Skip to main content

IT@Cornell


Working Definition of Privacy

There are many ways to define information privacy. Since the Cornell IT Policy Office is working with Professor Daniel Solove on assessing information privacy at the university, we have posted some basic concepts below, reproduced with permission from his Guide to Developing a Comprehensive Privacy Program (CUWebLogin required.)

WHAT IS PRIVACY?

Many commentators have lamented that the meaning of “privacy” is vague and elusive. According to Professor Solove, we should understand privacy is an umbrella term for a group of related yet distinct things. Privacy is about respecting the desires of individuals where compatible with the aims of the larger community. Privacy is not just about what people expect but about what they desire. Privacy is not merely an individual right – it is an important component of any flourishing community. 

With regard to schools, some of the privacy issues include:

Cyberbullying
Cyberbullying occurs when students use the Internet (blogs, social media, texting, etc.) to harass, humiliate, or torment other students.

Gossip
Students or employees can spread harmful, embarrassing, or discrediting information about other students or school employees.

Defamation
Students or employees can spread false rumors about others.

Data Security Breaches
Personal information maintained in school record systems can be leaked, lost, stolen, or improperly accessed.

Improper Disclosure
Personal information about students, employees, or other individuals can be improperly disclosed to others or the public.

Breach of Confidentiality
Secrets learned in confidence can be improperly revealed. Sometimes, these secrets should be revealed, such as when there is a duty to reveal such secrets when there is a health or safety threat.

Unreasonable Searches
School officials could engage in an improper search of a student or employee – either (1) without sufficient justification or suspicion of wrongdoing or (2) too broad or intrusive to achieve the purposes of the search. In addition to the Fourth Amendment, which regulates public schools, there are statutes that regulate both public and private schools.

Surveillance
The school’s use of surveillance cameras or monitoring of its computer network can cause problems if not appropriately limited or subjected to oversight.

WHAT IS A COMPREHENSIVE PRIVACY PROGRAM?

To protect privacy adequately, all schools should develop a comprehensive privacy
program. A comprehensive privacy program is an orderly and thorough way to address all of the
school’s privacy risks by:

  • Identifying the risks
  • Adding or revising policies
  • Providing guidelines to employees to prevent mishaps
  • Training employees about how to deal with privacy issues
  • Keeping updated about new legal and technological developments

A comprehensive privacy program should ensure the privacy of everyone in the school community is protected—students, employees, families, alumni, donors, applicants, and others. A commonly asked question is, “My school has a program for following the Family Educational Rights and Privacy Act (FERPA). Is that sufficient as a comprehensive privacy program?”

No. Schools must do more than just follow FERPA, which covers just a fraction of the privacy issues schools must face. The Act does not address alumni and donor records, employee information, searches and surveillance of students, confidential information not maintained in records, cyberbullying, data retention and destruction, data security, sexting, and countless other issues. Dozens of other federal and state laws apply to schools.

WHAT ARE PRIVACY RISKS?

A privacy risk includes any potential problems involving the collection, use, or disclosure of personal data by the school or by others within the school community.

There are several types of privacy risk:

  • Legal Compliance—Failure to comply with privacy laws and regulations can result in significant legal sanctions, liability, fines, and other unpleasant consequences. There are dozens of federal and state laws that apply to schools.
  • Reputational—Having a privacy mishap can severely damage the reputation of a school.
  • Financial—Privacy violations can lead to costly litigation, large damage awards, and expensive and burdensome legal requirements (data security breach notification).
  • Student Well-Being—Leaked or improperly-disclosed data can cause significant harm to students as can failure to respond to incidents where students are violating each other’s privacy (cyberbullying, online gossip, etc.)
  • Employee Well-Being—Privacy mishaps can affect and harm employees
  • Soured Relationships—Privacy mishaps or even poor privacy practices that have not involved an actual mishap can sour relationships between schools and parents, applicants, donors, alumni, and others. These relationships are essential for schools.
  • Time and Resources—One of the largest often under-appreciated privacy risks involves the extensive amount of time and resources needed to respond to a privacy mishap.

All content on this page © TeachPrivacy, LLC.