Legislation and Ethics
Current privacy legislation is only the beginning. The 2018 rollout of privacy legislation with both GDPR and the California Consumer Privacy Act of 2018 (CCPA) kickstarted much of the major privacy conversations and planning that have occurred in higher education over the past several years. Although more than 120 state laws currently pertain to student privacy in the United States (most of them focused on K–12 education), the privacy professionals we interviewed said they expect new state and federal laws to continue to shape privacy policies in higher education over the next few years, and they urged their peers to keep an eye on future legislation to ensure they are prepared for what's to come. Ann Nagel, University Privacy Officer from the University of Washington, highlighted how her privacy office is "trying to address current laws and be forward thinking about laws that are coming down the road—especially in the state of Washington, where the Washington Privacy Act has been brought before the legislature in 2019, 2020, and will come back in 2021. Privacy programs in higher education need to be prepared to address the ethical and evolving legal aspects of privacy."
Respondents to our survey of privacy professionals reported a number of key working touchpoints with legal offices at their institutions (see figure 4). Unsurprisingly, 94% of respondents indicated that they worked with their legal unit when dealing with breach notification and disclosure. More than two-thirds of respondents indicated that they collaborated with legal when dealing with any other kind of incident response and when setting and enforcing privacy policies at the institution. Foreign influence, Freedom of Information Act (FOIA) requests, and the process for data access without consent were reported as key working touchpoints by fewer than half of respondents; other positions across campus frequently manage these concerns.
The best approach to compliance is continuous improvement. Interviewees consistently reported that achieving privacy compliance is a process that will persist and evolve over time, and there will always be more steps their institution can take to improve. New laws and regulations will continue to arise, privacy policies and trainings will need to be deployed and adapted, and conversations will need to take place to discuss proper data collection and use. A key factor in achieving progress and results is having a privacy person engaging in conversations and working to further privacy efforts. As an example, Doug Welch, the chief privacy officer at Baylor University, spoke about his steady efforts to identify twenty departments on campus that had access to the most PII data and how he "sat down with people at all twenty departments, walked them through a baseline privacy assessment questionnaire, and used those conversations to get people to understand where they currently sit and where they need to focus next."