Advisory Opinion: Managing Data Security With Technology Providers


By the Principles for Ethical Professional Practice Committee

Students, alumni, and employers expect that career centers will provide efficient and effective ways for them to connect within the virtual environment. To use these systems, users may be required to provide a certain amount of personal information. Users may also believe that their career centers have a degree of control over the technology provider platforms and, therefore, trust that the online platform is secure and safe for them to use.

For career centers, the related ethical considerations are:

  • Principle 1: Practice reasonable, responsible, and transparent behavior.
  • Principle 4: Comply with laws associated with local, state, and federal entities, including, but not limited to, EEO compliance, immigration, and affirmative action.
  • Principle 5: Protect confidentiality.

There are two main areas of concern for career development professionals—1) the security of the user’s personal information and 2) the use of that same information by technology providers (or, depending on the situation, the higher education institution itself). Both of these concerns are developing areas, and the recommendations will likely continue to evolve along with the related societal discussion.

The security of personal information is a concern for users, who are typically students and alumni of the institution. User data could be compromised through malicious hacking or unintentionally through data disclosure without authorization. Stolen personal data can lead to a variety of negative outcomes for victims, including identity theft. Consequently, it is imperative for educational institutions, technology providers, and employers to know how to safeguard student data that are stored internally or through a third party, to carefully consider what data and information they are collecting, and to clearly communicate how the information will be used and to whom it will be disclosed.

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects student identifiable information found in student records from unauthorized disclosure. The Protection of Pupil Rights Amendment (PPRA) is a federal law that provides certain rights for parents of students regarding, among other things, student participation in surveys; the inspection of instructional material; and the collection, disclosure, and use of personal information for marketing purposes. In addition to FERPA and PPRA, there are other statutory and regulatory requirements affecting both educational institutions and employers with respect to handling and maintaining student personal data. Currently, there are 40 states with established laws relating to student privacy. State and federal laws vary in terms of what information is protected. Colleges and universities should work with their legal professionals to determine the impact of FERPA, PPRA, and other applicable laws with respect to the use of any electronically stored personal information of students/alumni.

The use and security of personal data is a rapidly evolving area in terms of the types of technology used, user attitudes, and legal frameworks and requirements. Career center professionals should understand both the general and platform-specific situations presented by platforms that involve the use of personal data. Career center professionals should expect to invest time in staying current on the topics of data privacy and the online security of student personal information and be ready to update related policies.

Key Considerations for Selecting Technology Providers

When choosing a technology provider, career center staff should consider:

  • What data are being provided by whom and for what purpose?
  • How will the technology provider ensure the security of users’ personal information?
  • What personal information does the technology provider ask students to provide, and is it necessary to provide all of the information requested for the student to use the platform to its fullest potential?
  • How is the technology provider using student data, e.g., what is presented to employers, what is visible to other users, and how is the technology provider using the information to further develop the system itself?
  • What laws, statutes, and/or regulations apply to the disclosure of the student data to the technology provider? Specifically, are there FERPA, PPRA, and/or state-related issues?
  • How will the technology provider ensure that users have consented to how their personal information will be disclosed or used?
  • What protections are provided by the technology provider to the educational institution for any unauthorized disclosures or breaches of security related to student data?
  • Does the provider agreement contain indemnification language to protect the educational institution?
  • Does the provider agreement include language that specifies any limitations regarding the use of student personal information and reasons for disclosure?
  • Has the technology provider incorporated universal design into its product? Can the technology be used by all students?
  • Should a data breach occur or the technology be used for illegal or unethical practices, who is responsible for notifying the affected parties and is such language included in the provider agreement?

Key Considerations for Sharing Personal Information With Technology Providers

To ensure that all reasonable steps have been taken to both safeguard student/alumni data and protect the educational institution from potential liability, the following recommendations should be considered: 

  • Career centers should not enter into any technology provider agreements without reviewing such agreements with their legal teams. Such agreements should, at a minimum, contain indemnification provisions to protect the educational institution in the event of a data breach. The agreements should also specify who is responsible for notification in the event of a breach and provide a designated contact person for the provider.
  • Career centers should work with their IT and legal teams to review current data security and use policies, including those related to technology provider selection and contracting, to ensure that they are up-to-date and to address any concerns that may exist related to how technology providers manage user data. These policies should be compliant with applicable laws, such as FERPA, PPRA, and the General Data Protection Regulation in European Union law (GDPR).
  • Career centers may wish to provide a guide for users on data security as well as tips on how users could protect their data while still providing necessary information to employers as part of their job searches. It may also be advisable to inform users (students and alumni) that they are responsible for reading a technology provider’s privacy policy and for understanding how the personal information that they share is stored and used.
  • Career centers could also engage with technology providers to provide information related to how they are currently employing user-provided data in the development of their products. As this is a rapidly changing area, these conversations could continue over the course of the educational institution/technology provider relationship. Career centers may also want to engage in conversations with technology providers related to user consent and how that consent is obtained.
  • Career centers, in conjunction with the institution’s legal counsel, IT departments, and technology providers, should develop procedures to notify affected students and alumni in case of a data breach or misuse of the technology system.

It is imperative that both colleges and employers understand their legal obligations when handling and maintaining student personal data and information, particularly as technology systems become more complex and integrated. Both technology providers and career centers must ensure that they have established policies and procedures to protect data while balancing the ability of students and employers to connect.

Key Considerations for Students: Sharing Personal Information With Technology Providers

Many technology providers and third parties collect students’ personal information online to customize their services to fit the students’ needs and interests and to determine their consumer demographics. In some cases, this could involve reselling that information to others. Consequently, students should be aware of the potential risks regarding the security and use of their data by technology providers.

Ideally, students should read a technology provider’s privacy policy carefully before providing or agreeing to provide any personal information to ensure that the technology provider is providing the security and privacy protections that students should expect. It is also best for students to stay up-to-date on providers’ privacy policies, as they are subject to change. It is important for students to understand that they are responsible for the data they disclose to a technology provider. Students should not agree to anything in writing without reviewing the same with legal counsel or career center staff.

Here are a few questions that students should consider in reviewing a privacy policy before deciding what type of information to provide:

  • Is the technology provider well known in the market? How long has it been in existence? The legitimacy of a technology provider is often measured according to its longevity, so students will want to consider if the technology provider has endured the test of time.
  • How will the technology provider ensure the security of the student’s personal information? How are personal data processed and stored, and for how long?
  • Does the platform have security features and a dedicated security team?
  • How is the technology provider using the student’s data? How often and how much of the personal information is being shared and with what other parties? (For example: What can employers see? What is visible to other users?) How is the technology provider using the information to improve the system?
  • Does the technology provider state clearly whether it sells personal information, and, if it does, for what purposes and to which third parties?
  • Does the technology provider agree in writing that it is compliant with applicable laws, statutes, or regulations, including FERPA, PPRA, HIPAA, and the GDPR, as well as relevant industry standards and best practices?

All legitimate technology providers and businesses should have a privacy policy easily accessible to users. If a technology provider does not have an easily accessible privacy policy online for review, then it may not be a safe technology provider with which to share personal information.

Students are also strongly encouraged to consult their school’s IT department and career center about any technology provider’s privacy policy, as well as review their institution’s security tips and best practices.


Reviewed and revised by the 2024 Principles for Ethical Professional Practice Committee.
