefit of the individual and is strictly limited to the applicable legislative principles. Ensuring alignment with the standard system of data exchange and collection reduces expenditure on compliance changes, which would add more revenue for the University.
Another obligation of the University lies in giving individuals access to their information and correcting it, which is again subject to legal requirements. The storage of data falls under the workforce for records management, so accessing information or requesting any such permission also has to be in accordance with the principles applicable to the records management procedure. The University has a provision known as the Freedom of Information process that allows it to process requests for access to information. Whenever there is a chance of a probable conflict in accessing or sharing information, the University must always fall back on the advice of the Privacy Officer. A very common instance occurs when an individual states that his or her data is inaccurate, incomplete or not updated. The University handles such cases by taking reasonable steps to change the information or by recording the individual's disagreement about the inaccurate information on file. There is an increased chance of securing extra government funding once the compliance rate of the University is improved and all the measures of privacy and security are efficiently and effectively executed.
The clear statement of the University's responsibilities in maintaining the sensitive information of individuals continually reinforces the significance of data handling. The legislative principles act as a stamp on the procedures that the University has to abide by while dealing with information. Failure to meet the accepted standards of preserving data results in stern disciplinary measures and serious consequences, leading to progressive disciplinary actions and even termination of employment, as observed by Kotyk (2013). Violation of any of the codes of conduct is highly unacceptable, as it involves the sensitive information of individuals, which is solely personal and should not be made public without the consent of the respective parties, as pointed out by McKelvey (2014). Moreover, this is sensitive information, and misuse of such data might lead to its usage in every wrong way.
The obligations are designed to comply with the legislative rules, as well as to be cognizant of the ways of collecting and keeping data from the associated individuals. Failing to implement the standards would lead to a breach of privacy and security that would cost the University dearly, as remarked by Farooq et al. (2015). Thus, every institute tries to closely follow the lines of the law for the collection and storage of sensitive information. Moreover, being compliant with the privacy and security system enables the University to secure its financial grants.
If a breach is suspected or discovered, the matter has to be reported immediately to the authorities so that the steps to address the breach can be lined up. The consequence faced depends on the nature of the breach. Authoritative bodies such as the Director, ITS Security and Risk Assurance personnel are generally responsible for regulating the actions, including coordination of the responses received from the University to the breach of privacy security. There would also be penalties leading to actions against the University, which is good neither for its reputation nor for its finances.
A breach of policy would, in the first place, expose personal information to unauthorized sources, which would be harmful for the individual. The harm could take the form of physical, psychological or financial loss to the individual. The kind of breach is established in order to estimate the possible harm so that measures can be taken to mitigate the damage. A breach can be caused by a systemic problem, in which case more people are put at risk. However, an unintentional breach bears the same consequence as an intended breach, and the effect falls on many individuals, with greater risk of the data being misused, as pointed out by Ahlan et al. (2015).
The potential consequences of a breach are identity theft and financial loss, which further lead to threats to physical safety and the loss of data exclusive to one's academic or employment details. The furthest anticipated damage is humiliation, which is likely to damage reputation and is a threat to emotional wellbeing, as stated by McKelvey (2014). Other than the losses directed solely at the individual, there are other harms to the University as well if a breach of privacy security takes place. The major consequence is losing the trust of the public in the University, which would severely hamper its normal functioning. The reputation of the University would take a major blow and adverse times would have to be faced. Moreover, there could be a possibility of loss of assets, which might be the cause of the breach of privacy security. A university has many operational tasks that are password protected because they are confidential. A breach of privacy can also result in financial exposure, and the compensation to be paid for it would be severe, involving legal proceedings.
Privacy policies are already in place for every institute. The workforce associated with managing information is aware of the privacy standards. However, it is essential that adequate steps are taken to demonstrate the compliance rules to everyone, so that they comply with the applicable rules and regulations related to accessing, storing or disclosing sensitive information, as opined by Chan et al. (2005). Hence, it is among the other responsibilities of the University to implement, review and monitor its practices and internal policies from time to time to ensure compliance with the central policy structure.
The first way to demonstrate compliance is to fully inform and train the workforce to collect and access data completely on a par with the privacy standards. When data is collected from individuals who enter into any form of transaction with the University, the process should be transparent. The person must know the purpose for which the data would be used. All uses and disclosures of the sensitive information must be properly tracked under secure methods. The processes have to be completely aligned with lawful principles before any sort of transaction is initiated, as Chandarman and Van Niekerk (2017) opine. The protection of personal information and the fair means of future transactions should be presented to the other side so that everything continues transparently.
Privacy and security also encompass several other initiatives that fall in the same line of protecting information. Data governance is one such procedure that the University needs to have; it documents the legal basis that led to the collection and processing of data. There must also be documentation of the purpose of the collection and the span for which the data would be available online. The University must also accommodate the individual rights that one can exercise with respect to one's personal information. Any individual can exercise the right to limit the disposal of data with the University, for which they have to reach the concerned authorities to facilitate further actions. So, there has to be an easy provision for contacting the concerned body without delays and other disruptions.
This report reinforces the importance of privacy and security in educational institutes. The laws of the government guide the activities of such institutions, and all the programs designed to be conducted as part of the workforce have to be within the scope of the regulation guidelines. From the perspective of privacy and security, University A has a number of regulations to comply with in order to be on a par with the standard norms of maintaining data. The policies hold certain obligations for the university, such as maintaining the standard codes for keeping individual records safe and secure. Breaching any of the policies leads to serious consequences and is absolutely against the law. At the same time, it is important to demonstrate to the workforce that the University is compliant with the data protection policies. This would lead to awareness among people and encourage them to build their trust accordingly.