The Chief Privacy Officer in Higher Education

Valerie Vogel, Program Manager, EDUCAUSE

Until recently, the chief privacy officer (CPO) role was more likely to be found in the private sector versus in higher education.¹ Yet over the past few years, colleges and universities have begun to hire a growing number of CPOs to devote time and attention to ubiquitous concerns about privacy and data protection on campus.

The way CPOs approach their role on campus has depended largely on institutional needs, academic missions, and individual styles. While most institutions are tackling privacy in an ad hoc fashion as they initiate a new privacy program or office, some well-established CPOs in higher education are taking a holistic approach by developing strategic plans and privacy principles that help further the mission and values of their institution.² One thing that CPOs are discovering, in spite of differing responsibilities and program maturity levels, is the growing number of common privacy issues that need to be addressed in higher education.

Lisa Ho, CPO, University of California, Berkeley, notes that "the CPO role is expanding beyond the realm of preventing data breaches to represent a fundamental institutional value and priority."

In recent discussions with several members of the Higher Education Chief Privacy Officers (HE-CPO) group, Ho and her colleagues produced a wealth of information about how they perceive their role, their concerns about privacy, and their expectations for the future of privacy officers in higher education.

Rise of the CPO

"The role of the CPO is evolving as the profession itself has matured, in no small part due to any number of data breaches,³ in addition to the ever-increasing amount of personal data that is collected by services and devices and the evolution of Big Data," according to Sol Bermann, CPO at the University of Michigan–Ann Arbor. "In the last 5–10 years, the role has gone from what was often an evangelist to one that is increasingly anchored in defined practices.⁴ CPOs now have communities, certifications, and more standardized best practices than they did a decade ago."

Chief information security officer (CISO) Cheryl Washington and campus privacy officer Lynette Temple at the University of California, Davis, "see the role as going from virtually nonexistent to one that is playing an increasing[ly] large role in helping the university manage its wealth of data." Similarly, Susan Blair, University of Florida's CPO, acknowledges that five years ago, the CPO's "scope and influence were more limited" than they are currently.

Privacy has moved to more of a central concern for higher education, rather than an afterthought, if it was considered at all 10 or more years ago. Not only have laws and regulations expanded to include privacy issues, but changing technologies have raised privacy concerns to a greater level of discussion and argument. Privacy has gained a stronger foothold in higher education as the conversations have expanded. Students in particular make up a vocal constituency in the data privacy conversation. Karen Meelker, access and privacy officer at the University of Manitoba, finds that she now has "an integral role in all projects. Consultation with the privacy officer has increased exponentially in the past five years."

"Five years ago, privacy issues and questions on campus were primarily FERPA-related, reactive, and handled by the General Counsel's Office," notes Mike Carr, CISO and director of Enterprise Architecture at the University of Kentucky. "Today, despite the lack of a dedicated resource, privacy is more of a mainstream topic; it is less clear-cut and covers more regulatory compliance issues than just FERPA." Further, as universities expand their interests internationally and work with more researchers overseas, privacy issues have become increasingly important in the face of other countries' varied laws and privacy norms, from the European Union to China and the Middle East. Blair points out that over the past decade, "stakeholder 'partnerships' greatly expanded and the need for international privacy expertise for global higher education initiatives has grown."

Another change is a clarification of the close relationship between privacy and security as more attention has turned to the increasing threats to data of all kinds. As the University of New Mexico's information security and privacy officer Jeff Gassaway shares,

"Leadership saw the interdependencies of information security and privacy and began cross-education of information security leadership and building and strengthening partnerships across campus with entities involved in privacy areas. As with information security, it is by building and strengthening our relationships that we are able to begin having the dialogs across campus entities that lead to culture change [about privacy]."

However, cautions Sarah Morrow, who served as CPO at Penn State for five years:

"Increased visibility has not yet made senior leadership recognize the importance of a separate CPO duty. Too often it is still another duty as assigned or given to IT Security, which is an inherent conflict of interest, and does not cover the elements of privacy that have nothing to do with IT."

A Day in the Life of a CPO

During our discussions, we learned that typical responsibilities for a higher education CPO include:

• Establishing privacy policies, notices, standards, and processes with stakeholders across the institution.
• Ensuring that the institution complies with applicable state, federal, and international laws, campus policies and procedures, and industry privacy standards.
• Developing and managing privacy training, education, and awareness for students, faculty, and staff.
• Advising and counseling campus constituents on best practices, new technologies, privacy complaints, and potential institution-wide risks.
• Assisting with investigations and responses to campus privacy breaches or incidents.

