Dive Brief:
- Ed tech startups typically do not place a priority on student data protections early on, according to a new study by the School of Public Policy and Management at Carnegie Mellon University, Heinz College, that found few resources and little demand from consumers don't give startups incentive to “establish formal strategies” around public-facing communications concerning data protection.
- These startups tend to use an open source, standardized privacy policy when they start, but those policies usually become customized as the startups expand operations — plus, innovation at ed tech startups doesn't seem to be encumbered by concerns regarding privacy regulation, according to the report.
- The report suggested that such startups should have dynamic privacy practices and should work to build a culture surrounding the protection of student data in its staff. Additionally, these startups should try to avoid collecting and/or keeping student data if it is unnecessary.
Dive Insight:
Though it is important to note that the sample size for the study was small (only six tech startups were analyzed), it can be helpful for higher ed administrators who are working to ensure student data is protected. Higher education is the most vulnerable industry to hacking besides healthcare, and there are numerous strategies higher ed institutions can use to make their own tech practices safer, including firewall establishment and multiple authentication steps for users. Still, there are certainly benefits to partnering with a tech startup. The costs may be significantly less than partnering with businesses that are more renowned, and schools may have the chance to benefit from innovative tools or approaches before they become widely disseminated in the marketplace.
However, the study notes that startups may not substantively focus data security and management practices, at least in the early stages of the business, because they often faced “little demand from customers” on instituting certain practices. This means it may be incumbent on higher ed institutions to require that startups promise more student data protection from the outset, which could instill a more widespread understanding among all ed tech companies that such protections should be considered essential. It is beneficial for colleges and universities to demand this, as well. Industries and companies often suffer bad press in the wake of substantial data breach, and higher ed institutions in a similar situation would likely not avoid such scrutiny.