student-athlete kicking soccer ball as his image is held in the hand of a businessman

The data you collect from your student-athletes plays a key role in deciding how you help them develop. It’s also sensitive personal information, raising concerns about privacy and security. Institutions like yours rely on third parties to keep this information secure. So you need reassurance that student-athlete data is protected when it’s not solely in your hands.

The vendors you use should earn your trust by demonstrating that their internal controls and processes are sound. One of the most recognized ways to do this is through a system and organization controls report—also known as a SOC report.

Spurring the Discussion

Two early January news stories indicate that the 2020s will see heightened awareness around security and ownership of student-athlete data. Technology vulnerabilities, coupled with profit potential of evolving name, images and likeness regulations, will make this a hot topic.

This Forbes article, for example, discusses student-athlete data that details biometric physical performance. It cites that one major institution consented to the collection of this private data when it signed a deal with a major apparel company. Specifically, the deal “allows Nike to harvest personal data from Michigan athletes through the use of wearable technology like heart-rate monitors, GPS trackers and other devices that log myriad biological activities.”

Then you have this VICE story that cites a significant security flaw with a college athlete recruiting software company. An issue with their server exposed information on “more than 700,000 files to the open internet, including college athletes’ medical records, performance reports, driver licenses, and other personal information.”

These articles should raise serious questions for institutions regarding the security of student-athlete data, namely:

  • After student-athlete data is reviewed by the coaches, athlete, and others internally, what happens to it? What are institutions doing to consider protection of this sensitive data?
  • How does the athlete know the data is accurate, or whether it has been tampered with? How are they assured that their information remains private?
  • Who owns student-athlete data? And could someone profit off of it?

How can this information stay safe?

The answer to this question lies in part with SOC reports—internal control reports on the services performed by a third-party organization. These reports provide valuable information you need to assess and address the security risks of an outsourced service. Widely recognized as a gold standard of assurance, SOC reports serve as a testament to the integrity of processes and controls.

There are several types of SOC reports. We recommend that at a minimum, service organizations should have a SOC 2 report to provide to its users. While this level is not currently required by any specific regulations, these reports help service providers inform you about their controls. Such a report focuses its results around these trust principles:

  • Security – The system is protected against unauthorized physical and logical access.
  • Availability – The system is available for operation and used as agreed upon.
  • Processing Integrity – System processing is complete, accurate, timely and authorized.
  • Confidentiality – Information designated as confidential is protected as agreed upon.
  • Privacy – Personal information is collected, used, retained, disclosed and/or destroyed in accordance with established standards.

What should you do?

Any vendors with access to sensitive student-athlete data should have a SOC report prepared by an outside auditor. As a best practice, you should take an inventory of all sensitive data being shared with third party service providers. This includes where it is stored, who has access to it, and how it is used.

Then you should contact each of these providers to ask for the latest copy of their SOC report. If they do not have one, consider looking for other providers that do. In all new contracts with vendors, we recommend that you require a at least annually in the contract terms.

The James Moore higher education and collegiate athletics CPAs can help you identify your data protection risks and assess where your institution is vulnerable both internally and externally. When you have peace of mind over the privacy of your student-athlete data, you can spend more time focusing on other priorities of your athletics program.

All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.