National Association of Colleges and Employers NACE Center for Career Development and Talent Acquisition®
  • Case Study: Data Security

    Organizational Structure

    TAGS: case study, ethics, principles, privacy

    by the Principles for Ethical Professional Practice Committee

    Scenario: The career center has contracted with an external service provider (vendor) to provide an online platform that will allow students and alumni (users) to engage with employers. As part of this service, users complete a profile and have the option of uploading a resume. Employers complete company profiles and are able to advertise opportunities with their organizations. The career center is able to use the system to manage events as well as send information out to users and employers. The service provider that hosts the system for the career center is able to access information that the users have provided as well as data related to how users engage with the system. The service provider has informed the career center that it will use this information to tailor each user's experience with the system to the user’s individual career interests.

    Recently, a student spoke with a staff member and expressed concern about uploading her personal information to the system. She recently read a news article about how a social media site's user data was used by a third party without the knowledge of the users. She would like to take full advantage of the career center's resources, but she wants to be sure that her data will be safe within the system. What should the career center be aware of when dealing with its vendors about data security issues?

    Questions:

    • What should the career center consider when choosing a vendor? Career center staff should consider:
      • What data are being provided? Is the student required to provide data protected by the Family Educational Rights and Privacy Act (FERPA)?
      • How will the vendor ensure the security of users’ personal information?
      • What personal information does the vendor ask students to provide, and is it necessary to provide all of the information requested for the student to use the platform to its fullest potential?
      • How is the vendor using student data (e.g., what is presented to employers, what is visible to other users, how is the vendor using the information to further develop the system itself)?
      • What laws, statutes, or regulations apply to the disclosure of the student data to the vendor? Specifically, are there FERPA-related issues?
      • How will the vendor ensure that users have consented to how their personal information will be disclosed or used?
      • Does the vendor indemnify the educational institution for any unauthorized disclosures or breaches of security related to student data?
    • Does career center staff have a responsibility to:
      • Educate students on the risks of sharing personal information within the vendor system?
      • Inform students as to how the vendor may use the personal information that they have shared (i.e., use a disclaimer or ask for consent)?

    Analysis:

    • Students, alumni, and employers expect that career centers will provide efficient and effective ways for them to connect within an online environment. To use these systems, users may be required to provide a certain amount of personal information. Users may also believe that their career centers have a degree of control over vendor platforms and, therefore, trust that the online platform is secure and safe for them to use.
    • Within this scenario, there are two main areas of concern for career development professionals—1) the security of the user’s personal information and 2) the use of that same information by vendors (or, depending on the situation, the higher education institution itself). Both of these concerns are developing areas, and the recommendations in this case study will likely continue to evolve along with the related societal discussion.
    • The security of personal information is a concern for the user. User data could be compromised through either an external hack or a malicious posting in which a criminal poses as a legitimate employer. Stolen personal data can lead to a variety of negative outcomes for victims, including identity theft. If the career center discloses the personal data to a vendor without the authorization of the student and it is subject to a breach, the career center may have potential liability exposure as well.
    • In addition, vendors may use the student data that is being provided by users (both in terms of personal information as well as how the system itself is used) to further develop the usefulness of the contracted platform. Although this approach may have benefit for all parties involved, it is worth considering to what degree users have consented for their information to be used by the vendor.

    Principles That Apply:

    • Principle 1: Practice reasonable, responsible, and transparent behavior.
    • Principle 4: Comply with laws associated with local, state, and federal entities, including but not limited to EEO compliance, immigration, and affirmative action.
    • Principle 5: Protect confidentiality.

    Options for Resolution:

    • The career center should not enter into any vendor agreements without reviewing such agreements with its legal teams. Such agreements should, at a minimum, contain indemnification provisions to protect the educational institution in the event of a breach.
    • Career centers should work with their IT and legal teams to review current data security and use policies, including those related to vendor selection and contracting, to ensure that they are up to date and to address any gaps that may exist related to how vendors manage user data. These policies should be compliant with applicable laws, such as FERPA.
    • Career centers may wish to provide a guide for users on data security as well as tips on how users could proactively protect their data while still providing necessary information to employers as part of their job searches. It may also be advisable to inform users that they are responsible for reading a vendor’s privacy policy.
    • Career centers should inform students that the students are solely responsible for the disclosure of any data to a vendor and include language that limits potential liability for the educational institution.
    • Career centers could also engage with vendors related to how they are currently employing user-provided data in the development of their products and put any such details in the written agreement between the parties. As this is a rapidly changing area, these conversations could continue over the course of the university/vendor relationship. Career centers may also want to engage in conversations with vendors related to user consent and how that consent is obtained by the vendor.

    Other Considerations: The use and security of personal data is a rapidly evolving area in terms of the technology itself, user attitudes, and legal framework. Although this case was written with a specific type of technology in mind, career center professionals should take care to understand both the general and platform-specific situations presented by a range of platforms that involve the use of personal data. Career center professionals should expect to invest time in staying current on the topic of the online security of personal information and be ready to update related policies.

    Posted October 2018
