Campus privacy officer


The Campus Privacy Officer is a position within a post-secondary university that ensures that student, faculty, and parent privacy is maintained. The role of the CPO originated from growing concerns regarding privacy across college campuses. The responsibilities of the CPO vary depending on the specific needs of the campus community. Their daily tasks may include drafting new privacy policies for their respective college campus, creating a curriculum that informs teachers and students about privacy, helping to investigate any privacy breaches within the university, and ensuring that the university is abiding by current state and federal privacy laws. CPOs are also responsible for connecting with student and faculty groups across the entire campus in order to understand the privacy concerns of the campus. The role of CPO is an expanding profession within the United States and other countries, such as Canada and South Africa. There are numerous organizations that exist to provide training for CPOs and support them.

History

It is difficult to determine the date on which the first Campus Privacy Officer role was created; however, among the first formal references to the specific role of Campus Privacy Officer is a 2005 executive order by the Chancellor of the California State University system. The order specifically requires universities in the system to "provide the name, title and contact information for the campus privacy officer, if the campus is a HIPAA covered entity."
Several years before that first reference to the Campus Privacy Officer, the CPO acronym more commonly referred to the Chief Privacy Officer, a senior level executive within a growing number of global corporations responsible for managing risks related to information privacy laws and regulations. As privacy concerns continued to grow during the Internet era, the role of the Chief Privacy Officer began to expand into the public sector, as well as in higher education.
The first higher education institution to hire a Chief Privacy Officer was the University of Pennsylvania in 2002. As the Chief Privacy Officer role has continued to expand to encompass the full range of complex data governance issues that may face a modern educational and research institution, the Campus Privacy Officer role has, in some instances, become differentiated from that of the Chief Privacy Officer to be more focused on the day-to-day privacy concerns of on-campus life, such as the privacy implications of the use of video surveillance and other security measures. At other institutions, however, the titles of Chief Privacy Officer and Campus Privacy Officer have become interchangeable.

Responsibilities

Creating privacy education

Campus privacy policy affects both the university administration that helps create the policies and the students within the university. CPOs are responsible for creating an education curriculum that informs students how to use data ethically; for students to learn this skill, universities need to provide a curriculum that aims to teach it. There have been specific instances where professionals in IT jobs have made unethical decisions with data concerning others. CPOs help design and implement the courses that teach students how to practice making ethical decisions regarding data.

Ensuring the university is abiding by existing federal and state privacy laws

Campus officials who work with student data must understand the federal and state regulations that are in place to ensure the protection of that data. For example, the Health Insurance Portability and Accountability Act and Family Educational Rights and Privacy Act both impact how student data is handled on campuses. The US Department of Education is always updating and altering these laws. The Campus Privacy Officer is responsible for understanding the updated versions of all federal privacy laws and communicating any changes in data policy to the school. It is crucial that the campus administration constantly abides by and follows federal laws on data protection. The failure to do so can result in the public institution losing federal funding.

Drafting new privacy policy

Campus Privacy Officers also help universities draft new policies that ensure student data is collected in an ethical manner and that student privacy is maintained. Because of the advancement in recent technologies, data collection and data analysis have drastically increased on college campuses within the last decade. For example, technologies like learning analytics collect student learning and instructor teaching data to analyze the effectiveness of teaching strategies. While using this technology, there must be set guidelines in place to guarantee trust between the student and the instructor. CPOs can help facilitate the creation of these policies. These policies aim for institutional accountability and transparency and the student's control and right of access to his data.

Example policy issues

Learning analytics
Learning analytics entails collecting student data and monitoring specific aspects about the student within the educational environment. These aspects can include student performance on tests, retention data, enrollment data, and graduation rates. The mass collection of student data leaves the student's security extremely vulnerable. Higher education institutions have the responsibility to ensure that student information is always kept confidential. Students are required to give up their information in order to attend a higher education institution. To ensure that students are not exploited, there must be campus policy in place that requires students to have an active role in the learning analytics process. When creating policy that guides learning analytics, CPOs must take into account the culture, technological capacities, and behaviors of the institution.
In order to minimize the risk of a data breach, there must also be set policy in place that helps administration recognize the best ways to securely share data.

Laws that Campus Privacy Officers must track

International Laws

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a law passed by the European Union that recognizes certain data privacy rights of EU residents and places various requirements on how personal data may be processed by organizations. The GDPR purports to regulate organizations that:
  1. Operate within the EU and collect EU resident personal data;
  2. Operate outside the boundaries of the EU and collect personal data from EU residents; or,
  3. Provide online services to EU residents that involve personal data.
Failure to comply with GDPR requirements may result in penalties of up to €20 million or 4% of the worldwide annual revenue of the entity, whichever amount is higher. Thus, privacy risks associated with potential GDPR exposure are likely to be an important component of a CPO's duties.
One notable aspect of the GDPR is a provision that, in certain circumstances, may require the appointment of a Data Protection Officer (DPO). Specifically, Article 37 of the GDPR states the factors that may require appointment of a DPO. The DPO within an organization may appear to be analogous to the role of CPO within a university; however, a DPO differs in a number of significant ways, and the two roles should not be confused or conflated.

