Campus privacy officer

The Campus Privacy Officer (CPO) is a position within a post-secondary university that ensures that student, faculty, and parent privacy is maintained. The CPO role was created because of growing privacy concerns across college campuses.^[1] The responsibilities of the CPO vary depending on the specific needs of the campus community.^[1] Their daily tasks may include drafting new privacy policies for their respective college campus, creating a curriculum that informs teachers and students about privacy, helping to investigate any privacy breaches within the university, and ensuring that the university is abiding by current state and federal privacy laws.^[1] CPOs are also responsible for connecting with student and faculty groups across the entire campus in order to understand the privacy concerns of the campus.^[1] The role of CPO is an expanding profession within the United States and other countries, such as Canada and South Africa.^[2][3] There are numerous organizations that exist to provide training for CPOs and support them.

History

It is difficult to determine the date on which the first Campus Privacy Officer role was created; however among the first formal references to the specific role of Campus Privacy Officer comes in a 2005 executive order by the Chancellor of the California State University system. The order specifically requires universities in the system to, "[p]rovide the name, title and contact information for the campus privacy officer, if the campus is a HIPAA covered entity."^[4]

Several years before that first reference to the Campus Privacy Officer, the CPO acronym more commonly referred to the Chief Privacy Officer, a senior level executive within a growing number of global corporations responsible for managing risks related to information privacy laws and regulations.^[5] As privacy concerns continued to grow during the Internet era, the role of the Chief Privacy Officer began to expand into the public sector,^[6] as well as in higher education.

The first higher education institution to hire a Chief Privacy Officer was the University of Pennsylvania in 2002.^[7] As the Chief Privacy Officer role has continued to expand to encompass the full range of complex data governance issues that may face a modern educational and research institution,^[8] the Campus Privacy Officer role has, in some instances, become differentiated from that of the Chief Privacy Officer to be more focused on the day-to-day privacy concerns of on-campus life, such as the privacy implications of the use of video surveillance and other security measures.^[9] At other institutions, however, the titles of Chief Privacy Officer and Campus Privacy Officer have become interchangeable.^[10]

Responsibilities

Creating privacy education

Campus privacy policy affects both the university administration that helps create the policies as well as the students within the university. CPOs are responsible for creating an education curriculum that helps inform students how they should ethically use data;^[11] in order for students to learn this universities need to provide a curriculum that aims to teach them this skill.^[11] There have been specific instances where professionals in IT jobs have made unethical decisions with data concerning others. CPOs help implement and design the courses that teach students how to practice making ethical decisions regarding data.^[11]

Ensuring the university is abiding by existing federal and state privacy laws

Campus officials who work with student data must understand the federal and state regulations that are in place to ensure the protection of that data.^[12] For example, the Health Insurance Portability and Accountability Act and Family Educational Rights and Privacy Act both impact how student data is handled on campuses.^[12] The US Department of Education is always updating and altering these laws.^[12] The Campus Privacy Officer is responsible for understanding the updated versions of all federal privacy laws and communicating any changes in data policy to the school. It is crucial that the campus administration constantly abides by and follows federal laws on data protection.^[12] The failure to do so can result in the public institution losing federal funding.^[12]

Drafting new privacy policy

Campus Privacy Officers also help universities draft new policies that ensure student data is being collected in an ethical manner to ensure that student privacy is maintained.^[13] Because of the advancement in recent technologies, new data collection and data analysis has drastically increased on college campuses within the last decade. For example, technologies, like learning analytics, collect student learning and instructor teaching data to analyze the effectiveness of teaching strategies. While using this technology, there must be set guidelines in place to guarantees trust between the student and the instructor. CPOs can help facilitate the creation of these policies. These policies aim for institutional accountability and transparency and the student's control and right of access to his data.^[13] Campus officers are also in charge of meeting with school administrations to discuss the newly drafted privacy policies and make sure the school understands it. CPOs can foster a sense of privacy through educating students and school officials on the importance of privacy in education, including document privacy, behavior privacy, etc. This can be done through privacy events and meetings with various stakeholders of the school system.