In addition to the five core responsibilities listed above, CPOs encounter an array of challenges that may include:

• Responses to formal and informal requests for information.
• Records management, retention, and disposition.⁵
• Assistance and consultation on subjects such as social media and professionalism.
• Special investigations at the request of campus executives.
• Development of strategic IT policy and information governance.
• Compliance beyond privacy-related regulations and standards.⁶
• Management of IT policy, enterprise continuity, incident response, and disaster recovery.

But these daily duties can in fact vary widely depending on a number of factors, including how mature a privacy program is, what additional responsibilities a CPO might be tasked with outside of privacy, and the institutions' commitment to supporting privacy.

Mature vs. New Privacy Programs

The University of Florida's Privacy Office, led by CPO Susan Blair, is one example of a well-established privacy program. The University of Florida created the Privacy Office in 2003, and Blair, originally the institution's HIPAA Privacy Officer (starting in 2002), became its inaugural CPO in 2007. Now responsible for privacy and health privacy with a staff of six, the office has created a mission statement and specifications of its core responsibilities, primary challenges, and annual goals and objectives.⁷ Operational budget for the privacy office includes salaries plus $25,000 for non-labor expenses. This level of maturity for a privacy office or program, however, is not the norm for most colleges and universities.

Newer CPOs are tasked with launching a privacy program for their institutions, although typically they lack additional staff support in developing these fledgling programs. Bermann is the first dedicated CPO (outside of the health system) at the University of Michigan–Ann Arbor. His role includes beginning to "integrate the university community's privacy expectations into U-M teaching, learning, research, clinical, and business practices" while working with the university-wide information assurance council.

There are several notable distinctions between a more mature and a newer privacy program. The following information compiles responses from several CPOs.

	New Privacy Office	Mature Privacy Office
Privacy Role Established	Office not established yet; CPO may have dual roles, or there is not yet a dedicated CPO	Office established for at least 3–7 years; CPO formally appointed
Reporting/Organizational Structure	Part of the IT office; reporting line below VP level (e.g., CISO)	Part of operations, finance, general counsel, administration, audit or compliance; reports to a vice president or senior VP
Staffing	No formal direct reports, but additional resources may be available	Two or more staff members, plus liaisons in other departments
Governance Structure	Ad hoc; governance may still be in development	University-wide governance
Mission Statement and Scope of the Privacy Office	Mission statement may not be developed; scope not yet defined	Mission statement and scope are publicly available on the institution's privacy office website
Annual Goals/Strategic Planning	Annual goals and objectives are not yet defined	Annual goals and objectives are developed and published
Types of Training Available	Ad hoc and under development; typically includes data protection training to comply with FERPA and HIPAA requirements. Training may be limited to online offerings.	Targeted training; may include multiple versions on FERPA, HIPAA, use of SSNs, privacy in academia, Red Flag Rules, identity theft prevention, and mobile devices. Training options may be online, class-based, or both.
Next Steps	Formalizing a privacy office and/or a CPO and developing a roadmap. Establishing a robust privacy education and awareness program. Developing campus-wide partnerships. Creating privacy policies or notices. Regular program assessments.	Global research interfederations. FISMA compliance. Developing accreditation objectives for privacy, which will become part of the College Accreditation Assessment criteria.

System-Wide Privacy Program

A relatively new approach by the University of California (UC) system demonstrates its commitment to privacy by appointing a privacy official at each of the 10 campuses as part of the Office of the President's Privacy and Information Security Initiative. UC campus privacy officers include Lisa Ho (Berkeley), Kent Wada (UCLA), Lynette Temple (Davis), and Denise Dolezal (Santa Cruz). This strategy could potentially serve as a role model for other systems hoping to establish a privacy program with broader impact. According to Ho,

"In most cases, privacy was added as another responsibility for someone who already had full-time responsibilities in IT, Policy, Public Records, or somewhere else on campus. I'm fortunate to be able to focus exclusively on privacy. UC Berkeley's Chief Ethics, Risk, and Compliance Officer, Linda Williams, recognized the tremendous growth and evolution of the university's obligations and expectations regarding privacy and made the bold move of carving out a full-time position to support privacy's mission-critical role in upholding academic freedom and human dignity."

