CBSSports.com College Nework
According to CBSSports.com College Network they partner with over 150 universities and athletic conferences to host over 175 official athletic sites. CBSSports.com services:
“…helps collegiate athletic departments protect and build their brand by deepening and expanding their fan base.”
Their services include a full range of editorial and web services including providing web hosting, interactive media and eCommerce services to sell branded products, tickets and auction services for ‘fan days’ and other fundraising activities.
As far as I can tell, they offer a fantastic, highly specialized and valuable service to universities which represents a potentially strong revenue stream. This is so specialized it might be difficult for the university IT department to provide a comparable level of service. That may be besides the point.
University of Wisconsin Athletics
Additionally, based on the CBSSports.com description of their Third Party Online Advertising practices, it would seem the Wisconsin Athletics site also runs a fowl of the Responsible Use of Information Technology Policy.
University of Massachusetts – UMASS Athletics
“Except as noted, the information below applies to University of Massachusetts Amherst Web sites, consisting of designated Web pages or publications of the university, its schools, colleges, departments, administrative offices, divisions, certain registered student organizations, and other units, as well as to the campus home page, or Gateway, at www.umass.edu.”
Just as an aside, I am also wondering if allowing third party advertising on an official university web site, controlled by CBSSports.com and the advertising networks, fits with university policy?
How Does This Happen
My guess as to how these things happen includes three main factors:
- Privacy in higher education is mostly associated with FERPA so there is a lack of broad oversight of privacy beyond FERPA.
- The CIO is not in the loop on purchases of external IT services which might be the best chance to catch these things.
- Most people don’t realize their obligations for privacy compliance and university policy enforcement doesn’t end just because you outsource to a third party.
5 Tips To Strengthen Privacy Controls
- Appoint or designate a Chief Privacy Officer. This should be someone who can see the broader picture of privacy beyond FERPA.
- Conduct Privacy Risk Assessments. The Chief Privacy Officer or compliance officer should require privacy risk assessments of all new applications and web services prior to purchasing them and again with regular frequency based on risk.
- Require SSAE 16 Audit Reports annually from all IT service providers as part of your vendor management program.
- Provide or expand annual FERPA privacy training to cover privacy controls more broadly making the distinctions between privacy and security.