Example policy issues

Learning analytics

Learning analytics entails collecting student data and monitoring specific aspects about the student within the educational environment. These aspects can include student performance on tests, retention data, enrollment data, and graduation rates. The mass collection of student data leaves the student's security extremely vulnerable. Higher education institutions have the responsibility to ensure that student information is always kept confidential.^[14] Students are required to give up their information in order to attend at higher education institution. To ensure that students are not exploited, there must be campus policy in place that requires students to have an active role in the learning analytics process.^[14] When creating policy that guides learning analytics, CPOs must take into account the culture, technological capacities, and behaviors of the institution.^[15]

In order to minimize the risk of a data breach, there must also be set policy in place that helps administration recognize the best ways to securely share data.^[16]

Laws that Campus Privacy Officers must track

International Laws

General Data Protection Regulation

General Data Protection Regulation is a law passed by the European Union that recognizes certain data privacy rights of EU residents and places various requirements on how personal data may be processed organizations.^[17] The GDPR purports to regulate organizations that:^[17]

1. Operate within the EU and collect EU resident personal data;
2. Operate outside the boundaries of the EU and collect personal data from EU residents; or,
3. Provide online services to EU residents that involve personal data.

Failure to comply with GDPR requirements may result in penalties of up to €20 million or 4% of the worldwide annual revenue of the entity, whichever amount is higher.^[18] Thus, privacy risks associated with potential GDPR exposure are likely to be an important component of a CPOs duties.

One notable aspect of the GDPR is a provision that, in certain circumstances, may require the appointment of a Data Protection Officer (DPO). Specifically, Article 37 of the GDPR states the factors that may require appointment of a DPO.^[17] The DPO within an organization may appear to be analogous to the role of CPO within a university, however a DPO differs in a number of significant ways and the two roles should not be confused or conflated.^[19][20]

US Federal Laws

Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA) enacted in 1974 ensures that universities provide students and parents with their respective education records. College students have the right to request their academic and personal records from their university and challenge the statements within those records if they are false.^[21] FERPA also prevents universities from sharing student data, specifically personally identifiable information, with outside organizations without the explicit consent of the student.^[21]

CPOs are responsible for helping their respective university abide by the guidelines of FERPA. If a student or parent believes that his university is not complying to FERPA's standards they are allowed to file a complaint to the Family Policy Compliance Office (FPCO) in the U.S. Department of Education.^[22] If the Office investigates a complaint about a university and discovers that the school is violating FERPA, the Office will contact the university and explain the steps it must take to comply with it.^[22]

Health Insurance Portability and Accountability Act

Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. This law protects all "individually identifiable health information".^[23] It directly impacts how student health information is used by the university. In most cases, student health information is still governed by FERPA. CPOs are responsible for creating educational tools that ensure campus officials who work with student health data are trained properly.^[23] Failure to abide by the HIPAA laws can result in reduced funding for the university.

Organizations that aid Campus Privacy Officers

The main goal of these organizations is to provide CPOs with educational resources to help them stay updated with current privacy policy. Additionally, these organizations provide CPOs with a network of other privacy professionals to connect with and learn from. Below are examples of prominent organizations that support CPOs:

International Association of Privacy Professionals

International Association of Privacy Professionals (IAPP) is the largest global community of privacy professionals. This nonprofit organization, founded in 2000, helps privacy professionals improve their understanding of privacy policy. IAPP provides training resources to help privacy professionals fight against privacy risks such as data breach and identify theft.^[24] It also connects privacy professionals with a network of other officers within their field. IAPP also offers three certification programs to privacy professionals, which include the Certified Information Privacy Professional (CIPP), Certified Information Privacy Manager (CIPM), and the Certified Information Privacy Technologist (CIPT). Their members also conduct research on privacy policy and release their findings through the IAPP Westin Research Center.^[25]

Educause

Educause is a nonprofit association that aims to help information technology (IT) leaders in education tackle issues regarding data protection and information privacy policy.^[26] Before Educase was created, CAUSE and Educom were the two major information technology associations within higher education.^[27] Both organizations were initially created in the 1960s. In 1986, the advent of the Macintosh computer by Apple made it possible for administrative and student academic computing to be done on the same device. This prompted the two organizations to collaborate and release training that helps prepare higher education professionals to use this technology. The increase of internet users in the 1990s also led to CAUSE creating resources to help their members navigate the policy surrounding internet use.^[27] CAUSE and Educom officially merged in 1998 to create Educause.

Educause' current mission is to help provide privacy professionals with the resources and training they need to be successful in their roles. It also allows privacy professionals to connect with one another and share information about privacy policy. There are over 99,000 members who are a part of more than 2,300 organizations all over the world. Within the organization, members form committees that help Educause plan conferences about privacy or create strategies aimed at ensuring privacy is upheld. The specific committee aimed at Campus Privacy Officers is the Higher Education Information Security Council (HEISC) advisory Committee. The work and research from Educause members is published in the Educase Review. The publication releases information about the recent advancements in technology and their potential impact on higher education.

