Campus privacy officer

The campus privacy officer (CPO) is a position within a post-secondary university that ensures that student, faculty, and parent privacy is maintained. The CPO role was created because of growing privacy concerns across college campuses. [1] The responsibilities of the CPO vary depending on the specific needs of the campus community. [1] Their daily tasks may include drafting new privacy policies for their respective college campus, creating a curriculum that informs teachers and students about privacy, helping to investigate any privacy breaches within the university, and ensuring that the university is abiding by current state and federal privacy laws. [1] CPOs are also responsible for connecting with student and faculty groups across the entire campus in order to understand the privacy concerns of the campus. [1] The role of CPO is an expanding profession within the United States and other countries, such as Canada and South Africa. [2] [3] There are numerous organizations that exist to provide training for CPOs and support them.

History

It is difficult to determine the date on which the first campus privacy officer role was created; however, one of the first formal references to the specific role of campus privacy officer comes in a 2005 executive order by the Chancellor of the California State University system. The order specifically requires universities in the system to "[p]rovide the name, title and contact information for the campus privacy officer, if the campus is a HIPAA covered entity." [4]

Several years before that first reference to the campus privacy officer, the CPO acronym more commonly referred to the chief privacy officer, a senior-level executive within a growing number of global corporations responsible for managing risks related to information privacy laws and regulations. [5] As privacy concerns continued to grow during the Internet era, the role of the chief privacy officer began to expand into the public sector, [6] as well as in higher education.

The first higher education institution to hire a chief privacy officer was the University of Pennsylvania in 2002. [7] As the chief privacy officer role has continued to expand to encompass the full range of complex data governance issues that may face a modern educational and research institution, [8] the campus privacy officer role has, in some instances, become differentiated from that of the chief privacy officer to be more focused on the day-to-day privacy concerns of on-campus life, such as the privacy implications of the use of video surveillance and other security measures. [9] At other institutions, however, the titles of chief privacy officer and campus privacy officer have become interchangeable. [10]

Responsibilities

Creating privacy education

Campus privacy policy affects both the university administration that helps create the policies and the students within the university. CPOs are responsible for creating an education curriculum that helps inform students how they should ethically use data; [11] for students to learn this skill, universities need to provide a curriculum that aims to teach it. [11] There have been specific instances where professionals in IT jobs have made unethical decisions with data concerning others. CPOs help implement and design the courses that teach students how to practice making ethical decisions regarding data. [11]

Ensuring the university is abiding by existing federal and state privacy laws

Campus officials who work with student data must understand the federal and state regulations that are in place to ensure the protection of that data. [12] For example, the Health Insurance Portability and Accountability Act and Family Educational Rights and Privacy Act both impact how student data is handled on campuses. [12] The US Department of Education is always updating and altering these laws. [12] The campus privacy officer is responsible for understanding the updated versions of all federal privacy laws and communicating any changes in data policy to the school. It is crucial that the campus administration constantly abides by and follows federal laws on data protection. [12] The failure to do so can result in the public institution losing federal funding. [12]

Drafting new privacy policy

Campus privacy officers also help universities draft new policies that ensure student data is collected in an ethical manner and that student privacy is maintained. [13] Because of recent advances in technology, data collection and data analysis have drastically increased on college campuses within the last decade. For example, technologies like learning analytics collect student learning and instructor teaching data to analyze the effectiveness of teaching strategies. While using this technology, there must be set guidelines in place to guarantee trust between the student and the instructor. CPOs can help facilitate the creation of these policies. These policies aim for institutional accountability and transparency and the student's control and right of access to their data. [13] Campus officers are also in charge of meeting with school administrations to discuss the newly drafted privacy policies and make sure the school understands them. CPOs can foster a sense of privacy through educating students and school officials on the importance of privacy in education, including document privacy, behavior privacy, etc. This can be done through privacy events and meetings with various stakeholders of the school system.

