Reprinted with permission from CNET News

Unbelievable but true: While most higher educational institutions engage in e-commerce, most also engage in practices that present potential privacy risks--and less than 30 percent bother posting privacy notices on their home pages.

When it comes to privacy, universities and colleges need to go back to school.

Bentley College and Watchfire, a company specializing in online risk management, just surveyed 236 institutions on their online privacy policies. The list was culled from universities and national liberal arts colleges appearing in the 2004 U.S. News and World Report ranking of America's best colleges.

This survey is timely, as most educational institutions use the Internet to process electronic admissions applications. They also engage in other types of e-commerce transactions, such as the online sale of athletic tickets, alumni donations over the Internet, and the sale of textbooks, clothing and other items online. With a growing number of universities and colleges suffering data breaches, the need for privacy attention clearly is heightened.

A full 100 percent of doctoral universities and liberal arts colleges had a least one non-secure page with a data collection form.

The survey contains a number of key findings. Among the highlights:

  • Practically 100 percent of doctoral universities and liberal arts colleges had at least one data collection form on a Web page without a link to a privacy notice.

  • Almost 100 percent of doctoral universities and liberal arts colleges had at least one data collection form that used the GET method to submit data, which poses identity theft risks because sensitive information is stored in Web server log files that can be accessed under certain circumstances by hackers. (The GET method refers to a form submission where the form input consists of a query string which is appended to the URL of the requested page.)

  • A full 100 percent of doctoral universities and liberal arts colleges had a least one non-secure page with a data collection form.

The survey analyzed the content of 65 privacy notices that were linked from home pages of schools in the sample. This analysis revealed:

  • 63 percent contained a statement defining the scope of the privacy notice.

  • 66 percent contained contact information relating to privacy concerns.

  • 20 percent contained a statement about how changes to the notice are handled.

  • 85 percent described whether the site collects personal information.

  • Not a single one of these sites displayed a privacy trust seal.

Of the 51 schools that disclosed in their privacy notices that they collection personal information:

  • 49 percent disclosed what personal information is collected.

  • 90 percent reported how they use personal information.

  • 59 percent described in the privacy notice how their sites use cookies or Web bugs.

  • 53 percent explained whether the schools share personal information when required by law.

  • 53 percent reported in the privacy notice whether they share personal information with third-party affiliates.

  • 33 percent described in the privacy notice how users could access their own personal information.

  • 61 percent made a statement about how their sites protect personal information.

Unfortunately, the results of this survey suggest that online privacy still is not a true part of the mission of higher educational institutions. Obviously, universities and colleges need to learn how to protect privacy interest on the Internet. Not only is this the right thing to do from a current data protection standpoint. It also sets the right example for students who someday will graduate to become leaders of this country.

Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with "Subscribe" in the subject line. The views expressed in this column do not necessarily reflect those of Sinrod's law firm or its individual partners.

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, among the 100 largest law firms in the United States, is a full-service firm of more than 600 lawyers. In addition to legal services, Duane Morris has independent affiliates employing approximately 100 professionals engaged in other disciplines. With offices in major markets, and as part of an international network of independent law firms, Duane Morris represents clients across the nation and around the world.