Privacy Offices with Dual Roles

Another common model in higher education is for privacy officials to have dual roles. In her relatively new position as director of Export Control and Privacy Management at Case Western Reserve University, Lisa Palazzo is responsible for privacy and export control management. Similarly, Gassaway is responsible for both security and privacy at UNM, and Meelker serves as the access and privacy officer, "a position that is required by Manitoba (Canada) provincial access and privacy legislation and covers both freedom of information requests and protection of privacy." For Carr, and many other CISOs like him, his privacy responsibilities fall under the "other duties as assigned" category. Palazzo explains what it's like to juggle such distinct roles:

"In having more than one focus, I pay attention to making progress on building each separate compliance program while simultaneously addressing the transactions, or individual matters, that pop up along the way. I remember reading somewhere that managing a compliance program was like slaying the crocodiles while draining the swamp. Every day, I try to engage in activities that "drain the swamp", or make our university environment one in which compliance violations are less likely to happen. This includes training the various operational areas and building trust-based working relationships with stakeholders. The crocodiles are the problems that arise that we have to resolve—in my case, export-related problems or privacy-related ones. How do I juggle the two roles? I try to give an equal amount of time and effort to draining both swamps, and I deal with the crocodiles according to which is the largest (or closest!)"

Collaborations on Campus

No matter the roles and responsibilities of the CPO or maturity of the institution's privacy program, an essential component of this position is working with campus stakeholders–IT, information security, risk, audit, finance, HR, IRB–so all members of the campus community better understand privacy principles and the goals and objectives of their CPOs.⁸ The University of Florida CPO position description states that regularly collaborating with key university stakeholders about privacy-related issues is an essential function. The CPO may interact with deans, risk management, general counsel, information security, as well as the Board of Governors compliance officer and other external partners.

The Evolving Role of the CPO

How does the community of privacy and information security professionals see the role of CPO evolving over the next five to ten years? When asked this question, the CPOs surveyed identified two key changes that they expect in the near future: how privacy and security are connected, and attaining a leadership role on campus.

Privacy and Security: Distinct but Related

Privacy may begin to drive security. Carr anticipates that "the privacy function will determine data classifications and safeguard requirements, and the CISO will implement appropriate technical safeguards." He notes, "[Privacy] will be more closely related to the business and [the] academy than IT security (which will largely remain a more-technical discipline)."

Good security techniques are needed, however, to ensure privacy protections can't be thwarted. Gassaway hopes to see de-identification and anonymization techniques improve "so that future technologies don't allow re-identification to occur in big data/analytics work."⁹ Research has already shown the possibility of this re-identification, making data privacy issues core to big data and analytics. The possibility also introduces a significant security risk to the individuals and institutions affected.¹⁰

Over the next decade or so, Bermann envisions the evolutionary CPO arc continuing in the following ways:

"(1) On the somewhat mundane front, CPOs will continue to refine, grow, and mature their profession. (2) On the more challenging front, we will see CPOs grappling with the move away from traditional notions of privacy (for example, the ability to be anonymous) and increase the push for greater user oversight or control of their data, along with greater transparency and accountability for those organizations that collect and/or use personal information."

Washington and Temple see "the CPO playing a larger role in helping their university support its data governance activities." They also see the CPO "working more collaboratively with the university community to help the members better understand their privacy rights. This is particularly important for students who may not know how to manage data in ways that protect their privacy interests." The same comment could be made about their security interests.

As data breach incidents persist, the media will continue to publicly scrutinize organizations affected, big or small. "Bottom line is that with such large and open environments [in higher education], the bad guys will find a way in," says Morrow. "The 'keys to the kingdom' must be protected, and we ourselves are a big threat because we fail to purge files and purge them securely. Hopefully, within the next 5–10 years all universities will see the importance and value of having a privacy office and CPO to help them navigate the regulatory waters and handle incident response effectively."

Attaining a Leadership Role

Ho asserts that "Privacy will play an increasingly essential role in addressing the pressing issues facing the university, and the CPO will be called upon to help balance the multiple priorities, obligations, and values of the institution in those critical discussions."

To aid in dealing with privacy and security risks, the CPO should be recognized as a senior leader and partner on every campus, on a level similar to that of the CIO or the CISO.¹¹ One way to elevate the CPO is to move the reporting line outside of the IT department to a more visible position in operations or administration. This demonstrates that compliance, oversight, and enforcement are truly institution-wide and not just compartmentalized as an IT or legal issue. Meelker notes that "privacy considerations must be a part of almost every project and initiative on campus and building privacy in by design to every project will ensure security and privacy related risks are mitigated."

