You have /5 articles left.
Sign up for a free account or log in.

Create Free Account

College admissions offices routinely seek applications from all over the world, and in doing so they communicate with applicants and potential applicants. As of May 25, however, American colleges will be covered by the European Union's General Data Protection Regulation. Violate that law -- and the routine gathering and storage of information could result in violations -- and a college could face fines of $23 million.

Not surprisingly, the size of potential fines has captured the attention of some academic leaders in the U.S. But many are still figuring out which of their practices could be subject to GDPR, as the regulation is known.

The American Association of Collegiate Registrars and Admissions Officers last week released a draft document -- prepared with several other higher education associations -- on scenarios for colleges to consider to determine whether they will need to change practices. The document provides an overview of the regulation, noting, for example, that it gives people in E.U. countries the right to explicit information about the gathering of identifiable information about them, the right to access their data and the right to remove information that they don't want maintained by an entity that collected it.

It is unclear whether the standard privacy protections used by American colleges will meet those standards. While American colleges rely on various third parties for names of potential applicants, and, in theory, students have the option to opt out of providing their information when they take standardized tests, many students don't realize that some of their information is then shared with colleges for recruitment purposes.

The draft released last week doesn't give American colleges a list of things to do or not do -- given that the applicability of GDPR will depend on all kinds of factors that may differ from college to college. But it offers a series of scenarios to consider to help colleges consider where they could be vulnerable. Some of the scenarios:

  • If email communication to potential students includes an "opt out," and there is no response, should the potential student be considered to have opted out?
  • If a potential student is considered to have been properly added to a database based on one purchase of her information, and then her name comes in from another list, does the college need to again verify her willingness to be part of the college's database?
  • How should colleges consider test score information as it relates to GDPR? If a student has applied and, in doing so, indicated acceptance of the college having their information, what about those who send test information before they have submitted an application?
  • If a college uses third parties for applications, does that third party need to identify applicants from E.U. countries?

Next Story

A line of Texas State Troopers and other members of law enforcement face a line of pro-Palestine student protesters
Quick Takes
Police Arrest at Least 30 Protesters at UT Austin

Written By

Scott Jaschik

Found In

Traditional-Age Admissions

More from Traditional-Age

Two scantron sheets with bubbles filled in to look like dollar signs
Admissions Traditional-Age
What’s Behind the ACT’s For-Profit Pivot?

The testing nonprofit was bought by a private equity firm last month, raising concerns about accountability and illum

A sign reading “Free Tuition” is situation on a pile of money in front of an ivy-clad wall.
Admissions Traditional-Age
Is Financial Aid the New Affirmative Action?

Many highly selective colleges are pumping up their financial aid offerings.

Two men in suits sit at a table with microphones
Quick Takes
FAFSA Reprocessing Could Take Weeks