US Federal Laws

Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, ensures that universities provide students and parents with their respective education records. College students have the right to request their academic and personal records from their university and challenge the statements within those records if they are false. FERPA also prevents universities from sharing student data, specifically personally identifiable information, with outside organizations without the explicit consent of the student.
CPOs are responsible for helping their respective university abide by the guidelines of FERPA. If a student or parent believes that their university is not complying with FERPA's standards, they are allowed to file a complaint with the Family Policy Compliance Office in the U.S. Department of Education. If the Office investigates a complaint about a university and discovers that the school is violating FERPA, the Office will contact the university and explain the steps it must take to comply with it.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. This law protects all "individually identifiable health information". It directly impacts how student health information is used by the university. In most cases, student health information is still governed by FERPA. CPOs are responsible for creating educational tools that ensure campus officials who work with student health data are trained properly. Failure to abide by the HIPAA laws can result in reduced funding for the university.

Organizations that aid Campus Privacy Officers

The main goal of these organizations is to provide CPOs with educational resources to help them stay updated with current privacy policy. Additionally, these organizations provide CPOs with a network of other privacy professionals to connect with and learn from. Below are examples of prominent organizations that support CPOs:

International Association of Privacy Professionals

The International Association of Privacy Professionals (IAPP) is the largest global community of privacy professionals. This nonprofit organization, founded in 2000, helps privacy professionals improve their understanding of privacy policy. IAPP provides training resources to help privacy professionals fight against privacy risks such as data breach and identity theft. It also connects privacy professionals with a network of other officers within their field. IAPP also offers three certification programs to privacy professionals: the Certified Information Privacy Professional, the Certified Information Privacy Manager, and the Certified Information Privacy Technologist. Its members also conduct research on privacy policy and release their findings through the IAPP Westin Research Center.

Educause

Educause is a nonprofit association that aims to help information technology leaders in education tackle issues regarding data protection and information privacy policy. Before Educause was created, CAUSE and Educom were the two major information technology associations within higher education. Both organizations were initially created in the 1960s. In 1986, the advent of the Macintosh computer by Apple made it possible for administrative and student academic computing to be done on the same device. This prompted the two organizations to collaborate and release training that helps prepare higher education professionals to use this technology. The increase of internet users in the 1990s also led to CAUSE creating resources to help their members navigate the policy surrounding internet use. CAUSE and Educom officially merged in 1998 to create Educause.
Educause's current mission is to help provide privacy professionals with the resources and training they need to be successful in their roles. It also allows privacy professionals to connect with one another and share information about privacy policy. There are over 99,000 members who are a part of more than 2,300 organizations all over the world. Within the organization, members form committees that help Educause plan conferences about privacy or create strategies aimed at ensuring privacy is upheld. The specific committee aimed at Campus Privacy Officers is the Higher Education Information Security Council Advisory Committee. The work and research from Educause members is published in the Educause Review. The publication releases information about the recent advancements in technology and their potential impact on higher education.

Society of Corporate Compliance and Ethics

The Society of Corporate Compliance and Ethics (SCCE) is a privacy organization composed of more than 7,000 members. The members are primarily compliance officers, like CPOs, within both the private and public sectors. SCCE members come from a variety of different fields, such as education, aerospace, banking, construction, entertainment, government, financial services, food and manufacturing, insurance, and gas and oil. SCCE helps its members stay updated on laws regarding privacy and ethics by hosting events or providing training videos and books. This ensures that the officers are complying with the current regulations. On top of providing members with educational resources, the organization also provides opportunities for compliance officers to meet and network with others within their respective industry. Members can also receive the Corporate Compliance & Ethics Professional certification and the Corporate Compliance & Ethics Professional-International certification.

Role of CPO in different countries

Canada

The Freedom of Information and Protection of Privacy Act sets privacy guidelines for Canadian universities. This law was created based on the existing privacy policies within universities. A study done with students from two Ontario universities shows that both faculty and students alike are unaware of FIPPA and other current privacy policies within their country. Faculty were unaware of the existence of a university privacy officer or the means to contact the officer. Both faculty and students in this study emphasized the need to create educational tools that explain these existing privacy policies. Campus Privacy Officers help make these tools for students and faculty and fill in these information gaps among students and faculty on campus.

South Africa

The Protection of Personal Information Act protects the collection of student data. This law ensures that higher educational institutions remain transparent by informing students why their data is being collected and explicitly indicating the intended use of this data. However, a 2016 study on South African universities highlighted how higher education institutions are not yet equipped to manage student data in a secure way. There currently is not a governance system within universities that outlines how student data should be handled.

Examples of Campus Privacy Officers

The role of Campus Privacy Officer falls under a variety of different titles on campuses across the United States as well as around the world. Here are some examples of privacy roles that are present within higher education:
Country | University Name | Privacy Officer Title
USA | Auburn University | Director of Institutional Compliance and Privacy
USA | Duke University | Director of Privacy Compliance
USA | Indiana University Bloomington | Chief Privacy Officer
USA | Montgomery College | Information Security & Privacy Director
USA | New Mexico State University | IT Compliance Officer
USA | Rutgers, The State University of New Jersey | Director of Privacy
USA | University of Miami | AVP & Chief Information Security Officer
USA | UC Berkeley | Campus Privacy Officer
USA | University of Michigan-Ann Arbor | University Privacy Officer
USA | University of New Mexico | Information Security & Privacy Officer
USA | University of North Carolina at Chapel Hill | Chief Privacy Officer
USA | University of Texas System | Privacy Officer
USA | University of Washington | Institutional Privacy Officer
USA | University of Pennsylvania | University Privacy Officer
USA | Rowan University | Director of Information Security
USA | Stanford University | Chief Privacy Officer
USA | West Virginia University | Chief Privacy Officer
Canada | Queen's University | Chief Privacy Officer
Canada | University of Manitoba | Access and Privacy Officer