Another way to elevate privacy on campus is to formalize a separate privacy office with unique programmatic resources and responsibilities. Gassaway observes, "While Information Security must collaborate closely with the Privacy Office, as with Audit and Compliance, they should have separate independent management and resources so that each can accomplish its objectives without potential conflicts of interest, whether financial or otherwise."

Blair notes the likelihood of this rise in leadership responsibility happening: "As more institutions expand [their] research mission[s], global programs will push the CPO 'up the ladder' as key decision maker to help foster these programs."

The United States Department of Education took this approach by appointing Kathleen Styles as the first Chief Privacy Officer, with responsibility for advising the Secretary on policies and programs related to privacy and confidentiality. Styles is an attorney with a CIPP-G certification in government information privacy and previously managed privacy and confidentiality for the United States Census Bureau.

Top Privacy Concerns

In addition to the usual hot topics like bring your own device (BYOD) and the Internet of Things (IoT), CPO concerns range from competitive big data to international challenges arising from the growing number of global privacy laws.¹²

What most concerns Carr is

"the growing chasm between the administration's firm belief that any and all data collected by the academy belongs to the academy and the incoming student's belief that there should be no use of any data that is collected about a student's non-academic activities — and that such data should not be collected to begin with."

Big data is of great concern to Bermann, as well. "Whether it is learning analytics, human subject research, or clinical data, universities are exploring how to leverage big data to improve teaching outcomes, make discoveries, cure diseases, and improve the human condition." The problem with this is, "In a world of big data, de-identified datasets may yield personally identifiable information when enough of them are aggregated and combined. For this reason, and many others, traditional privacy concepts like notice and collection purpose are becoming difficult to implement."

For Blair, it is the risk of personal and medical identity theft, both internally and externally. With these activities growing exponentially, they pose "the single most [urgent] threat to university systems and reputation. [I]nternational criminal activities are outpacing law enforcement authorities."

Meanwhile, Ho is hoping "to engage the institution in conscious balancing of privacy with other competing institutional values, obligations, and priorities, such as information security, transparency, accountability, academic freedom, efficiency, functionality, convenience, and budget pressure." She explains that "UC Berkeley is currently taking on this issue with regard to network monitoring for information security operations (as described in the "Privacy vs Privacy" blog post.) Without deliberate attention to the impact of surveillance on autonomy, we risk causing a chilling effect on behavior as we attempt to mitigate the immediate and tangible risk of a data breach." As she points out, "It is imperative that we keep at the front of mind the critical role privacy plays in creativity and academic and intellectual freedoms, which are fundamental to our mission." She says the UC Statement of Privacy Values describes this goal: "These freedoms are most vibrant where individuals have autonomy: where their inquiry is free because it is given adequate space for experimentation and their ability to speak and participate in discourse within the academy is possible without intimidation."

Several issues noted by these privacy officers are top concerns for campus CIOs, CISOs, and other IT leaders, as well.¹³ For example, sophisticated hacking and spear phishing attacks pose a threat to the security and privacy of both end users' personal information and institutional data. Similarly, when faculty, staff, and students begin using the latest mobile devices, apps, collaborative tools, or file-sharing tools before campus officials have a chance to vet these new technologies, the privacy implications or consequences may be more far-reaching than the typical user may realize. Equally important are third-party or outsourced services that add more complexities to campus networks and may be outside the CPO's scope or jurisdiction. Finally, researchers' and IRBs' research data at home and abroad must be protected through every stage of the research process.

Also of concern, if less immediately urgent, are the needs to:

• Promote the management of digital identity (staff, students, and faculty) by communicating best practices and awareness of policies, taking privacy and ethical concerns into consideration.
• Raise general awareness about the CPO and services available to departments, steering committees, and other groups.
• Develop and implement privacy education and awareness programs.
• Assess established privacy programs on a regular basis.
• Embed privacy and privacy by design concepts into IT and operations.
• Take a less ad hoc approach to the identification and tracking of emerging privacy risks and laws.
• Participate as a stakeholder during campus sensitive-data inventories and work closely with data stewards.
• Safeguard data, whether protecting student records, research, financial aid, or health information, and respond to data breaches should the need arise.
• Communicate international responsibilities, whether in the context of research conducted abroad, international collaborations and travel, or assisting with a campus abroad.

New Opportunities for Privacy in Higher Education

The biggest opportunities for privacy in higher education can be obvious or subtle, but most CPOs — like Meelker — agree that whatever the task, there is always a chance to do it well.

