When Kathleen Sutherland took the helm as Chief Privacy Officer for the University of Colorado in 2003, there weren’t very many people in higher ed she could turn to for guidance and advice. That’s because not many people had that role.
But things have changed dramatically over the last decade, as questions and concerns over privacy have emerged front and center in the public consciousness. That has led more universities to create designated roles for chief privacy officers (CPOs), who are taking on ever-evolving responsibilities.
“I really think that people are now seeing it,” says Sutherland, who is now an audit manager for compliance at the University of Colorado. “They’re seeing the [return on investment] on that role and that this is an important thing.”
Brian Kelly, director of the cybersecurity program at Educause, a higher education and technology nonprofit, says the trend has followed other business sectors, and that higher ed has seen an uptick in the number of CPOs over the last two years in particular. “There are so many types of data on our campuses now that there’s a need for a privacy officer more so than in other enterprises,” he says.
Part of that shift has been due to regulatory changes like the upcoming California Consumer Privacy Act, which goes into effect in 2020, and the European privacy law known as GDPR, which has some institutions rethinking their approach to data collection, storage and privacy.
The trend has also followed the growing number of technologies in the higher-ed space, and the privacy concerns these new tools bring.
“Increasingly, educational technologies are done through outsourced platforms,” says Tracy Mitrano, principal of Mitrano and Associates, a consulting firm, and formerly the director of internet culture policy and law at Cornell University. “It is absolutely critical that the institution keeps its eye on what that outsourced platform is doing with this very valuable and often legally protected information.”
Part of her concern is around the potential for edtech companies to monetize student data without student or administration approval, like what happened at UC Berkeley in 2016 when technology staff weren’t aware that a free tool popular among faculty was selling off student data.
“We still don’t have good privacy laws,” says Mitrano. “My point is ultimately this: You need a privacy officer to keep an eye on a very complex portrait with a lot of moving parts.”
Chief privacy officers aren’t quite as rare in higher ed as they are in K-12. But the number of CPOs at colleges and universities is still relatively small. While not a complete tally, the Educause member committee of chief privacy officers consists of 30 members who work in the space.
Institutions that have a designated person in this role—whether the title is CPO or something similar—skew toward larger institutions with medical centers attached. That’s because under the Health Insurance Portability and Accountability Act, or HIPAA, medical institutions must designate a person to oversee privacy compliance of healthcare data.
Before Sutherland, of the University of Colorado, began working in higher education, she practiced healthcare law, helping state agencies in Colorado get up to speed with compliance in the early days of HIPAA. That included working with the state’s public higher education systems and the University of Colorado at Boulder, which has a medical campus attached.
Not long after, she transitioned to become the privacy officer for UC Boulder, and later pushed the university to create a CPO role to oversee privacy issues across the entire system, which covers four campuses.
“There was some resistance,” Sutherland remembers. “But I think a lot of the success or failure of whether there is a CPO or not will depend on institutional culture and the bent of the senior administration.”
This was in 2003, before Facebook and other major technology companies had become the Silicon Valley giants they are today, and before major scandals such as Cambridge Analytica hurled data privacy issues into the mainstream.
Her story mirrors a small but growing group of officials who are first in their roles and shaping what privacy compliance looks like at higher-ed institutions.
Rachel Rudnick heads up privacy compliance at the University of Connecticut and UConn Health. Before she stepped into the role in February 2018, she was a privacy officer for the university only, where her work involved a mix of privacy compliance and overseeing public record requests.
In 2018, UConn decided to streamline its privacy protocols by creating a new office that would oversee privacy compliance across both the university and its medical center.
“We needed to think through privacy and GDPR and the overlap of all of these rules. It was really becoming much more than a full time job,” says Rudnick. The administration “really did give me an associate VP-level role as privacy officer, which is not common frankly in higher education. I’m grateful because this is a recognition, at the highest level, that this is important.”
Privacy vs. Security
While the number of CPOs has slowly increased over the years, it’s still far more common on campuses today to have someone in the chief information security officer (CISO) role. And privacy advocates stress that both are often necessary in today’s tech ecosystem.
Around 41 percent of colleges have a dedicated person responsible for information security, according to Valerie Vogel, senior manager for the cybersecurity program at Educause.
CPOs and CISOs often work together, but their responsibilities differ. Information security handles protecting information from attacks and unauthorized use. Privacy deals with the protection of information about individuals or users. As Mitrano puts it: “Technical safeguards are more in the security space, and the notice and consent procedures are more clearly in the privacy space.”
At institutions that have both a privacy and security officer, compliance for regulations like the Family Educational Rights and Privacy Act, or FERPA, would more likely fall under a CPO role, says Vogel. Schools that fail to comply with FERPA, which prohibits disclosure of personally identifiable data from education records, risk losing federal funding.
Many institutions can’t afford to hire both a CPO and a CISO, or don’t hold the huge amounts of HIPAA data that a university with a hospital does. In those cases, Mitrano says, privacy oversight such as FERPA compliance could fall under the registrar’s office, or a security officer might take on these responsibilities as well.
As new technologies, data breaches and privacy concerns unfold, privacy advocates say more chief privacy officers are welcome—and needed. “Privacy is moving on the same continuum” as the chief information security officer role, says Vogel. “There will be more.”