Privacy Management
Privacy is managed in a variety of ways and by a variety of people. As reported from the EDUCAUSE 2018 Core Data Service (CDS) survey, most respondents had zero full-time equivalent staff (FTEs) in a privacy role at their institutions. Additionally, privacy only accounted for a median of 0.01% of total 2018 IT budgets at CDS reporting institutions. To gather a more focused picture of how privacy is managed among those institutions with privacy staff, a survey was sent to the EDUCAUSE Privacy Community Group with questions focused on privacy responsibilities and key working touchpoints.
Respondents to this survey represented a mixture of privacy officers and IT decision makers with privacy duties (N = 36). They reported that, although many institutions have created privacy offices or privacy officer positions, multiple positions and people on campus still help manage privacy (see figure 1). Chief information security officers (CISOs) or other information security administrators are the second most commonly reported managers of privacy, with general counsel being the least common. Respondents who chose "other, please specify" mostly indicated that privacy duties are shared among multiple individuals and offices, most often naming the CISO and general counsel.
When asked about their involvement with the Health Insurance Portability and Accountability Act (HIPAA), about half of privacy professionals reported managing HIPAA compliance, while the other half have a dedicated HIPAA privacy officer or person assigned HIPAA compliance in addition to other duties (the presence of a medical school was typically the main predictor of a separate HIPAA privacy officer). Even when HIPAA compliance duties fell to another position, interviewees and survey respondents reported regular coordination and collaboration between these privacy roles, with 74% of all survey respondents assisting in the setting and enforcement of HIPAA privacy policy.
Survey responses highlighted several other areas of major responsibility for the lead privacy officer at institutions (see figure 2). Three-quarters (75%) of respondents indicated that they are mostly or completely responsible for incident-response events in which the institution needs to identify whether personally identifiable information (PII) was compromised and how policies or procedures failed. Other major responsibilities include drafting and distributing policy (69% mostly or completely responsible) and data governance (64%). More than half of respondents indicated they are at least mostly responsible for procurement and contract review, as well as for identifying and protecting PII at the institution.
Majorities of respondents indicated that the lead privacy person is not primarily responsible for two areas: the use of big tech and social media, such as Twitter and Facebook posting and the use of Google apps (75% said the lead privacy person is only somewhat or not at all responsible), and enterprise architecture standards and reviews (61% only somewhat or not at all responsible).
CISOs struggle to devote sufficient time to both privacy and security. At many institutions, the title and duties of a privacy officer have regularly been attached to the already existing positions of CISOs. Unfortunately, our interviewees who held both the CISO position and the privacy officer title or privacy management duties reported that the information security side of their job is so demanding that they can only dedicate a small portion of their time—on average 10%—to their privacy duties.
When asked about the key working touchpoints they shared with other units across the institution (e.g., legal, internal audit, compliance, IT, institutional leadership), respondents most commonly identified touchpoints with the IT unit at their institution (see figure 3). CISOs' key working touchpoints are often very similar to those of privacy officers, which is one of the main reasons CISOs are regularly assigned privacy duties. In some instances, clear overlap exists between privacy and security duties, namely when reviewing contracts and ensuring proper policies are in place to protect student data. However, interviewed CISOs reported a need to focus on their other full-time duties to ensure secure infrastructure and the management of other important data and information assets that are not associated with individuals. With all of that on their plate, CISOs usually have little time left to create privacy training, run privacy awareness campaigns, or have conversations about privacy with stakeholders across campus.
Building privacy awareness takes time and effort. One common theme that emerged from our interviews with privacy professionals is their struggle and effort to build required privacy policy and awareness during the first year or more of their tenure. Creating a privacy program entails numerous conversations with administrators across campus to ensure they understand how privacy can and should be involved in their plans and processes.
Additionally, while privacy officials work to build personal relationships, trust, and understanding with individuals across campus, a great deal of time and effort is required to create and distribute all the necessary privacy policies and to build privacy awareness campaigns and trainings for faculty and staff. Completing any of these efforts is a worthy accomplishment, but most privacy professionals reported that they are still creating these processes, and they rightfully celebrate any concrete step forward they can manage.