Do Universities Really Need Chief Privacy Officers?
They are still a relatively rare breed at institutions of higher education, but concerns about privacy and data protection mean that more and more universities are appointing chief privacy officers (CPOs).
At a university, the CPO is responsible for drafting and implementing policies and rules that will safeguard student, employee and stakeholder data against unauthorized access. Universities must also protect the privacy of the data under their management.
Universities are complex research-oriented institutions that receive and generate large volumes of sensitive and confidential data. Data that is very attractive to outside entities. Data that must be protected at all costs.
Already, we have seen high-profile data breaches at a number of universities, including the University of Maryland, University of Wisconsin-Parkside, George Mason University, and Butler University.
However, data management is only one of a number of factors that have led to the need for the appointment of CPOs at tertiary institutions.
In addition to the increased need for data protection, other factors necessitating the appointment of someone with the expertise to fulfill the role of a full-time CPO include:
- The need for regulatory compliance – various new laws regarding privacy are coming into effect soon, namely the California Consumer Privacy Act and the European privacy law known as GDPR. Academic institutions must comply with these new regulations.
- Higher education is involved in a wide range of new technologies, which bring with them their own privacy risks.
- Educational technologies are often delivered through outsourced platforms, which could pose a risk to sensitive data.
The CPO has a difficult job – rather like performing a balancing act. The CPO must ensure all privacy issues are addressed comprehensively across the entire enterprise, but without hampering academic freedom or innovation, and without endangering existing strategic collaborations with local and international partners.
Educause Review defines the five core responsibilities of a CPO as:
- Establishing privacy policies, notices, standards, and processes with stakeholders across the institution.
- Ensuring that the institution complies with applicable state, federal and international laws, campus policies and procedures, and industry privacy standards.
- Developing and managing privacy training, education, and awareness for students, faculty, and staff.
- Advising and counseling campus constituents on best practices, new technologies, privacy complaints, and potential institution-wide risks.
- Assisting with investigations and responses to campus privacy breaches or incidents.
Privacy issues have also moved to the forefront as universities form partnerships with academic and other institutions locally and internationally. These collaborations make for complicated privacy issues, which necessitate the services of a professional with the expertise to understand and interpret complex local and international privacy laws and regulations.
Within the campus community, the CPO has an important role in helping all stakeholders better understand personal and public privacy rights issues. The entire campus community must know how to work with data in a way that keeps their privacy intact. It is the role of the CPO to take the lead in all aspects of privacy for the university, including providing privacy awareness and training for the entire campus community.
The need to protect privacy and ensure data security will not go away. Universities are data-based ecosystems that are vulnerable to security breaches and ensuing legal ramifications.
Increasingly, academic institutions will find that they won’t be able to forgo the services of a dedicated CPO to protect their operations.