You are here

Bentley College-Watchfire Survey of Online Privacy Practices in Higher Education Reveals Risk Management Issues

April 23, 2006

A first-of-its-kind national survey of online privacy practices in higher education, conducted by Bentley College and Watchfire, reveals that while most schools engage in e-commerce, only 65 of 236 schools surveyed have privacy notices linked from their home page while nearly all schools surveyed engage in practices that potentially pose a privacy risk. The 236 institutions surveyed were top-ranked doctoral universities and national liberal arts colleges from the 2004 U.S. News and World Report list of America's Best Colleges.


The benchmark study comes at a time when most schools are using the Internet to process electronic applications and other types of e-commerce transactions, ranging from online alumni donations to the sale of athletic tickets, clothing and textbooks. These are the same types of commercial activities that raise privacy concerns in the private sector. And with an increasing number of colleges and universities across the U.S. falling victim to data breaches, online privacy has emerged as an important risk management issue in higher education.


"Higher education is not immune from concerns about online privacy," says Mary J. Culnan, Bentley Slade Professor of Management and Information Technology, who conducted the research with Thomas J. Carlin, a Bentley MBA candidate. "Privacy breaches potentially undermine consumer trust and confidence and make people less willing to disclose personal information online; this benchmark survey should be a wake-up call for all institutions of higher education."


Similar to the surveys of online privacy notices posted by .com websites, initiated by the Federal Trade Commission in 1998, the Bentley-Watchfire survey is based on a content analysis of online privacy notices. But it goes one step further than the prior surveys with an automated scan of the websites to measure whether or not these sites also engaged in practices that may pose privacy risks to users such as pages without a link to a privacy notice or non-secure pages with data collection forms. Watchfire, a company specializing in online risk management software and services to help ensure the security and compliance of websites, conducted the automated portion of the survey for Bentley using the Privacy Module of its WebXM software.


"This year's litany of stories about security breaches shouldn't be construed as a gloom and doom scenario but a wake-up call for higher education, parents, students and alumni," said Traci Logan, Bentley's vice provost and vice president for information technology, who helped design the study. "For many, the college application process represents the first plunge into the deep end of the pool when it comes to voluntary release of confidential personal data. While most CIO's in higher education identify information privacy and security as a critical challenge, too often this view doesn't permeate organizational culture and spending. But it's clear that with the millennial generation becoming more cavalier about sharing information on sites like and MySpace, we have a deepening obligation not only to protect personal information but to better communicate how it might be used once it leaves the fingertips. The very best strategies integrate that philosophy into institutional culture."


Key findings of the automated portion of the survey include:


  • Nearly 100% of both doctoral universities and liberal arts colleges had at least one data collection form on a page without a link to a privacy notice
  • Nearly 100% of both doctoral universities and liberal arts colleges had at least one data collection form that used the GET method to submit the data, posing the risk of identity theft because sensitive information is stored in web server log files that may be accessed by hackers
  • 100% of both doctoral universities and liberal arts colleges had at least one non-secure page with a data collection form


    For the manual survey, the authors analyzed content for the 65 privacy notices that were linked from the home page of the schools in the sample. They analyzed each notice to determine to what extent it reflected the basic elements of fair information practices. The authors found:


    For all 65 privacy notices:




    • 63 % contained a statement defining the scope of the privacy notice
    • 66 % contained contact information for privacy concerns
    • 20 % contained a statement about how changes to the notice are handled
    • 85 % described whether or not the site collects personal information
    • None of these websites displayed a privacy seal


      For the 51 schools that disclosed in the notice that they collect personal information:


      • 49 % disclosed what personal information is collected
      • 90 % reported how they use personal information
      • 59% described in the privacy notice how their sites use cookies or web bugs
      • 53% said whether or not the school shares personal information when required by law
      • 53% reported in the privacy notice whether or not the school shares personal information with third party affiliates
      • 33% described in the privacy notice how users could access their personal information
      • 61% contained a statement saying how the site protects personal information


        Privacy notices represent "the public face" of an organization's online privacy policy - the rules that govern the collection and use of personal information, according to the authors. "The survey results suggest that online privacy is currently not a strategic priority for higher education, and it should be," said Culnan, "especially as higher education embraces e-commerce. Good privacy notices, backed up by an effective governance process, have been shown to help build trust by reducing the risk of disclosing personal information online."


        The study's full report in PDF format is available at: and


        Watchfire provides Online Risk Management software and services to help ensure the security and compliance of websites. More than 500 enterprises and government agencies, including AXA Financial, SunTrust, Vodafone, Veterans Affairs and Dell rely on Watchfire to audit and report on issues impacting their online business. Watchfire has been the recipient of several industry honors including the HP/IAPP Privacy Innovation Award, InfoSecurity Product Guide's Hot Security Company 2006, Computerworld's Innovative Technology Award, and "Recommended" rating by Computer Reseller News. Watchfire was named by IDC as the worldwide market-share leader in web application vulnerability assessment software. Watchfire's partners include IBM Global Services, Sapient, WebTrends, PricewaterhouseCoopers, TRUSTe, Microsoft, Interwoven, EMC Documentum and Mercury. Watchfire is headquartered in Waltham, MA. For more information, please visit


        BENTLEY UNIVERSITY is one of the nation’s leading business schools, dedicated to preparing a new kind of business leader – one with the deep technical skills, broad global perspective, and high ethical standards required to make a difference in an ever-changing world. Our rich, diverse arts and sciences program, combined with an advanced business curriculum, prepares informed professionals who make an impact in their chosen fields. Located on a classic New England campus minutes from Boston, Bentley is a dynamic community of leaders, scholars and creative thinkers. The Graduate School emphasizes the impact of technology on business practice, in offerings that include MBA and Master of Science programs, PhD programs in accountancy and in business, and customized executive education programs. The university enrolls approximately 4,100 full-time undergraduate, 140 adult part-time undergraduate, 1,430 graduate, and 43 doctoral students. Bentley is accredited by the New England Association of Schools and Colleges; AACSB International – The Association to Advance Collegiate Schools of Business; and the European Quality Improvement System, which benchmarks quality in management and business education. For more information, please visit

        Type: Latest Headlines