Data privacy has fallen under the umbrella of information security at many institutions, but it’s rapidly becoming an area of emphasis and expertise in its own right — as it should be, said Doug Welch, the chief privacy officer of Baylor University, at the annual EDUCAUSE Conference in Chicago.
He and Jon Allen, Baylor’s CISO and interim CIO, presented “One Year In: Establishing a Privacy Program on Your Campus” on Thursday.
Both predicted that privacy will continue to get more scrutiny in higher education, under pressure from both state and federal legislation and savvy constituents who will ask more questions about how institutions collect, use and protect their information. In coming years, Welch, said, data privacy will be an important part of institutional reputation and even branding.
“The way you treat the data of your constituents is a signal of what your institution’s values are,” he said.
Privacy, as distinguished from data security, refers to individuals’ right to keep their information safe from unauthorized access or inadvertent disclosure to third parties.
As Allen noted, security and privacy are often discussed interchangeably, but they aren’t the same. Security can exist without privacy, he said, but the reverse isn’t true: If institutions don’t have security in place, they can’t guarantee privacy.
“These overlap significantly,” he said, calling for IT leaders to help clarify the narrative about both concepts.
Strong Principles and Best Practices Should Inform Privacy Programs
While many institutions lack a formal privacy program, Welch argued that the elements are already there. Colleges already have individuals responsible for compliance with regulations such as FERPA and HIPAA and for managing sensitive information related to student loans and financial aid.
What is needed, he said, is a program — and a full-time position — focused on bringing those pieces together into a more cohesive, purposeful effort.
“The purpose of having a privacy program is to coordinate all of those discussions into one focused area and to have somebody who’s waking up every day thinking about those,” Welch said.
A privacy officer also provides day-to-day monitoring of compliance, training and enforcement, as well as advocacy for the principles of stronger data privacy, Welch said.
He applies five principles to guide data privacy practices at Baylor:
- Minimization: Institutions and employees think about what data they collect, why they need it, who has access and how long they keep it.
- Choice: Users can opt in to share certain information.
- Access: Users have the right to review, correct and possibly delete data held by the institution.
- Transparency: The institution discloses how it collects, uses and shares data.
- Security: The institution protects data from unauthorized disclosure or inadvertent access by third parties.
Several factors are increasing the pressure on data privacy, Allen said. One is the fact that the data landscape and compliance obligations have both increased exponentially, yet best practices have not kept pace.
“Where we sit today is where we were 10 years ago with security,” he said. “It is kind of the Wild West.”
That landscape now includes far more areas where data is an issue, Welch noted: Internet of Things devices, such as smart assistants in residence halls; data sets related to research and student success initiatives; contractual obligations; new state laws governing biometric identification data; and many other areas.
In this environment, Allen said, even a long-standing guideline such as FERPA is not, on its own, enough to provide the protection users deserve. While colleges have long treated privacy as “a gray area,” he said, that attitude is no longer sufficient to ensure institutions manage information in a way that is both legal and ethical.
A dedicated privacy professional can be a neutral advocate for best practices on campus, said Welch, while avoiding the potential conflicts of interest that might arise from an information security professional also trying to manage privacy.
Finally, Allen said, a chief privacy officer position is valuable because most employees simply don’t think about the implications of gathering and using data — even as data becomes a larger part of their day-to-day work.
Interviews with Data Stewards Yield Valuable Insights for New CPOs
Welch, Baylor’s first CPO, launched the program in mid-2018 by mapping out a plan to build a program from the ground up.
His initial steps included identifying privacy partners across campus, raising awareness of the program and conducting a baseline assessment to identify high-profile and high-risk areas, such as HIPAA information. He also interviewed data stewards and established a privacy committee.
Both speakers emphasized that data privacy will only become more important, so leaders should be proactive in dealing with it now. Compliance requirements aside, they also noted that strong privacy programs are a branding opportunity for colleges that want to address concerns before problems arise.
“As you look at differentiating your institution, being able to say, ‘We respect your privacy. We have a strong program around that’ — we have more savvy students and parents on these topics, and having a strong answer there is going to become important,” Allen said.
Key to that effort is transparency. As data collection becomes more sophisticated — for example, site trafficking tools that can tell colleges how many times a visitor browses the admissions website and how that relates to their likely enrollment — institutions will have to decide how much they share, said Allen.
Perspectives vary, he acknowledged: Are such tools a competitive advantage that institutions will want to keep confidential, or should they be openly disclosed? It’s a conversation that will be happening — and debated — more and more.
One question that can help leaders make those decisions, he said, is to ask themselves, “If people knew we were doing that, what would they think?”