Society of Corporate Compliance and Ethics

The Society of Corporate Compliance and Ethics (SCCE) is a privacy organization composed of more than 7,000 members.^[28] The members are primarily composed of compliance officers, like CPOs, within both the private or public sector. SCCE members come from a variety of different fields, such as education, aerospace, banking, construction, entertainment, government, financial services, food and manufacturing, insurance, and gas and oil. SCCE helps their members stay updated on laws regarding privacy and ethics by hosting events or providing training videos and books. This ensures that the officers are complying with the current regulations. On top of providing members with educational resources, the organization also provides opportunities for compliance officers to meet and network with others within their respective industry. Members can also receive the Corporate Compliance & Ethics Professional (CCEP) certification and the Corporate Compliance & Ethics Professional-International (CCEP-I) certification.

Role of CPO in different countries

Canada

The Freedom of Information and Protection of Privacy Act (FIPPA) sets privacy guidelines for Canadian universities. This law was created based on the existing privacy policies within universities.^[2] A study done with students from two Ontario universities shows that both faculty and students alike are unaware of FIPPA and other current privacy policies within their country.^[2] Faculty were unaware of the existence of a university privacy officer or the means to contact the officer. Both faculty and students in this study emphasized the need to create educational tools that explain these existing privacy policies.^[2] Campus Privacy Officers help make these tools for students and faculty and fill in these information gaps among students and faculty on campus.

South Africa

The Protection of Personal Information Act (POPIA) protects the collection of student data.^[3] This law ensures that higher educational institutions remain transparent by informing students why their data is being collected and explicitly indicating the intended use of this data.^[3] However, a 2016 study on South African universities highlighted how higher education institutions are not yet equipped to manage student data in a secure way.^[3] There currently is not a governance system within universities that outline how student data should be handled.

Examples of Campus Privacy Officers

The role of Campus Privacy Officer falls under a variety of different titles on campuses across the United States as well as around the world.^[1] Here are some examples of privacy roles that are present within higher education:

Country	University Name	Privacy Officer Title
USA	Auburn University	Director of Institutional Compliance and Privacy
USA	Duke University	Director of Privacy Compliance
USA	Indiana University Bloomington	Chief Privacy Officer
USA	Montgomery College	Information Security & Privacy Director
USA	New Mexico State University	IT Compliance Officer
USA	Rutgers, The State University of New Jersey	Director of Privacy
USA	University of Miami	AVP (Associate Vice President) & Chief Information Security Officer
USA	UC Berkeley	Campus Privacy Officer[29]
USA	University of Michigan-Ann Arbor	University Privacy Officer
USA	University of New Mexico	Information Security & Privacy Officer
USA	University of North Carolina at Chapel Hill	Chief Privacy Officer
USA	University of Texas System	Privacy Officer
USA	University of Washington	Institutional Privacy Officer
USA	University of Pennsylvania	University Privacy Officer
USA	Rowan University	Director of Information Security
USA	Stanford University	Chief Privacy Officer
USA	West Virginia University	Chief Privacy Officer
Canada	Queen's University	Chief Privacy Officer
Canada	University of Manitoba	Access and Privacy Officer
Japan	University of Tokyo	Chief Information Security Officer[30]

