Card, mobile credential, payment and security
Webinar explores the dangers and offers practical approaches to minimize risk
We all know campus card programs generate a constant stream of data, and each interaction creates a digital record. Protecting this data and the individuals involved –our students, faculty, and staff – is a crucial responsibility.
How institutions can best respond to this challenge was the focus of a recent NACCU webinar and article featuring by Erin Williams, Manager of Access & Privacy at the University of Calgary. Her message was clear: protecting data requires more than security controls – it demands strong information governance.
Information governance (IG) is the overarching framework that connects people, processes, and technology across the entire lifecycle of data. It goes beyond security or compliance alone, encompassing how information is created, stored, used, shared, retained, and ultimately destroyed.
“It is how we manage information and data in a way that complies with required regulations and best practices,” says Williams. “Think of it as like the rules of the road or the guardrails.”
Technology evolves faster than legislation, and campuses that lead with strong governance will be better positioned to meet both current and future requirements.
One part of that framework, data governance, focuses on structure and standards that protect individual privacy.
“Data governance is a subset of information governance that focuses on specifics like data quality and access,” she explains. “This role is often housed often in IT because they're usually the ones that manage the infrastructure, architecture, and data warehouses.”
Another part, security, provides the technical and administrative safeguards. While these disciplines are often discussed separately, Williams suggests that they must function together to build trust and reduce risk.
A key takeaway from the webinar was the need for a proactive mindset. Rather than waiting for regulations to dictate action, institutions should adopt best practices early. Technology evolves faster than legislation, and campuses that lead with strong governance will be better positioned to meet both current and future requirements.
Campus card environments are particularly challenging to govern due to their complexity. Both their reach and data are often decentralized, involving multiple departments with varying practices. At the same time, they are highly integrated, relying on third-party vendors and APIs that can introduce vulnerabilities.
Card offices frequently store data for extended periods “just in case,” which expands the potential impact of a breach.
Long data retention practices further increase risk. Card offices frequently store data for extended periods “just in case,” which expands the potential impact of a breach. The combination of decentralized ownership, deep integrations, and large data stores makes campus card systems attractive targets.
The article outlines a pragmatic approach that campus card programs can implement without significant new resources. It begins with creating a simple system and data map that identifies key systems, the types of data they hold, and access controls. This foundational step enables better decision-making across the organization.
Many breaches originate from third-party vendors, so it essential to have clear requirements around data handling and security.
Next, institutions should strengthen procurement and integration processes. Many data incidents originate from third-party vendors, making it essential to establish clear requirements around data handling, security, and breach response.
Reducing unnecessary data retention is another high-impact step. Routine cleanup of exported reports and files, along with defined retention schedules, can significantly limit exposure.
Preparation is equally important. Conducting regular tabletop exercises helps teams understand how to respond to incidents before they occur. These simulations clarify roles, communication pathways, and technical responses in a controlled setting.
To learn more about information governance for your card program and explore a detailed 90-day step-by-step plan to improve information governance, check out the article and webinar.
