Last week I wrote about the weak points in higher education regarding advances in promoting privacy and information management. Today I would like to suggest three objectives every institution should strive to achieve to build awareness and promote good policies and best practices.
1. Reform the Family Rights Education Privacy Act (FERPA)
Congress passed FERPA in 1974. It is one of the first federal public privacy laws. Its age shows by comparison to more contemporary ones. It has no specific technical security safeguards, for example, and it famously has cost higher education much anxiety and yet not a dime.
To be sure, reputational consequences aid in making most registrars guard transcripts as if those documents were what’s inside Fort Knox. But when it comes to guiding faculty, for example, in the appropriate use of enterprise services with contractual FERPA protections, the lack of an individual right of action or meaningful administrative damages means that faculty for the most part are unmoved by institutional policies or guidelines. Research in the K-12 area, and experience in higher education, suggest that wholesale violations exist. Colleges and universities should deploy their associations and government relations people to work with Congress to revise this law and make its practices consistent with the twenty-first century.
2. Designate or Create a Chief Privacy Officer
Each campus should have a Chief Privacy Officer (CPO). With all of the attention on how administrations should be “run like a business,” the resistance to the appointment of a CPO suggests either ignorance, which education can correct, or the influence of vested interests (registrars, institutional counsel, IT, risk management, etc.) that perceive the role as a threat to their proverbial “turf.” The latter resistance requires leadership at the highest levels to appreciate the significance of a CPO and to call the shot to appoint one.
What does this role do exactly? First, they grasp all of the international, federal and state law related to privacy – no small task! They grasp those laws and regulations sufficiently to facilitate bottom-line compliance practices. Examples range from how to manage the personally identifiable information of all constituencies on campus; assisting privacy and security officers of specific subject matter areas with compliance (registrars, GLBA, HITECH, HIPAA officers); making privacy practices consistent across different departments (to avoid breaches associated with shadow systems especially) and data sets (for example administrative and research data). In short, they facilitate the alignment of “information” and “technology.” In a large, distributed research university, this role should be well integrated with registrars, associated deans and vice presidents, university counsel, audit and IT (information systems, not just security and policy).
In addition to these responsibilities, a CPO should also be assisting the institution with higher-level privacy issues, such as the sale of email addresses, etc. to third parties (not an inconsiderable issue in athletics or bookstores, for example); institutional response to national policy issues related to electronic surveillance (also not an inconsiderable issue!); assisting in the development of institutional policies that involve privacy, such as network monitoring and disclosure of electronic media; and aligning technology and law in the practice of comprehensive privacy laws internationally. Any institution that claims to be “global” or “international” should be a leader in this area especially.
3. Create an Institutional Privacy Plan Uniting Academic and Administrative Players
In previous blogs the case has been made that privacy is a complicated but necessary-to-deal-with issue for higher education. That being said, senior management should set the expectation among both the administrative and academic sides of the house that this issue be raised to a level of institutional awareness, drawing on the subject matter expertise available on campus or in collaboration with national associations and other campuses.
Administrative and faculty expertise should work together to discuss the intersection of their respective work, research and best practices for the institution. Where an institution recognizes a gap, collaborate with other institutions or engage with national associations developing expertise in this area. Take a page out of the book of accessibility advocates and have presidents issue something akin to a “President’s Accessibility Plan” but insert the term “privacy” to build momentum throughout campus. More than any other issue I can think of, this one requires lots of input from all areas of campus to understand its complex dimensions, help educate the academic community, and act in higher education’s best interests. It is also an invitation to international partners. The United States stands out “like a sore thumb” in the international privacy community for its “sector” privacy laws. Here is a very important and practical example of how we can learn a great deal from international partners.
These three recommendations should be enough to get a campus started. Later this week I will report on some concrete initiatives.