Data Privacy and “O.P.P.”

It’s a terrible reference to a catchy, but terribly noxious song performed by Naughty by Nature from the 90’s. Think twice before going out and finding the song on YouTube or elsewhere. I won’t even provide a link to it. It is decidedly NSFW. If you know the song, you know how it won’t get out of your head after you think about it twice. You’re probably already nodding to it without hearing it. I chuckled after I searched for it in preparation for this article and someone “had to Google it” to find out what it meant after seeing it in a tweet. Kids…

But we are going to turn that catchphrase on its head. Instead of “being down with O.P.P.” as a jarring, offensive attitude and phrase, we’re going to say that “being down with O.P.P”, other people’s PRIVACY, is something to strive for. So how do we become “down with O.P.P.” in this new and much better sense?

In our first article this week we talked about how to protect ourselves from companies sucking up our information. This time, we are going to talk about protecting the information that we, as a college, collect about candidates, students, employees, potential employees, alumni, donors and anyone else we as an institution interact with. All of that data must be protected, which requires us as staff, faculty, and student workers to properly handle it. To misquote a phrase, “with much data comes much responsibility”.

Data is core to business success, even in our business. The entire process of selecting students to admit to the college is massively data-driven. The more information we have, the better decisions we can make about where to expend resources to attract more and better students. With 79% of U.S. adults concerned about the way their data is being used by companies (according to the Pew Research Center), we have to make sure that we are handling that data securely and privately.

That starts with respect for the consumer, in our case, prospective students, their parents, alumni, potential donors and others. We must be open and transparent about how we collect, use, and share personal information. Clearly communicating is the first step. We must also be aware of local, national, state, or other privacy laws and regulations, to avoid being penalized for not properly informing the consumer before collecting data about them. Once we collect that data, we have to take appropriate steps to keep it secure and make sure our processes prohibit any use of that data for which we did not gain permission from the owner. For example, if we get permission to collect email addresses to conduct the long process of recruiting a student, but then turn around and use that email for promotion of an event or other activity, did we responsibly use the data we were given? Only if the owner of the email address was informed beforehand that we may use their email address to do so.

In addition, the college must have systems and processes in place to prevent data loss, like disaster recovery plans that explain how to deal with disruptions in our information technology systems. These disruptions could occur because of malicious cyber actors or just from natural disasters like storms or fires. We also have to make sure we protect ourselves from “insider threats” by running proper background checks on employees and contractors.

It’s not just our systems we have to secure, we also have to make sure that any third-party systems we use, like Salesforce, also properly secures and protects the data collected and stored there. This is a contractual obligation that most of us will never have to deal with, but the college, as an institution, must.

Finally, we all have to be on the same page about all of this, and to do that, cybersecurity awareness training is a must. It does no good to secure our systems with processes and technology, just for someone to fall for a phishing email and hand over data or login credentials. With that said, I have processed the results of the training frequency survey conducted back in November and December. While I received over one hundred results, this is a small percentage of our active community. The most chosen training frequency was twice a year. This would result in 15-25 minute online training sessions twice a year. The most likely months for these sessions are March and September.

Taking the training will be simple. You’ll get an email inviting you to complete the training. You can click on the link in the email OR better yet, go to and click on the “Berry Security Awareness” app there to go to the training platform. You don’t have to complete it all in one sitting. If you have 5-10 minutes on one day and about the same amount of time another day, you can stop and come back to the training to complete it. Notification emails will go out in late February, with requested completion dates sometime late in March.

Everyone who completes the training can then proudly say “I’m down with O.P.P.”…if you must. Just not too loudly…

(Visited 83 times, 1 visits today)