March 7, 2024

What is and what is not PII in a university.

By Shane Reid

Personally identifiable information (PII) is data that can be used on its own or with other data to identify, contact or locate an individual. In a university setting, what constitutes PII can be complicated to define. However, it’s critical that universities carefully manage PII, as data breaches can significantly impact an institution.

Shane Reid, Director of Umlaut Solutions, says PII breaches can lead to identity theft, fraud and emotional distress. As a result, universities affected by data breaches have suffered substantial reputational damage. Once trust is lost in an institution, it can be hard to regain.

So what can universities do to protect themselves, their staff and students? We explore what is and what is not PII, the impact of PII data breaches and the role of AI and machine learning in PII protection at universities.

PII and non-PII in a university setting

In a university setting, distinguishing between personally identifiable information (PII) and non-PII is crucial for ensuring privacy and compliance with data protection laws. PII refers to information that can be used, either alone or with other data, to identify, contact or find a specific person. This could include the student’s name, ID number, phone number, email address, Medicare number and financial information.

Non-PII, on the other hand, is information that cannot be used alone to identify an individual. This might include aggregated or anonymised data or broad information such as job titles, course titles, general research data (not linked to an individual) and campus event information.

To understand what is and what is not PII in a university, it’s essential to consider the information and the context. Information that might not seem like PII alone could become PII when combined with other data. For example, while a unit of study might be considered non-PII, combining it with class schedules could narrow the identification to a single person.
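The combination effect described above can be measured as k-anonymity: for each set of attributes an export releases, count how many students share every combination of values, and a group of size 1 means those "non-PII" fields jointly single out one person. The script below is an added example, not from the original article; the enrolment records, unit codes and timetable slots are constructed sample data.

```python
"""k-anonymity check for quasi-identifiers in a university enrolment export."""
from collections import Counter
from itertools import combinations

# Constructed sample enrolment records (not real data). Each row pairs a
# direct identifier (student_id) with attributes that look harmless alone.
RECORDS = [
    {"student_id": "s001", "unit": "COMP1001", "slot": "Mon 09:00", "campus": "North"},
    {"student_id": "s002", "unit": "COMP1001", "slot": "Mon 09:00", "campus": "North"},
    {"student_id": "s003", "unit": "COMP1001", "slot": "Tue 14:00", "campus": "North"},
    {"student_id": "s004", "unit": "HIST2010", "slot": "Mon 09:00", "campus": "South"},
    {"student_id": "s005", "unit": "HIST2010", "slot": "Mon 09:00", "campus": "South"},
    {"student_id": "s006", "unit": "HIST2010", "slot": "Tue 14:00", "campus": "North"},
]


def group_sizes(records, keys):
    """Count how many students share each combination of the given attributes."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys):
    """Smallest group size: k == 1 means some value combination is unique to one student."""
    return min(group_sizes(records, keys).values())


def reidentifying_combos(records, keys):
    """Attribute value combinations that map to exactly one student."""
    return sorted(combo for combo, n in group_sizes(records, keys).items() if n == 1)


def risky_attribute_sets(records, quasi_identifiers, k=2):
    """Every subset of the quasi-identifiers whose joint release falls below k."""
    risky = []
    for size in range(1, len(quasi_identifiers) + 1):
        for keys in combinations(quasi_identifiers, size):
            if k_anonymity(records, keys) < k:
                risky.append(keys)
    return risky


if __name__ == "__main__":
    # Each field alone keeps k >= 2; unit + timetable slot drops to k = 1.
    print("unit alone, k =", k_anonymity(RECORDS, ("unit",)))
    print("unit + slot, k =", k_anonymity(RECORDS, ("unit", "slot")))
    print("singled out by unit + slot:", reidentifying_combos(RECORDS, ("unit", "slot")))
    print("risky subsets:", risky_attribute_sets(RECORDS, ("unit", "slot", "campus")))
```

Run against a planned data release before publishing it: any subset reported by risky_attribute_sets needs generalising (coarser time bands, merged campuses) or suppression before the export can be treated as non-PII.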

Understanding these two categories of information is essential for university administrators to manage data responsibly.

PII laws and recent PII breaches

Each country has PII laws in place to protect information. In the UK, the Data Protection Act 2018 sets out principles for data protection and rights for individuals, including strict rules on handling personal data. It includes provisions on processing personal data, the rights of individuals and penalties for non-compliance.

The US does not have a single federal law governing data protection. Instead, it has a range of federal and state laws. However, the Privacy Act regulates how US federal agencies collect, maintain, use and disseminate PII.

In Australia, the Privacy Act 1988 is a Commonwealth law that regulates the handling of personal information by most government agencies and some private sector organisations. It outlines how information can be collected and used, including data security requirements and individuals’ rights.

Each of these laws has its own set of requirements concerning PII. International organisations must navigate these laws carefully to ensure compliance across different jurisdictions.

Shane says there have been several high-profile data breaches in universities around the world in the past decade. In 2022, hackers accessed and exposed University of Western Australia student photos and details. In the same year, 47,000 Deakin University students had their details revealed after a hacker accessed staff member information through a third-party provider.

In 2019, the University of South Carolina encountered a ransomware attack, impacting administrative systems and potentially exposing student information. One year earlier, Georgia State University reported a phishing attack that compromised employee credentials and exposed the Social Security numbers of over 80,000 students and employees.

How can AI and machine learning help universities protect PII?

Shane says artificial intelligence (AI) and machine learning (ML) technologies can significantly enhance PII protection as well as governance, risk management and compliance (GRC) in universities in several ways:

  • AI systems can constantly analyse activity across systems. By learning regular patterns, AI can detect and flag unusual behaviour that indicates a cyberattack or unauthorised access attempt.
  • ML algorithms can automate processes, accurately classifying data based on sensitivity and ensuring only authorised users have access.
  • AI can analyse vast amounts of data from different sources, uncovering hidden threats and searching for vulnerabilities.
  • AI can analyse user behaviour patterns and identify deviations that might indicate suspicious activity.
  • ML algorithms can analyse historical data and industry trends to provide more accurate and objective risk assessments, helping universities focus their resources effectively.
  • AI can continuously monitor university systems and processes, flagging potential compliance gaps.

Shane notes universities must be transparent for AI and ML to be used successfully for PII protection in an academic setting.

“Data privacy considerations need to be integrated into the development and implementation of AI and ML solutions,” he says. “It’s also important to establish clear governance frameworks, and collaboration between IT, legal and academic departments must be established. Engaging with external experts and industry bodies to stay abreast of best practices and emerging challenges is also wise.”

PII data protection solutions for your university

Protecting PII in universities is a legal necessity and crucial for maintaining integrity and trust. AI and machine learning technologies promise to enhance PII protection, but implementing technologies around data must be approached carefully.

Umlaut can help universities and education institutions implement PII and GRC solutions. Discover more about our PII protection solutions today.