References

1. "The Higher Education CPO Primer Part 1: A Welcome Kit for Chief Privacy Officers in Higher Education" (PDF). August 2016.
2. Dowding, Martin (2011). "Interpreting Privacy on Campus: The Freedom of Information and Personal Privacy and Ontario Universities". Canadian Journal of Communication. 36 (1): 11–30. doi:10.22230/cjc.2011v36n1a2252.
3. Singh, D., & Ramutsheli, M. P. (2016). "Student data protection in a South African ODL university context: Risks, challenges and lessons from comparative jurisdictions". Distance Education. 37 (2): 164–179. doi:10.1080/01587919.2016.1184397. S2CID 58859571.
4. "Policy on University Health Services - Executive Order Number 943". California State University System. 28 April 2005. Retrieved 3 June 2019.
5. "The New Terminology for Privacy". The New York Times. 10 April 2019. Retrieved 2019-05-23.
6. Justine Brown (30 May 2014). "Rise of the Chief Privacy Officer". Government Technology. Retrieved 23 May 2019.
7. "First chief privacy officer named". Penn Today. University of Pennsylvania. 28 March 2002. Retrieved 2 June 2019.
8. Johnson, Sydney (25 March 2019). "Chief Privacy Officers: A Small But Growing Fleet in Higher Education". EdSurge. Retrieved 2 June 2019.
9. Massara, G. Haley (13 July 2014). "Campus privacy officer position created to protect information security". The Daily Californian. Independent Berkeley Students Publishing Company, Inc. Retrieved 2 June 2019. The position, posted Tuesday as a job listing, will require balancing the confidentiality of data about individuals held by the campus — termed information privacy — and the ability of individuals to act without observation, or autonomy privacy...
10. Vogel, Valerie (11 May 2015). "The Chief Privacy Officer in Higher Education". EDUCAUSE Review. Retrieved 2 June 2019.
11. Brooks, Rochelle (2010). "The Development of a Code of Ethics: An Online Classroom Approach to Making Connections between Ethical Foundations and the Challenges Presented by Information Technology". American Journal of Business Education. 3 (10): 1–14.
12. Rowe, Linda (2005). "What Judicial Officers Need to Know about the HIPAA Privacy Rule". NASPA Journal. 42 (4): 498–512. doi:10.2202/1949-6605.1537. S2CID 159549802.
13. Pardo, Abelardo, etc. al. (2014). "Ethical and Privacy Principles for Learning Analytics". British Journal of Educational Technology. 45 (3): 438–450. doi:10.1111/bjet.12152.
14. Prinsloo, Paul, and Sharon Slade (2016). "Student Vulnerability, Agency, and Learning Analytics: An Exploration". Journal of Learning Analytics. 3 (1): 159–182. doi:10.18608/jla.2016.31.10.
15. Macfadyen, L.P., Dawson, S., Pardo, A. & Gaševic (2014). "Embracing Big Data in Complex Educational Systems: The Learning Analytics Imperative and the Policy Challenge". Research & Practice in Assessment. 9: 17–28.
16. Goroff, D, Jules, P. & Omer, T. (2018). "Privacy protective research: Facilitating ethically responsible access to administrative data". Annals of the American Academy of Political and Social Science. 675 (1): 46–66. doi:10.1177/0002716217742605. S2CID 149238551.
17. Cliza, Marta-Claudia and Spataru-Negura, Laura-Cristiana (2018). "The General Data Protection Regulation: what does the public authorities and bodies need to know and to do? The rise of the data protection officer" (PDF). 8 (2): 489–501. {{cite journal}}: Cite journal requires |journal= (help)
18. "Administrative Fines". GDPR EU.org. Archived from the original on 12 April 2018. Retrieved 4 June 2019.
19. Coseglia, Jared (3 January 2019). "Coffee with Privacy Pros: DPO vs. CPO. Lawyer vs. Technician. The Dualities of Privacy". CPO Magazine. Data Privacy Asia Pte. Ltd. Retrieved 26 May 2019.
20. "Chief privacy officers may not be eligible to serve as data protection officers under the GDPR, says expert". Out-Law.com. Pinsent Masons LLP. 7 September 2017. Retrieved 26 May 2019.
21. Stahl, William M. and Joanne Karger (2016). "Student Data Privacy, Digital Learning, and Special Education: Challenges at the Intersection of Policy and Practice" (PDF). Journal of Special Education Leadership. 29 (2): 79–88.
22. "FERPA General Guidance for Parents". ed.gov. 26 June 2015.
23. Rowe, Linda (2005). "What Judicial Officers Need to Know about the HIPAA Privacy Rule". NASPA Journal. 42 (4): 498–512. doi:10.2202/1949-6605.1537. S2CID 159549802 – via 498-512.
24. "About the IAPP". 2018. Retrieved November 1, 2018.
25. "IAPP Mission and Background". Retrieved 2020-11-04.
26. "Educase: Mission and Organization". November 2018.
27. "CAUSE History". 2018. Retrieved November 1, 2018.
28. "About the Society of Corporate Compliance and Ethics". 2018. Retrieved November 1, 2018.
29. "HIPAA Privacy Compliance | UCOP". www.ucop.edu. Retrieved 2021-04-17.
30. "The University of Tokyo". The University of Tokyo. Retrieved 2021-04-17.