The Campus Privacy Officer (CPO) is a position within a post-secondary university that ensures that student, faculty, and parent privacy is maintained. The CPO role was created because of growing privacy concerns across college campuses.[1] The responsibilities of the CPO vary depending on the specific needs of the campus community. Their daily tasks may include drafting new privacy policies for their respective college campus, creating a curriculum that informs teachers and students about privacy, helping to investigate any privacy breaches within the university, and ensuring that the university is abiding by current state and federal privacy laws. CPOs are also responsible for connecting with student and faculty groups across the entire campus in order to understand the privacy concerns of the campus. The role of CPO is an expanding profession within the United States and other countries, such as Canada and South Africa. There are numerous organizations that exist to provide training for CPOs and support them.
It is difficult to determine the date on which the first Campus Privacy Officer role was created; however, one of the first formal references to the specific role of Campus Privacy Officer comes in a 2005 executive order by the Chancellor of the California State University system. The order specifically requires universities in the system to "[p]rovide the name, title and contact information for the campus privacy officer, if the campus is a HIPAA covered entity."[2]
Several years before that first reference to the Campus Privacy Officer, the CPO acronym more commonly referred to the Chief Privacy Officer, a senior level executive within a growing number of global corporations responsible for managing risks related to information privacy laws and regulations.[3] As privacy concerns continued to grow during the Internet era, the role of the Chief Privacy Officer began to expand into the public sector,[4] as well as in higher education.
The first higher education institution to hire a Chief Privacy Officer was the University of Pennsylvania in 2002.[5] As the Chief Privacy Officer role has continued to expand to encompass the full range of complex data governance issues that may face a modern educational and research institution,[6] the Campus Privacy Officer role has, in some instances, become differentiated from that of the Chief Privacy Officer to be more focused on the day-to-day privacy concerns of on-campus life, such as the privacy implications of the use of video surveillance and other security measures.[7] At other institutions, however, the titles of Chief Privacy Officer and Campus Privacy Officer have become interchangeable.[8]
Campus privacy policy affects both the university administration that helps create the policies and the students within the university. CPOs are responsible for creating an education curriculum that helps inform students how they should ethically use data;[9] for students to learn this, universities need to provide a curriculum that aims to teach them this skill. There have been specific instances where professionals in IT jobs have made unethical decisions with data concerning others. CPOs help implement and design the courses that teach students how to practice making ethical decisions regarding data.
Campus officials who work with student data must understand the federal and state regulations that are in place to ensure the protection of that data.[10] For example, the Health Insurance Portability and Accountability Act and Family Educational Rights and Privacy Act both impact how student data is handled on campuses. The US Department of Education is always updating and altering these laws. The Campus Privacy Officer is responsible for understanding the updated versions of all federal privacy laws and communicating any changes in data policy to the school. It is crucial that the campus administration constantly abides by and follows federal laws on data protection. The failure to do so can result in the public institution losing federal funding.
Campus Privacy Officers also help universities draft new policies that ensure student data is being collected in an ethical manner so that student privacy is maintained.[11] Because of the advancement in recent technologies, new data collection and data analysis have drastically increased on college campuses within the last decade. For example, technologies like learning analytics collect student learning and instructor teaching data to analyze the effectiveness of teaching strategies. While using this technology, there must be set guidelines in place to guarantee trust between the student and the instructor. CPOs can help facilitate the creation of these policies. These policies aim for institutional accountability and transparency and the student's control and right of access to their data. Campus officers are also in charge of meeting with school administrations to discuss the newly drafted privacy policies and make sure the school understands them. CPOs can foster a sense of privacy through educating students and school officials on the importance of privacy in education, including document privacy, behavior privacy, etc. This can be done through privacy events and meetings with various stakeholders of the school system.
Learning analytics entails collecting student data and monitoring specific aspects of the student within the educational environment. These aspects can include student performance on tests, retention data, enrollment data, and graduation rates. The mass collection of student data leaves the student's security extremely vulnerable. Higher education institutions have the responsibility to ensure that student information is always kept confidential.[12] Students are required to give up their information in order to attend a higher education institution. To ensure that students are not exploited, there must be campus policy in place that requires students to have an active role in the learning analytics process. When creating policy that guides learning analytics, CPOs must take into account the culture, technological capacities, and behaviors of the institution.[13]
In order to minimize the risk of a data breach, there must also be set policy in place that helps administration recognize the best ways to securely share data.[14]
The General Data Protection Regulation (GDPR) is a law passed by the European Union that recognizes certain data privacy rights of EU residents and places various requirements on how personal data may be processed by organizations.[15] The GDPR purports to regulate organizations that:
Failure to comply with GDPR requirements may result in penalties of up to €20 million or 4% of the worldwide annual revenue of the entity, whichever amount is higher.[16] Thus, privacy risks associated with potential GDPR exposure are likely to be an important component of a CPO's duties.
One notable aspect of the GDPR is a provision that, in certain circumstances, may require the appointment of a Data Protection Officer (DPO). Specifically, Article 37 of the GDPR states the factors that may require appointment of a DPO. The DPO within an organization may appear to be analogous to the role of CPO within a university; however, a DPO differs in a number of significant ways and the two roles should not be confused or conflated.[17] [18]
The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, ensures that universities provide students and parents with their respective education records. College students have the right to request their academic and personal records from their university and challenge the statements within those records if they are false.[19] FERPA also prevents universities from sharing student data, specifically personally identifiable information, with outside organizations without the explicit consent of the student.
