The Higher Education Chief Privacy Officer

Which one of these things is not like the other?^[1]

• Big data analytics
• Academic freedom
• Augmented reality
• Drones

The question isn’t exactly fair, and the answer is not entirely obvious, especially if you are a higher education Chief Privacy Officer (CPO). For the higher education CPO, all of these things have something in common: They are topics that a CPO must understand in order to advise her institution on a number of potential higher education privacy issues. For example:

• Big data analytics: Big data offers large data sets and sophisticated algorithms to make sense of the data. While there are a number of privacy concerns inherent in big data, one main privacy issue is that anonymization within the data set (or in combined data sets) could very well be impossible.
• Academic freedom: Higher education cherishes the concept of academic freedom for faculty members. Inherent in this concept are rights to privacy and freedom of expression–the ability to pursue research without fear of early disclosure or reprisal. How do institutions balance academic freedom with state open records laws that might otherwise compel production of faculty records?
• Augmented reality: Not to be confused with virtual reality, augmented reality integrates a user’s actual environment and additional digital input in real time.^[2] Augmented reality necessarily combines online and offline personal data and has the potential to record everything a user does. Augmented reality research at higher education institutions requires a concerted look into data collection activities such as notice and consent.
• Drones: Using its commonly understood definition, a drone is an unmanned aircraft. When outfitted with audio or visual recording equipment, they may have a number of privacy-implicating uses, such as data gathering, remote viewing, and site monitoring. On a college campus, where student safety is an important issue, drone-enabled spying on protected places, like residence halls, is a concern.

The CPO title is commonly used for the senior-most individual in an organization who is responsible for that organization’s privacy program. While likely lagging behind other industry sectors, the incidence of the role of the Chief Privacy Officer has been growing in higher education.^[3] As the role grows, so too do the responsibilities for higher education CPOs. Typical duties include:

• Working with institutional stakeholders to establish privacy policies, notices, standards, and processes.
• Creating an institutional privacy program to ensure that the institution complies with international, federal, and state privacy laws, campus policies and procedures, and industry privacy standards.
• Advising institutional leaders and other campus constituents on institution-wide privacy risks (e.g., risks introduced by new technologies, privacy complaints, etc.).
• Collaborating with information security teams to investigate and respond to campus data breaches or information security incidents.
• Educating and training the entire campus community (e.g., students, faculty, and staff) on important privacy concepts.^[4]

We know from our work here at EDUCAUSE that the job duties of the higher education CPO can be wide-ranging. This is true especially as the role evolves into one that is distinct from the duties of an institution’s Chief Information Security Officer. We also know that the way CPO’s approach their role is very much dependent on an institution’s mission and culture. Some institutions tackle privacy in an ad hoc manner as the need arises, while other institutions have well-established and mature privacy programs.

Create your privacy elevator speech so that you can highlight the importance of privacy issues in the higher education environment.

Our community of CPOs offers some advice to those new to the role of CPO at higher education institutions:^[5]

• Understand your job description and the scope of your responsibility and authority.
• Be a thought leader: Be sure to learn your institution’s current approach to privacy issues and help shape its desired aspirational approach.
• Be a champion: Create your privacy elevator speech so that you can highlight the importance of privacy issues in the higher education environment.
• Be an educator: Take the time to understand the resources that you have (staff, budget, privacy allies, and compliance tools) to make sure that you can deploy those resources effectively to highlight privacy issues and education.

We expect to see the role of the higher education CPO continue to grow as a thought leader, champion, and educator, helping campuses find the connections and balance between things that are important to us and the increasingly complex privacy issues. These things really do belong together!

***

Joanna Lyn Grama is the Director of Cybersecurity and IT GRC Programs for EDUCAUSE

^[1] Like many members of Generation X, Sesame Street was at the core of my formative learning. The song, “One of These Things,” appeared on The Sesame Street Book and Record (1970).

^[2] Google Glass is one of the best-known examples of augmented reality. See https://en.wikipedia.org/wiki/Augmented_reality

^[3] Vogel, Valerie. The Chief Privacy Officer in Higher Education. EDUCAUSE Review. May 11, 2015.

^[4] Vogel, Valerie. The Chief Privacy Officer in Higher Education. See note 3.

^[5] EDUCAUSE Chief Privacy Officers Working Group, The Higher Education CPO Primer, Part 2: A Roadmap for Chief Privacy Officers in Higher Education (forthcoming summer 2017). View more resources for CPOs at https://spaces.internet2.edu/display/2014infosecurityguide/Privacy