"The fact that we are talking about privacy as an important topic in our conversations creates an opportunity to embed in our business and academic processes standards and procedures that support privacy," observe Washington and Temple.

Carr notes that "the biggest opportunities lie in the discussions about data collection, data ownership, the right to be forgotten, and the academy's belief that helping students succeed via big data analytics is not only permissible, it is desirable and the administration's responsibility."¹⁴

Gassaway would like to see the community "building upon the relationships between EDUCAUSE and the IAPP to develop more accessible and formal privacy resources that address the needs of the higher education and research communities." Morrow echoes this: "[B]y nature, we learn and share the knowledge so that everyone can benefit."

Some privacy officers, like Palazzo, "have a great opportunity to reduce the magnitude of bad effects from phishing by providing training to our community members."

Students and faculty are another potential opportunity for CPOs. Bermann recognizes that

"the wonderful thing about higher ed is that you are in an environment where ideas and issues are explored, and the leaders of tomorrow are developed. Think of the potential if higher ed CPOs can even slightly impress upon students the importance that privacy plays in society, culture, politics, psychology, sociology, and history!"

The shared concerns and opportunities of these CPOs will play an increasingly important role in campus discussions as technologies that impact data collection continue to evolve rapidly. Having an established campus leader who is well-versed in privacy issues can only benefit an institution. Right now higher education has the opportunity to help strengthen the role of the CPO and increase the visibility of these positions on campus by creating and maintaining partnerships, providing networking and educational opportunities for the community, and conveying the institution's unwavering commitment to privacy and autonomy.

As Ho points out: "Academia has long defended academic freedom and autonomy as fundamental to our mission of knowledge creation. From this enshrined tradition we have an ideal platform to promote the profound importance of privacy."

1. Justine Brown, "Rise of the Chief Privacy Officer," May 30, 2014. IAPP. Survey of Fortune 1000 Chief Privacy Officers Predicts Increased Investment, Focus and Hiring In Corporate Privacy Programs. Web. 5 Nov. 2014.
2. For example, the University of California Privacy and Information Security Initiative Steering Committee Report to the President (January 2013) and the UC Statement of Privacy Values and Privacy Principles.
3. Joanna Lyn Grama, "Just in Time Research: Data Breaches in Higher Education," EDUCAUSE Center for Analysis and Research (ECAR) research report, May 20, 2014.
4. Joanna Lyn Grama, "Just in Time Research: Privacy Practices," EDUCAUSE Center for Analysis and Research (ECAR) research report, February 19, 2014.
5. For additional information on records management, retention, and disposition, visit these resources in the Information Security Guide: Electronic Records Management Toolkit and Records Retention and Disposition Toolkit.
6. Chief privacy officers are usually responsible for compliance with laws such as Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and Red Flags Rule (Identity Theft Prevention Program). Responsibilities are now expanding to compliance with laws or policies such as export controls (ITAR/EAR), PCI DSS, and the Federal Policy for the Protection of Human Subjects ("Common Rule"). For additional resources, see the Information Security Guide's chapter on compliance.
7. University of Florida Chief Privacy Officer Position Description, September 2010. University of Florida Privacy Office Mission, Core Responsibilities, Goals, and Objectives, 2014.
8. For additional information on privacy principles, visit these resources: The AICPA/CICA Privacy Task Force's Generally Accepted Privacy Principles (GAPP) [http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/pages/default.aspx] and Privacy by Design's 7 Foundational Principles [https://www.privacybydesign.ca/index.php/about-pbd/7-foundational-principles].
9. The Guidelines for Data De-Identification or Anonymization in the Information Security Guide can provide additional context regarding these concepts.
10. See Latanya Sweeney's work at Harvard on the identifiability of de-identified data. Also see Ann Cavoukian and Daniel Castro's June 2014 white paper, "Big Data and Innovation, Setting the Record Straight: De-identification Does Work."
11. Cathy Bates, Sol Bermann, Kim Cary, Hunter Ely, Jodi Ito, Kris Monroe, and Thomas Siu, "Evolution & Ascent of the CISO," December 2, 2014.
12. Learn more about the competitive advantage of big data. The Electronic Frontier Foundation provides additional information on international privacy standards.
13. Susan Grajek, "Top 10 IT Issues, 2015: Inflection Point," January 12, 2015. Joanna Lyn Grama and Valerie M. Vogel, "The Top 3 Strategic Information Security Issues," January 12, 2015.
14. Louis Soares, "The Rise of Big Data in Higher Education," EDUCAUSE Live! seminar summary, March 22, 2012.