Privacy has become “all the go” in conversations about governance, compliance and risk in higher education. That development is a positive one. Experience in this area makes me a little weary, however, of just how deeply the concept is sinking into change management processes. So far the attention brought to this issue, as expressed in publicity campaigns such as “Data Privacy Month,” seems a little too easy, somewhat glossy to me. Here, then, is some straight talk to get a deeper conversation going within our colleges and universities.
Because I grew up knowing that I was bisexual before it was fashionable – or even had a name in my culture of origin -- I prized privacy for self-protection. The subject therefore interested me in law school. Because I was a relatively early player with a law degree in information technology, I recognized from the start that privacy played a key role in every aspect of the development of the Internet and the implementation of technologies in our colleges and universities. When President Bush signed the USA-Patriot Act in October of 2001, only six months after I began work as the Director of IT Policy at Cornell, Brian Hawkins and Polley McClure tapped me to address the impact the legislation had on the intersection of law and technology in higher education. Privacy jumped out at me as the target issue at the core of balancing national security and civil liberties. While true for U.S. society in general, the issue was especially poignant for higher education because privacy undergirds the true efficacy of our missions. It is not possible to teach, do research or conduct meaningful outreach without intellectual autonomy. Intellectual autonomy requires privacy.
In my work as an administrator, I encountered many obstacles in making the case for “privacy.” The first obstacle is confusion about the concept of privacy and its many legal and cultural meanings. In previous blogs, I have attempted to break the legal concept down into five areas. This categorization enhancing understanding of the kind of privacy intended in the context of liability, compliance and information management. That understanding requires knowing at least the basics about fair information practices (notice, relevancy, transparency and security). Next, we need to know something about public privacy laws such as Family Education Rights Privacy Act, Financial Services and Health Insurance Portability and Accountability Acts, to name the most obvious ones. These laws are important because of the immediacy of the first to our bread and butter, and the last two because they have separate “security” and “privacy” provisions. With that information under our belt, we can move on to other areas of privacy that have meaning in institutional administration, for example regulatory issues such as F.T.C. (privacy policies for transactional web sites, not a minor issue given the role of athletics, on our campuses) or civil torts such as defamation (which can be brought via the concept of respondent superior against an institution). There is another maddening sub-issue worth mentioning. Some institutional counsel at private institutions think that any use of discussion of the term “privacy” will somehow compromise the rights and privileges belonging to a private corporation. In a word, that is baloney. If someone makes that claim, think to yourself, “what perceived territory are they protecting?” and move on. There is too much work to do to get caught up in such foolish semantics.
The second obstacle to serious conversations about privacy is how “security” concerns have overwhelmed consideration of “privacy.” This observation was especially evident in the last decade or so when “security incidents,” i.e. the failure of technical safeguards to protect both devices and the information, exponentially proliferated with script kiddies, criminals seeking personally identifiable information for the purpose of committing fraud, and nation-state threats pounding on our networks. Data breach notification laws caused university officials such as counsel, audit, risk management and public relations to ask CIOs to address the problem. CIOs looked to technical security specialists, i.e. directors of security and security engineers, to manage the administrative, logical and physical security lapses of these breaches. In other words, “security” overwhelmed an understanding that at its root is one of privacy. Consequently, a curious inversion occurred as a result: one of the four principles of fair information practices, “security,” became in the minds of most institutional administrators the ends of what needed to be done rather than the means of a higher goal, “privacy.” This inversion still plagues our understanding of comprehensive management of information in colleges and universities today. In fact, I will go so far as to say that until we unravel that inversion, we will never achieve effective governance, compliance and risk management in this area.
The third obstacle is in many ways the most interesting because it is about people, not technology. Vested interests get in the way of change. This axiom applies to any administrators who are unwilling to recognize and or work toward raising the level of how do to business that involves “information” and “technology.” So happens that is precisely how higher education or any other corporation does business in the twenty-first century, but you wouldn’t know it talking to many registrars, counsel, CIOs and other IT managers and professionals, data stewards or variety of vice presidents or deans who refuse out of ignorance or fear to listen, and who perceive change as capitulation of their authority. Often this intransigence filters down to their lieutenants, such as data steward delegates or college business officers, each group loaded for bear before anyone steps into a meeting to discuss policies or processes designed to align information and technology practices to meet compliance and business needs.
The combination of these three major obstacles confounds appropriate governance, complicates compliance and elevates risk. There are fixes. We need more education about the meaning of information privacy in our institutions. An already accepted term in the corporate arena, higher education lags tremendously. Senior administrators should find champions who will make information management the higher order of how to do business with technology, and, in turn, flip privacy back to the ends of why and how we make changes, rendering technical security the means. That flip will result in more concrete and appropriate fixes because it mirrors the law as well as the practices in the global corporate community. Finally, those same senior level administrators must set the proper tone within their administration. The message should be that change in this area is necessary. For the sake of the institution, personal intransigence must give way. In short, the players need to work together in a manner that is honest, collaborative and transparent … hmmm, a reiteration of some of the very values that privacy stands for in our society.
Not until higher education recognizes the obstacles that are in the way of necessary change will we begin the work to run our institutions in an efficient and effective manner becoming of the twenty-first century. In an era of intense competition among our institutions about which ones will be the winners and losers in ten, twenty or fifty years, I put my chip on this idea: those that embrace this change will not lose, no matter what their Carnegie Classification. For with this change comes the awareness of what privacy means for societies as well as for individuals. Higher education could speak to the larger goals, unlike the corporate sector that manages it for compliance purposes alone. That is why I shared with you my personal reasons why privacy became important to me. If, between the USA-Patriot Act and the Snowden disclosures, these events have taught us anything, it should be that privacy matters to everyone, it touches all dimensions of our lives, and, not least, it has a very special place and resonance in higher education.