CPOs are responsible for helping their respective university abide by the guidelines of FERPA. If a student or parent believes that their university is not complying with FERPA's standards, they are allowed to file a complaint with the Family Policy Compliance Office (FPCO) in the U.S. Department of Education. If the Office investigates a complaint about a university and discovers that the school is violating FERPA, the Office will contact the university and explain the steps it must take to comply with it.[20]
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. This law protects all "individually identifiable health information".[21] It directly impacts how student health information is used by the university. In most cases, student health information is still governed by FERPA. CPOs are responsible for creating educational tools that ensure campus officials who work with student health data are trained properly. Failure to abide by the HIPAA laws can result in reduced funding for the university.
The main goal of these organizations is to provide CPOs with educational resources to help them stay updated with current privacy policy. Additionally, these organizations provide CPOs with a network of other privacy professionals to connect with and learn from. Below are examples of prominent organizations that support CPOs:
The International Association of Privacy Professionals (IAPP) is the largest global community of privacy professionals. This nonprofit organization, founded in 2000, helps privacy professionals improve their understanding of privacy policy. IAPP provides training resources to help privacy professionals fight against privacy risks such as data breach and identity theft.[22] It also connects privacy professionals with a network of other officers within their field. IAPP also offers three certification programs to privacy professionals, which include the Certified Information Privacy Professional (CIPP), Certified Information Privacy Manager (CIPM), and the Certified Information Privacy Technologist (CIPT). Their members also conduct research on privacy policy and release their findings through the IAPP Westin Research Center.[23]
Educause is a nonprofit association that aims to help information technology (IT) leaders in education tackle issues regarding data protection and information privacy policy.[24] Before Educause was created, CAUSE and Educom were the two major information technology associations within higher education.[25] Both organizations were initially created in the 1960s. In 1986, the advent of the Macintosh computer by Apple made it possible for administrative and student academic computing to be done on the same device. This prompted the two organizations to collaborate and release training that helps prepare higher education professionals to use this technology. The increase of internet users in the 1990s also led to CAUSE creating resources to help their members navigate the policy surrounding internet use. CAUSE and Educom officially merged in 1998 to create Educause.
Educause's current mission is to help provide privacy professionals with the resources and training they need to be successful in their roles. It also allows privacy professionals to connect with one another and share information about privacy policy. There are over 99,000 members who are a part of more than 2,300 organizations all over the world. Within the organization, members form committees that help Educause plan conferences about privacy or create strategies aimed at ensuring privacy is upheld. The specific committee aimed at Campus Privacy Officers is the Higher Education Information Security Council (HEISC) Advisory Committee. The work and research from Educause members is published in the Educause Review. The publication releases information about the recent advancements in technology and their potential impact on higher education.
The Society of Corporate Compliance and Ethics (SCCE) is a privacy organization composed of more than 7,000 members.[26] The members are primarily composed of compliance officers, like CPOs, within both the private and public sectors. SCCE members come from a variety of different fields, such as education, aerospace, banking, construction, entertainment, government, financial services, food and manufacturing, insurance, and gas and oil. SCCE helps their members stay updated on laws regarding privacy and ethics by hosting events or providing training videos and books. This ensures that the officers are complying with the current regulations. On top of providing members with educational resources, the organization also provides opportunities for compliance officers to meet and network with others within their respective industry. Members can also receive the Corporate Compliance & Ethics Professional (CCEP) certification and the Corporate Compliance & Ethics Professional-International (CCEP-I) certification.
The Freedom of Information and Protection of Privacy Act (FIPPA) sets privacy guidelines for Canadian universities. This law was created based on the existing privacy policies within universities. A study done with students from two Ontario universities shows that both faculty and students alike are unaware of FIPPA and other current privacy policies within their country. Faculty were unaware of the existence of a university privacy officer or the means to contact the officer. Both faculty and students in this study emphasized the need to create educational tools that explain these existing privacy policies.[27] Campus Privacy Officers help make these tools for students and faculty and fill in these information gaps among students and faculty on campus.
The Protection of Personal Information Act (POPIA) protects the collection of student data. This law ensures that higher educational institutions remain transparent by informing students why their data is being collected and explicitly indicating the intended use of this data. However, a 2016 study on South African universities highlighted how higher education institutions are not yet equipped to manage student data in a secure way.[28] There currently is not a governance system within universities that outlines how student data should be handled.
The role of Campus Privacy Officer falls under a variety of different titles on campuses across the United States as well as around the world. Here are some examples of privacy roles that are present within higher education:
| Country | Institution | Title |
| --- | --- | --- |
| USA | Auburn University | Director of Institutional Compliance and Privacy |
| USA | Duke University | Director of Privacy Compliance |
| USA | Indiana University Bloomington | Chief Privacy Officer |
| USA | Montgomery College | Information Security & Privacy Director |
| USA | New Mexico State University | IT Compliance Officer |
| USA | Rutgers, The State University of New Jersey | Director of Privacy |
| USA | University of Miami | AVP (Associate Vice President) & Chief Information Security Officer |
| USA | UC Berkeley | Campus Privacy Officer[29] |
| USA | University of Michigan-Ann Arbor | University Privacy Officer |
| USA | University of New Mexico | Information Security & Privacy Officer |
| USA | University of North Carolina at Chapel Hill | Chief Privacy Officer |
| USA | University of Texas System | Privacy Officer |
| USA | University of Washington | Institutional Privacy Officer |
| USA | University of Pennsylvania | University Privacy Officer |
| USA | Rowan University | Director of Information Security |
| USA | Stanford University | Chief Privacy Officer |
| USA | West Virginia University | Chief Privacy Officer |
| Canada | Queen's University | Chief Privacy Officer |
| Canada | University of Manitoba | Access and Privacy Officer |
| Japan | University of Tokyo | Chief Information Security Officer[30] |