CHICAGO -- For attendees at the 2019 Educause conference this week, privacy was top of mind.
Scandals such as Cambridge Analytica, data breaches at ed-tech companies such as Chegg and an increasingly complex regulatory landscape have raised difficult questions about what data colleges collect, how they use them and with whom they are shared.
While many colleges have added chief information security officers to their IT teams in the past decade, relatively few have added chief privacy officers. Things appear to be changing.
“I think most colleges will have privacy officers in the next five to seven years,” Celeste Schwartz, vice president for information technology and chief digital officer at Montgomery County Community College in Pennsylvania, said in a session on privacy at the conference. “I think laws will almost dictate that.”
At institutions such as American University in Washington, there is no chief privacy officer.
“We view privacy as a shared responsibility,” said Cathy Hubbs, chief information security officer at the university.
American has created a privacy group to oversee compliance, follow policy developments and consider best practices. But Hubbs said the volume of work is challenging.
"We're doing a pretty good job, but we're not at maturity yet," she said
The University of Pennsylvania has taken a different approach; it added a chief privacy officer in 2001, making it among the first institutions in higher ed to do so. Scott Schafer, chief university privacy officer and institutional compliance officer, said the institution now has seven full-time privacy staff. These staff members monitor policy developments and ensure the university is compliant. They also play a role in technology procurement and in raising awareness of privacy issues on campus.
“Privacy is where security was 10 years ago,” said Ann Nagel, the privacy officer at the University of Washington. “I helped our institution build the security office, and now I’m building the privacy office.”
Privacy is not just about compliance, said Nagel. “We need to look at it from a humanitarian and ethical perspective,” she said. “There is a lot of data you might be collecting that is not protected by law or regulation. Laws have a difficult time keeping pace with technology.”
Schafer noted that privacy is a component of security, but it is not the same thing. Keeping data secure is important, but you also need to understand “why you’re collecting it, whether it’s for a legitimate purpose, who you’re sharing it with,” he said, adding that data are best shared on a “need-to-know basis.”
Jon Allen, interim chief information officer at Baylor University, agreed that privacy and security go hand in hand despite being different concepts.
“You have security without privacy, but you can’t have privacy without security,” he said.
In Educause’s annual list of top 10 IT issues last year, privacy was a new entrant at No. 3. On the 2020 list, which is yet to be published, privacy will take the No. 2 spot. California, Maine, Nevada, New York and other states have all recently introduced privacy protection laws, some inspired in part by the European Union’s General Data Protection Regulation.
The importance of baking data security, privacy and accessibility into contracts when purchasing new technology was widely discussed at the conference. In a session on teaching apps, representatives from the IMS Global consortium said that they are working to create a “Yelp for privacy” -- where higher ed users can share their reviews of the privacy standards of various products. Over 500 products have so far been vetted against IMS Global’s privacy rubric.
Doug Welch, chief privacy officer at Baylor, said that the institution is trying to be proactive about privacy. Disclosing how and why you’re using data can create a positive approach to privacy, he said. A recent investigation by The Washington Post found that many institutions that used cookies to track potential students did not disclose clearly what information they were collecting or why.
“A good rule is to ask yourself: If people knew we were doing this, what would they think?” he said.