The Chronicle of Higher Education
Information Technology
From the issue dated November 21, 2008

A Wealth of Data, and Nobody in Charge

Unlike corporations, few colleges have hired chief privacy officers

Wanted: scout to look out for Big Brother and his cousin, Data Breach. Evangelist to spread the word about what information can be shared. A shredder abettor who knows what is nobody's business. This person should also be prepared to help our college recover from embarrassing headlines about Social Security numbers gone missing.

Colleges may soon be running ads something like that for chief privacy officers, a title so new in higher education that one campus public-relations official, when asked if his institution had a CPO, replied, "What in the blue blazes is that?"

Yet colleges capture a slew of highly sensitive information on everyone on campus. And while chief privacy officer has become a recognized title in the corporate world, higher education seems slow to pick up on the trend — a reluctance that could represent either head-in-the-sand thinking or fiscally prudent avoidance of bureaucratic bloat.

The International Association of Privacy Professionals, based in York, Me., shows only two college CPO's in its membership directory: Lauren B. Steinfeld, at the University of Pennsylvania, and Susan A. Blair, at the University of Florida. Some others have the responsibility without the title: Jane E. Rosenthal, for example, is privacy coordinator at the University of Kansas. And many other people, like those in academic medical centers, work on privacy issues from a departmental perspective.

Multifaceted Job

Compared with other organizations and businesses, colleges appear to have few employees dedicated to protecting privacy. The overall field is growing fast, says J. Trevor Hughes, executive director of the privacy association, which has 5,700 members and says it is adding 100 each month. But just 124 of those privacy officials are identified as from universities or colleges, according to Mr. Hughes.

"You can either be proactive about managing the risk at your institution, or you can pay the price afterward," says Rick N. Whitfield, a former vice president for audit and compliance at Penn and the University of Pennsylvania Health System.

Growing concerns about the potential for leaked information led Mr. Whitfield to hire Ms. Steinfeld in 2002. She is widely considered to be the first CPO in higher education.

It is a multifaceted job, she says: "You sometimes need to address IT, sometimes PR, sometimes law, sometimes customer relations, sometimes policy development, and often a combination of all of those." And don't forget paper trails: "You have to make sure you have a good shredding vendor."

A lawyer by training, Ms. Steinfeld served as a privacy officer in the Clinton administration's Office of Management and Budget. Before that she was an online-privacy adviser at the Federal Trade Commission.

At Penn, her office created a one-stop shop in 2005 for building privacy and security into databases and online systems. The program, called the Security and Privacy Impact Assessment, was designed to lead departments to consider how they handle and protect data.

Colleges must comply not only with health-privacy laws, like the Health Insurance Portability and Accountability Act (Hipaa), but also with laws on academic records, which are protected by the Family Educational Rights and Privacy Act (Ferpa), and laws on consumer information, which is covered by the Gramm-Leach-Bliley Act. And that is before counting state laws and campus regulations. With the impact-assessment program, Ms. Steinfeld says, departments don't have to draw their own map through the thicket: "We try to build it for them."

Ms. Steinfeld's hiring did not sit well with everyone, recalls Mr. Whitfield, who is now vice president and chief financial officer at Pace University. "There was a lot of passive-aggressive response to this position," he says. Criticism came from "within the university as well as nationally from peer institutions who basically went on record saying that we don't need this type of position."

Within two years major institutions, such as the University of California at Berkeley and the University of Texas at Austin, made headlines because of leaked or lost data. In 2006 a hacking incident at Ohio University exposed 20,000 Social Security numbers.

Still, there are real reasons behind the reluctance to hire chief privacy officers. Faculty members already complain about top-heavy administrations. The meltdown in the economy doesn't bode well for adding new positions. And a number of institutions already have specific Ferpa and Hipaa privacy officers; they may be leery of adding another person to the payroll.

That is particularly true if that person is called "chief." The median annual salary for privacy professionals is $137,000; for CPO's, it is $210,000, according to the privacy association.

Privacy Vs. Security

It's not unreasonable to ask why privacy protection cannot be simply added to the responsibilities of information-technology departments. After all, the siphoning of personal information from online databases looms as a common threat, and educational institutions regularly appear on lists that track security lapses around the country. More than a dozen data breaches in higher education are reported each month, according to Educational Security Incidents (http://www.adamdodge.com/esi), an online catalog compiled by Adam Dodge, assistant director of information security at Eastern Illinois University.

In 2007, Mr. Dodge says, employee mistakes were twice as likely as hackers to cause breaches, and the trend appears to be continuing this year. "One thing that continues to shock me," he says, "is this unauthorized disclosure of information, information that is just accidentally sent out to people."

In many places, information-security officers are responsible for plugging such holes. But privacy advocates say that is not enough. They argue that the job of security officers is to protect data that are already collected — not to ask whether the data should be captured and stored in the first place.

It is a misperception that tight security equals privacy protection, says Fred H. Cate, a law professor and director of the Center for Applied Cybersecurity Research, at Indiana University. Think about surveillance cameras, he says, and the equation falls apart.

"Security people would say, Give us audit logs of what everyone does online, and let's keep it for a year so that if we discover a worm in our system, we can really do forensics on it," Mr. Cate explains. "Privacy people would say, Get rid of that log on Friday."

Blockbuster, the video-store chain, he notes, "has policies in place that deal with those issues. But most of America's research universities don't."

What Data Can Be Shared

Privacy officers can also educate people about what information can be lawfully shared, says Paul M. Schwartz, a law professor and privacy specialist at Berkeley. In the months before Seung-Hui Cho's shooting rampage at Virginia Tech, in 2007, many people in contact with him were alarmed by his mental state. But, according to the Virginia Tech Review Panel, which investigated the massacre, they did not issue warnings or requests for help, because they believed they were bound by law to stay mum. "There is widespread confusion about what federal and state privacy laws allow," the panel's report said.

"A chief privacy officer," Mr. Schwartz says, "can clear up these misunderstandings." Virginia Tech does not have a chief privacy officer. (Larry Hincker, associate vice president for university relations, is the campus official who wondered what a CPO was.) Instead, Mr. Hincker says, it has an information-technology security officer. The general counsel's office handles privacy issues. After the massacre, the university installed a threat-assessment team to manage security risks of all kinds. It meets weekly.

Another alternative is to create a privacy committee, says Rodney J. Petersen, security-task-force coordinator for Educause, the higher-education-technology consortium. It might include representatives from the offices of the registrar and information technology, the general counsel, and the offices of housing, student affairs, public relations, and alumni relations, as well as research centers that use human subjects.

"Any part of the institution that collects, uses, and stores any part of information has a stake," Mr. Petersen says.

Pace University, where Mr. Whitfield now works, does not have a CPO either. While the top 25 research institutions in the country "need to focus on this in a full-time way," he says, Pace is smaller and has chosen to use internal auditors to search for risks and heighten awareness of privacy issues among managers, while assigning the information-technology officer to lead training programs in data handling.

But no matter who takes on the job, whether individually or by committee, privacy advocates emphasize that those responsible need the clout and resources to make changes. "What's important," Mr. Schwartz says, "is that they get to report to somebody that matters."


http://chronicle.com
Section: Information Technology
Volume 55, Issue 13, Page A1