So Goes California

 Remember the old jingle about “…as General Motor goes, so goes the country…”?

For privacy laws, many have borrowed it to suggest that “…as California goes, so goes the country…” It was true for data breach notification, and with the addition of new attributes that constitute those laws, for example birth date.  A significant new variation relevant to higher education has just been published: Privacy and Information Security Initiative Steering Committee Report to the President.

The University of California system is the first major institution to set privacy as a high level objective. Academic values and institutional missions implicate privacy in practices such as free inquiry, respect for individual privacy and rules regarding surveillance.  Information management – both information security and privacy practices – support of those values. Finally, the Report lays out a road map for development and a time line for progress on making strides towards achieving those goals.

This framework is all anyone with an interest in privacy ever hoped that higher education would embrace. Of course, getting to this point has been a tremendous effort.  The U.C. landscape is geographically vast and collectively quite diverse, with branches into several campuses, hundreds of faculty, (some of whom are subject matter experts), staff, and the interests of students.  The distinction between individual and institutional interests, where they overlap and potentially conflict, is a keen contribution to nettlesome questions that have stalled efforts in other institutions.  This distinction bridges personal-public divides and creates the foundation for the balancing factors to be used to judge cases.  The University of Kansas Board, which hopes to supports its controversial social media policy, might do well to look to these factors as a guideline to the conundrum it is in regarding provisions that, if misused, would be overbroad, stifle speech, and might violate existing NLRB rulings on this topic. Finally, the Report translates give privacy principles meaning:  privacy by design; transparency and notice; information review and correction; information protection; and accountability. A diagram provides a quick take away of the project.

The Roadmap is modest and sensible. The remainder of this year is devoted to socializing the report, creating boards and designating a privacy officer for each campus. This year and next, the boards move into an active stage of building out programs and collecting metrics.  Into next year the work moves towards defining and executing the plans more narrowly, sharing experiences of the “balancing cases” among campuses, and instantiating a review process.

Keeping in mind that institutional diversity and autonomy are hallmarks of higher education in the U.S., this framework is nonetheless a model for every college and university in the country. And it is work that higher education as a sector must do. Highfalutin reasons, such as the personal autonomy necessary for teaching, learning, original research and meaningful outreach meet basic compliance and risk management. Vested interests that don’t want their fiefdoms disturbed must step aside and allow progress. More than once I have used this blog to advocate for leadership at the highest levels to promote privacy and information management. This Report demonstrates that obstacles can be overcome. Administrative units together with faculty and staff can work together toward a common goal to support fundamental values that inform our missions and create a path by which to move forward. My hat is off to University of California Office of the President!