Example policy issues

Learning analytics

Learning analytics entails collecting student data and monitoring specific aspects of the student within the educational environment. These aspects can include student performance on tests, retention data, enrollment data, and graduation rates. The mass collection of student data leaves the student's security extremely vulnerable. Higher education institutions have the responsibility to ensure that student information is always kept confidential. [14] Students are required to give up their information in order to attend a higher education institution. To ensure that students are not exploited, there must be campus policy in place that requires students to have an active role in the learning analytics process. [14] When creating policy that guides learning analytics, CPOs must take into account the culture, technological capacities, and behaviors of the institution. [15]

In order to minimize the risk of a data breach, there must also be set policy in place that helps administration recognize the best ways to securely share data. [16]

Laws that campus privacy officers must track

International laws

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a law passed by the European Union that recognizes certain data privacy rights of EU residents and places various requirements on how personal data may be processed by organizations. [17] The GDPR purports to regulate organizations that: [17]

  1. Operate within the EU and collect EU resident personal data;
  2. Operate outside the boundaries of the EU and collect personal data from EU residents; or,
  3. Provide online services to EU residents that involve personal data.

Failure to comply with GDPR requirements may result in penalties of up to €20 million or 4% of the worldwide annual revenue of the entity, whichever amount is higher. [18] Thus, privacy risks associated with potential GDPR exposure are likely to be an important component of a CPO's duties.

One notable aspect of the GDPR is a provision that, in certain circumstances, may require the appointment of a data protection officer (DPO). Specifically, Article 37 of the GDPR states the factors that may require appointment of a DPO. [17] The DPO within an organization may appear to be analogous to the role of CPO within a university; however, a DPO differs in a number of significant ways, and the two roles should not be confused or conflated. [19] [20]

US federal laws

Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, ensures that universities provide students and parents with their respective education records. College students have the right to request their academic and personal records from their university and challenge the statements within those records if they are false. [21] FERPA also prevents universities from sharing student data, specifically personally identifiable information, with outside organizations without the explicit consent of the student. [21]

CPOs are responsible for helping their respective university abide by the guidelines of FERPA. If a student or parent believes that their university is not complying with FERPA's standards, they are allowed to file a complaint with the Family Policy Compliance Office (FPCO) in the U.S. Department of Education. [22] If the Office investigates a complaint about a university and discovers that the school is violating FERPA, the Office will contact the university and explain the steps it must take to comply with it. [22]

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. This law protects all "individually identifiable health information". [23] It directly impacts how student health information is used by the university. In most cases, student health information is still governed by FERPA. CPOs are responsible for creating educational tools that ensure campus officials who work with student health data are trained properly. [23] Failure to abide by the HIPAA laws can result in reduced funding for the university.

Organizations that aid campus privacy officers

The main goal of these organizations is to provide CPOs with educational resources to help them stay updated with current privacy policy. Additionally, these organizations provide CPOs with a network of other privacy professionals to connect with and learn from. Below are examples of prominent organizations that support CPOs:

International Association of Privacy Professionals

The International Association of Privacy Professionals (IAPP) is the largest global community of privacy professionals. This nonprofit organization, founded in 2000, helps privacy professionals improve their understanding of privacy policy. IAPP provides training resources to help privacy professionals fight against privacy risks such as data breach and identity theft. [24] It also connects privacy professionals with a network of other officers within their field. IAPP also offers three certification programs to privacy professionals: the Certified Information Privacy Professional (CIPP), the Certified Information Privacy Manager (CIPM), and the Certified Information Privacy Technologist (CIPT). Its members also conduct research on privacy policy and release their findings through the IAPP Westin Research Center. [25]

Educause

Educause is a nonprofit association that aims to help information technology (IT) leaders in education tackle issues regarding data protection and information privacy policy. [26] Before Educause was created, CAUSE and Educom were the two major information technology associations within higher education. [27] Both organizations were initially created in the 1960s. In 1986, the advent of the Macintosh computer by Apple made it possible for administrative and student academic computing to be done on the same device. This prompted the two organizations to collaborate and release training that helps prepare higher education professionals to use this technology. The increase of internet users in the 1990s also led to CAUSE creating resources to help its members navigate the policy surrounding internet use. [27] CAUSE and Educom officially merged in 1998 to create Educause.

Educause's current mission is to help provide privacy professionals with the resources and training they need to be successful in their roles. It also allows privacy professionals to connect with one another and share information about privacy policy. There are over 99,000 members who are a part of more than 2,300 organizations all over the world. Within the organization, members form committees that help Educause plan conferences about privacy or create strategies aimed at ensuring privacy is upheld. The specific committee aimed at campus privacy officers is the Higher Education Information Security Council (HEISC) Advisory Committee. The work and research from Educause members is published in the Educause Review. The publication releases information about the recent advancements in technology and their potential impact on higher education.

