The Evolving Landscape of Data Privacy in Higher Education

Privacy Management

Privacy is managed in a variety of ways and by a variety of people. As reported from the EDUCAUSE 2018 Core Data Service (CDS) survey, most respondents had zero full-time equivalent staff (FTEs) in a privacy role at their institutions. Additionally, privacy only accounted for a median of 0.01% of total 2018 IT budgets at CDS reporting institutions. To gather a more focused picture of how privacy is managed among those institutions with privacy staff, a survey was sent to the EDUCAUSE Privacy Community Group with questions focused on privacy responsibilities and key working touchpoints.

Respondents to this survey represented a mixture of privacy officers and IT decision makers with privacy duties (N = 36). They reported that, although many institutions have created privacy offices or privacy officer positions, multiple positions and people on campus still help manage privacy (see figure 1). Chief information security officers (CISOs) or other information security administrators are the second most commonly reported managers of privacy, with general counsel being the least common. For respondents who chose "other, please specify," most indicated that privacy duties are shared between multiple individuals and offices, with most mentioning the CISO and general counsel.

Bar graph showing the percentage of respondents who indicated that their institution manages privacy in each category. By a privacy office or privacy officer: 62%. By the CISO or other information security administrator: 39%. By general counsel: 19%. Other: 23%.
Figure 1. Where privacy is managed at institutions

When asked about their involvement with the Health Insurance Portability and Accountability Act (HIPAA), about half of privacy professionals reported managing HIPAA compliance, while the other half have a dedicated HIPAA privacy officer or person assigned HIPAA compliance in addition to other duties (the presence of a medical school was typically the main predictor of a separate HIPAA privacy officer). Even when HIPAA compliance duties fell to another position, interviewees and survey respondents reported regular coordination and collaboration between these privacy roles, with 74% of all survey respondents assisting in the setting and enforcement of HIPAA privacy policy.

Survey responses highlighted several other areas of major responsibility for the lead privacy officer at institutions (see figure 2). Three-quarters (75%) of respondents indicated that they are mostly or completely responsible for incident-response events in which institutions need to identify whether personally identifiable information (PII) was compromised and how policies or procedures have failed. Other major responsibilities include drafting and proliferation of policy (69% mostly or completely responsible) and data governance (64%). More than half of respondents indicated they are at least mostly responsible for procurement and contract review, as well as for identifying and protecting PII at the institution.

Bar graph showing the percentage of respondents who indicated that the lead privacy person is mostly or completely responsible for each function. Privacy incident response: 75%. Drafting and proliferation of policy: 69%. Data governance: 64%. Formal stakeholder privacy training: 61%. Strategic, academic, and thought leadership on privacy principles: 60%. Procurement/contract review: 58%. Identifying and protecting PII: 58%. Enterprise architecture standards and reviews: 36%. Use of big tech and social media: 22%.
Figure 2. Functions for which the lead privacy person is "mostly" or "completely" responsible

Two areas for which majorities of respondents indicated that the lead privacy person is not primarily responsible are the use of big tech and social media, such as Twitter and Facebook posting and the use of Google apps (75% said the lead privacy person is only somewhat or not at all responsible) and enterprise architecture standards and reviews (61% only somewhat or not at all responsible).

CISOs struggle to devote sufficient time to both privacy and security. At many institutions, the title and duties of a privacy officer have regularly been attached to the already existing positions of CISOs. Unfortunately, our interviewees who held both the CISO position and the privacy officer title or privacy management duties reported that the information security side of their job is so demanding that they can only dedicate a small portion of their time—on average 10%—to their privacy duties.

When asked about the key working touchpoints they shared with other units across the institution (e.g., legal, internal audit, compliance, IT, institutional leadership), respondents most commonly identified touchpoints with the IT unit at their institution (see figure 3). CISOs' key working touchpoints are often very similar to those of privacy officers, which is one of the main reasons CISOs regularly are assigned privacy duties. In some instances, clear overlap exists between privacy and security duties, namely when reviewing contracts and ensuring proper policies are in place to protect student data. However, interviewed CISOs reported a need to focus on their other full-time duties to ensure secure infrastructure and management of other important data and information assets that are not associated with individuals. With all of that on their plate, CISOs usually have little time left to create privacy training, run privacy awareness campaigns, or have conversations about privacy with stakeholders across campus.

Bar graph showing the percentage of respondents who indicated each item as a key working touchpoint with IT. Incident response investigations: 97%. IT policies pertaining to privacy: 97%. Setting and managing IT controls related to privacy: 94%. Identification of PII across enterprise systems: 90%. Cross-institution data governance activities: 74%.
Figure 3. Privacy person or office's reported key working touchpoints with IT

Building privacy awareness takes time and effort. One common theme that emerged from our interviews with privacy professionals is their struggle and effort to build required privacy policy and awareness during the first year or more of their tenure. Creating a privacy program entails numerous conversations with administrators across campus to ensure they understand how privacy can and should be involved in their plans and processes.

Additionally, while privacy officials work to build personal relationships, trust, and understanding with individuals across campus, a great deal of time and effort is required to create and distribute all the necessary privacy policies and to build privacy awareness campaigns and trainings for faculty and staff. The completion of any of these efforts is a worthy accomplishment, but most privacy professionals reported they are currently creating these processes, rightfully celebrating any concrete steps forward that they could manage.