The revision of existing institutional data policies is an important step. Even a cursory review of existing data policies across the higher education institution landscape reveals that many share the same characteristics. They tend to be technical and tactical in nature and define in great detail how to protect different types of data, primarily on the basis of their sensitivity, from unauthorized access. Most will cover student data, but typically only with respect to compliance with federal or state laws. Some extend to intellectual property (IP) generated through research activities, largely to ensure that future claims around the value of the IP can be defended. However, none of the policies we have seen specifically address the strategic issue of regulating authorized access to and use of institutional data.
In short, existing policies tend to focus on preventing unauthorized access to data, rather than ensure that authorized access to data is coherent with the strategic goals of the institution. It is critical for data policies to be revised to address the myriad strategic questions raised by the proliferation of data and data analytics. These questions include:
-
What problems/opportunities is data expected to address?
-
What data can be shared with different categories of third parties?
-
Who should maintain ownership of the data itself?
-
What rights should the institution secure with regard to the output of data analysis?
-
What resale uses should be allowed?
-
What should be the economic goals of data agreements?
-
What rights of audit should institutions demand from third parties to ensure adherence to contractual obligations regarding data and data analytics?
-
Should open source software be mandated or preferred in order to facilitate transparency?
-
Should algorithms be transparent to the institution, allowing users to understand their mechanisms (and possible biases)?