Society of Corporate Compliance and Ethics

The Society of Corporate Compliance and Ethics (SCCE) is a privacy organization composed of more than 7,000 members. [28] The members are primarily compliance officers, like CPOs, within either the private or public sector. SCCE members come from a variety of different fields, such as education, aerospace, banking, construction, entertainment, government, financial services, food and manufacturing, insurance, and gas and oil. SCCE helps its members stay updated on laws regarding privacy and ethics by hosting events or providing training videos and books. This ensures that the officers are complying with the current regulations. On top of providing members with educational resources, the organization also provides opportunities for compliance officers to meet and network with others within their respective industry. Members can also receive the Corporate Compliance & Ethics Professional (CCEP) certification and the Corporate Compliance & Ethics Professional-International (CCEP-I) certification.

Role of CPO in different countries

Canada

The Freedom of Information and Protection of Privacy Act (FIPPA) sets privacy guidelines for Canadian universities. This law was created based on the existing privacy policies within universities. [2] A study done with students from two Ontario universities shows that both faculty and students alike are unaware of FIPPA and other current privacy policies within their country. [2] Faculty were unaware of the existence of a university privacy officer or the means to contact the officer. Both faculty and students in this study emphasized the need to create educational tools that explain these existing privacy policies. [2] Campus privacy officers help make these tools for students and faculty and fill in these information gaps among students and faculty on campus.

South Africa

The Protection of Personal Information Act (POPIA) protects the collection of student data. [3] This law ensures that higher educational institutions remain transparent by informing students why their data is being collected and explicitly indicating the intended use of this data. [3] However, a 2016 study on South African universities highlighted how higher education institutions are not yet equipped to manage student data in a secure way. [3] There currently is not a governance system within universities that outlines how student data should be handled.

Examples of campus privacy officers

The role of campus privacy officer falls under a variety of different titles on campuses across the United States as well as around the world. [1] Here are some examples of privacy roles that are present within higher education:

| Country | University Name | Privacy Officer Title |
| --- | --- | --- |
| USA | Auburn University | Director of Institutional Compliance and Privacy |
| USA | Duke University | Director of Privacy Compliance |
| USA | Indiana University Bloomington | Chief privacy officer |
| USA | Montgomery College | Information Security & Privacy Director |
| USA | New Mexico State University | IT Compliance Officer |
| USA | Rutgers, The State University of New Jersey | Director of Privacy |
| USA | University of Miami | AVP (Associate Vice President) & Chief Information Security Officer |
| USA | UC Berkeley | Campus privacy officer [29] |
| USA | University of Michigan-Ann Arbor | University Privacy Officer |
| USA | University of New Mexico | Information Security & Privacy Officer |
| USA | University of North Carolina at Chapel Hill | Chief privacy officer |
| USA | University of Texas System | Privacy Officer |
| USA | University of Washington | Institutional Privacy Officer |
| USA | University of Pennsylvania | University Privacy Officer |
| USA | Rowan University | Director of Information Security |
| USA | Stanford University | Chief privacy officer |
| USA | West Virginia University | Chief privacy officer |
| Canada | Queen's University | Chief privacy officer |
| Canada | University of Manitoba | Access and Privacy Officer |
| Japan | University of Tokyo | Chief Information Security Officer [30] |

