A Day in the Life of a Chief Privacy Officer

January 28 is Data Privacy Day. Throughout the months of January and February, the EDUCAUSE Cybersecurity Initiative will highlight higher education privacy issues. To learn more, visit StaySafeOnline.

I’m currently the information privacy officer at Wayne State University Information.1 Privacy officers have several realms of responsibility. So, what do I do all day?

Policy and Compliance Activities

One area of responsibility involves policy and compliance. Like many colleges and universities, Wayne State is late to the “privacy party.” As a consequence, many universities have no policies that deal specifically with the protection of data, the appropriate stewardship of those data, or the data life cycle. In addition, there is often no single person in charge of scanning for changes in federal and state laws related to privacy and understanding emerging privacy risks that lurk in the IT landscape. Instead, several individuals might be looking at compliance with various laws and regulations, such as HIPAA, GLBA, and the Red Flag rules.2

As a result, one activity that takes up a great deal of my time is discovering what policies the university lacks, drafting those policies (or otherwise seeing that they are drafted), and shepherding them through the policy-making machinery.3 And how does one do that? That process typically involves a range of intermediate-level administrators (associate VPs, a dean or two), as well as faculty representatives, who would begin with a draft policy (which might come from another institution that already has such a policy). Various constituency groups — the academic/faculty senate or its leadership group, the council of deans, sometimes the student senate — will also need to review the policy. If you can cite applicable laws and the existence of policies at peer institutions, you will increase your odds of success. After the reviews, you’ll need to incorporate changes and might need to visit the president and/or the cabinet, who could ask off-the-wall questions or raise new issues. When the policy is final, you’ll need to work closely with marketing units to publicize it properly.

Another thing that may happen is that you will be known as the “policy guru,” and people will turn to you for help with other kinds of policies. For example, for the past six months I’ve been helping lead an initiative to enable “preferred names” for faculty, staff, and students. This turns out to be heavily IT-based but, as with strictly privacy-oriented policies, requires buy-in from many diverse groups (in this case including student and staff interest groups such as LGBTX committees), who will need to be included from the outset as well.

Privacy Consultant

Privacy officers don’t spend all their time wrangling committees. They also serve as consultants. As a policy officer, you will frequently be called in to consult on assorted privacy-related issues that arise, from data breaches (if there is personally identifiable data involved) to research-oriented conversations with faculty who are seeking grants.

Although many grants do not have special privacy-related implications, faculty at institutions with medical schools (or schools of social work, nursing, or pharmacy) might ask to handle large amounts of sensitive information (patient records, disease incidence, results of therapy sessions, DNA databases with individual DNA records, and so on). You might need to consult with faculty members, the CISO, and perhaps a lawyer about how a server is required to be set up or who should be allowed access to it. Recently I consulted with our CISO and our research IT specialist on how Ethernet cables should be connected to a server that had DNA data that the supplier had put strong constraints on.

One way that you can keep up with the changing landscape is to connect with privacy officers in your region and around the country, particularly those in the education field. The International Association of Privacy Professionals maintains a useful website. Their local meetings will also connect you with other privacy officers in banks, medical facilities, and large-scale industries — for example, I’ve gotten to know privacy officers in the automobile industry because I live and work in the Detroit area.

Finally, you may find you serve many masters, and that can involve meetings with two or more direct supervisors. I report to both the CIO and our VP and general counsel. As a result, I attend leadership team meetings in IT and staff meetings with the Office of the General Counsel.

Thanks to all these varied activities, you will need to get to know a large number of players across campus, from faculty researching “metabolites of polyunsaturated fatty acids” to the police chief to the chair of the academic senate. You will need to be able to pick up the phone and identify yourself and hope they say, “Hi, how was your weekend?” (rather than “Who are you” or “Oh dear, what did I do now?”). On the other hand, you’ll make friends across the entire campus and beyond. Moreover, you will likely have a good time doing all these things...until you get a phone call that begins, “Just found a server that wasn’t patched, and it’s been hacked....”

Notes

  1. Thanks to Wayne State’s chief legal counsel and our former provost for helpful comments on an earlier draft of this document.
  2. Of course, compliance areas go beyond privacy, including Title IX, Federal I-9 rules and state wage and hour rules, scientific misconduct, and so on.
  3. This process is sometimes also referred to “sausage making.” Although this concept is attributed to Bismarck, it seems actually to have been said by poet John Godfrey Saxe (http://en.wikiquote.org/wiki/John_Godfrey_Saxe).

Geoffrey Nathan is the information privacy officer at Wayne State University.

© 2017 Geoffrey Nathan. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.