Legislation and Ethics

Current privacy legislation is only the beginning. The 2018 rollout of privacy legislation, with both GDPR and the California Consumer Privacy Act of 2018 (CCPA), kickstarted much of the major privacy conversation and planning that has occurred in higher education over the past several years. Although more than 120 state laws currently pertain to student privacy in the United States (most of them focused on K–12 education), the privacy professionals we interviewed said they expect new state and federal laws to continue to shape privacy policies in higher education over the next few years, and they urged their peers to keep an eye on future legislation to ensure they are prepared for what's to come. Ann Nagel, University Privacy Officer at the University of Washington, highlighted how her privacy office is "trying to address current laws and be forward thinking about laws that are coming down the road—especially in the state of Washington, where the Washington Privacy Act has been brought before the legislature in 2019 and 2020, and will come back in 2021. Privacy programs in higher education need to be prepared to address the ethical and evolving legal aspects of privacy."

Respondents to our survey of privacy professionals reported a number of key working touchpoints with legal offices at their institutions (see figure 4). Unsurprisingly, 94% of respondents indicated that they worked with their legal unit when dealing with breach notification and disclosure. More than two-thirds of respondents indicated that they collaborated with legal when dealing with any other kind of incident response and when setting and enforcing privacy policies at the institution. Foreign influence, Freedom of Information Act (FOIA) requests, and the process for data access without consent were reported as key working touchpoints by fewer than half of respondents; other positions across campus frequently manage these concerns.

Bar graph showing the percentage of respondents who indicated that an item is a key working touchpoint with legal:
- Breach notification and disclosure: 94%
- Incident response process: 77%
- Setting and enforcing privacy policy: 68%
- FOIA or state public records requests: 42%
- Adjudication of privacy matters related to foreign influence: 42%
- Process for data access without consent: 39%
Figure 4. Privacy person or office's reported key working touchpoints with legal

The best approach to compliance is continuous improvement. Interviewees consistently reported that achieving privacy compliance is a process that will persist and evolve over time, and there will always be more steps their institution can take to improve. New laws and regulations will continue to arise, privacy policies and trainings will need to be deployed and adapted, and conversations will need to take place to discuss proper data collection and use. A key factor in achieving progress and results is having a privacy person engaging in conversations and working to further privacy efforts. As an example, Doug Welch, the chief privacy officer at Baylor University, spoke about his steady efforts to identify twenty departments on campus that had access to the most PII data and how he "sat down with people at all twenty departments, walked them through a baseline privacy assessment questionnaire, and used those conversations to get people to understand where they currently sit and where they need to focus next."

Institutions should move beyond compliance. Even though compliance with legislation is important and a useful starting point for building a privacy program at a higher education institution, privacy professionals reported that transparency and student trust are more easily achieved when a privacy policy reflects their institution's community values and ethics. Several interviewees from institutions with mature privacy programs highlighted the importance of the values behind the design and deployment of their privacy plans. Proactively creating a privacy program and policies based on the institution's underlying values, which then lay the groundwork for meeting or exceeding future laws and regulations, is one of the best ways to prepare an institution for such legislation. In contrast, creating new policies and processes only in response to new legislation will always keep a privacy program in the position of playing catch-up.