References

  1. "The Higher Education CPO Primer Part 1: A Welcome Kit for Chief Privacy Officers in Higher Education" (PDF). August 2016.
  2. Dowding, Martin (2011). "Interpreting Privacy on Campus: The Freedom of Information and Personal Privacy and Ontario Universities". Canadian Journal of Communication. 36 (1): 11–30. doi:10.22230/cjc.2011v36n1a2252.
  3. Singh, D., & Ramutsheli, M. P. (2016). "Student data protection in a South African ODL university context: Risks, challenges and lessons from comparative jurisdictions". Distance Education. 37 (2): 164–179. doi:10.1080/01587919.2016.1184397. S2CID 58859571.
  4. "Policy on University Health Services - Executive Order Number 943". California State University System. 28 April 2005. Retrieved 3 June 2019.
  5. "The New Terminology for Privacy". The New York Times. 10 April 2019. Retrieved 2019-05-23.
  6. Justine Brown (30 May 2014). "Rise of the Chief Privacy Officer". Government Technology. Retrieved 23 May 2019.
  7. "First chief privacy officer named". Penn Today. University of Pennsylvania. 28 March 2002. Retrieved 2 June 2019.
  8. Johnson, Sydney (25 March 2019). "Chief Privacy Officers: A Small But Growing Fleet in Higher Education". EdSurge. Retrieved 2 June 2019.
  9. Massara, G. Haley (13 July 2014). "Campus privacy officer position created to protect information security". The Daily Californian. Independent Berkeley Students Publishing Company, Inc. Retrieved 2 June 2019. The position, posted Tuesday as a job listing, will require balancing the confidentiality of data about individuals held by the campus — termed information privacy — and the ability of individuals to act without observation, or autonomy privacy...
  10. Vogel, Valerie (11 May 2015). "The Chief Privacy Officer in Higher Education". EDUCAUSE Review. Retrieved 2 June 2019.
  11. Brooks, Rochelle (2010). "The Development of a Code of Ethics: An Online Classroom Approach to Making Connections between Ethical Foundations and the Challenges Presented by Information Technology". American Journal of Business Education. 3 (10): 1–14.
  12. Rowe, Linda (2005). "What Judicial Officers Need to Know about the HIPAA Privacy Rule". NASPA Journal. 42 (4): 498–512. doi:10.2202/1949-6605.1537. S2CID 159549802.
  13. Pardo, Abelardo, et al. (2014). "Ethical and Privacy Principles for Learning Analytics". British Journal of Educational Technology. 45 (3): 438–450. doi:10.1111/bjet.12152.
  14. Prinsloo, Paul, and Sharon Slade (2016). "Student Vulnerability, Agency, and Learning Analytics: An Exploration". Journal of Learning Analytics. 3 (1): 159–182. doi:10.18608/jla.2016.31.10.
  15. Macfadyen, L.P., Dawson, S., Pardo, A. & Gaševic (2014). "Embracing Big Data in Complex Educational Systems: The Learning Analytics Imperative and the Policy Challenge". Research & Practice in Assessment. 9: 17–28.
  16. Goroff, D, Jules, P. & Omer, T. (2018). "Privacy protective research: Facilitating ethically responsible access to administrative data". Annals of the American Academy of Political and Social Science. 675 (1): 46–66. doi:10.1177/0002716217742605. S2CID 149238551.
  17. Cliza, Marta-Claudia and Spataru-Negura, Laura-Cristiana (2018). "The General Data Protection Regulation: what does the public authorities and bodies need to know and to do? The rise of the data protection officer" (PDF). 8 (2): 489–501.
  18. "Administrative Fines". GDPR EU.org. Archived from the original on 12 April 2018. Retrieved 4 June 2019.
  19. Coseglia, Jared (3 January 2019). "Coffee with Privacy Pros: DPO vs. CPO. Lawyer vs. Technician. The Dualities of Privacy". CPO Magazine. Data Privacy Asia Pte. Ltd. Retrieved 26 May 2019.
  20. "Chief privacy officers may not be eligible to serve as data protection officers under the GDPR, says expert". Out-Law.com. Pinsent Masons LLP. 7 September 2017. Retrieved 26 May 2019.
  21. Stahl, William M. and Joanne Karger (2016). "Student Data Privacy, Digital Learning, and Special Education: Challenges at the Intersection of Policy and Practice" (PDF). Journal of Special Education Leadership. 29 (2): 79–88.
  22. "FERPA General Guidance for Parents". ed.gov. 26 June 2015.
  23. Rowe, Linda (2005). "What Judicial Officers Need to Know about the HIPAA Privacy Rule". NASPA Journal. 42 (4): 498–512. doi:10.2202/1949-6605.1537. S2CID 159549802.
  24. "About the IAPP". 2018. Retrieved November 1, 2018.
  25. "IAPP Mission and Background". Retrieved 2020-11-04.
  26. "Educause: Mission and Organization". November 2018.
  27. "CAUSE History". 2018. Retrieved November 1, 2018.
  28. "About the Society of Corporate Compliance and Ethics". 2018. Retrieved November 1, 2018.
  29. "HIPAA Privacy Compliance | UCOP". www.ucop.edu. Retrieved 2021-04-17.
  30. "The University of Tokyo". The University of Tokyo. Retrieved 2021-04-17.