While students often complain that Drexel University accepts more students than its facilities (or endowment) can support, this time it was unintentional: Drexel erroneously sent out acceptance letters to 495 applicants who had earlier been denied or had incomplete applications.
This is not a problem unique to Drexel, but it is not unique at Drexel either; who can forget that in February 2014, the Steinbright Career Development Center revealed 5,379 student ID numbers, or that others’ birthdates and GPAs were sent to engineering freshmen the year before.
It suggests an institutional failure to properly safeguard students’ private information. Each time the University pledges reform, but each time another major incident occurs. Besides affecting students and applicants, it puts the University’s reputation at risk. Better privacy protection, then, should not just be preached but must be practiced.
The bulk of privacy risks come from student data that is not optional to maintain. Often disclosure is presented as an accident, but that may be too charitable. After all, the importance of being careful with sensitive records is obvious, so that is inexcusable that administrators would not think twice before sending out e-mails and letters involving them. These large-scale errors would usually be prevented by a simple second, third and even fourth look over.
Drexel has chosen to primarily implement a technological solution, in which the e-mail system detects the format of Social Security Numbers and the like and ensures the sender really meant to include them. It also attempts (unfruitfully) to rectify disclosures by removing e-mails from the Drexel servers. Neither approach does anything about the human error that starts it all, though, and cannot stop someone steadfastly determined to be lazy.
We rarely hear about the University employees who make these mistakes; the situation is preferably dealt with quietly. While employees have their privacy too, someone at the University must take responsibility for data usage errors and make a public apology — which will probably be much more effective in teaching a lesson in carefulness than shifting the burden to a computer.