January 28 is Data Privacy Day. Throughout the months of January and February, the EDUCAUSE Cybersecurity Initiative will highlight higher education privacy issues. To learn more, visit StaySafeOnline.
When employees hear the terms “compliance,” “privacy,” and “security,” it is often difficult for many to fully understand how these terms and the aims of these business initiatives diverge. So, how do they differ?
As defined by Robert Roach, vice president and chief global compliance officer at New York University, “Compliance is a systematic approach to governance designed to ensure that an institution meets its obligations under applicable laws, regulations, best practices and standards, contractual obligations, and institutional policies.”1 In other words, “compliance seeks to achieve accountability and transparency in all institutional operations.”2
In this vein, compliance is often viewed simply as “complying with the law,” and although this is perhaps true in many respects, compliance professionals would argue that compliance programs should seek to go a step further. Compliance professionals, especially those with an added ethics responsibility, often seek to communicate compliance as a “commitment to doing the right thing.” Getting employees to understand that being committed to doing the right thing will ultimately result in complying with the law is arguably the primary goal of a compliance function.
The generally accepted elements of an effective compliance function are seen as the tools that a compliance professional can use to accomplish this mission. Examples include the development of policies and procedures so that individuals have the information they need to make the right decisions, as well as training and education so that employees understand the policies and procedures and how to apply to their daily responsibilities. As we know, in a highly regulated sector such as higher education, there is a myriad of laws, regulations, and agency guidance with which institutions must comply. But, as compliance professionals often state, compliance with these requirements is a business function and not the responsibility of the compliance office. The compliance office supports operational compliance by acting as a portfolio manager of the regulatory matrix, leveraging the compliance program to ensure that all of the institution’s obligations are met by the subject-matter experts at the operational level.
As stated by Louis Brandeis and Samuel Warren, privacy is often defined as the right to be left alone, or freedom from interference or intrusion.3 However, in today’s digital environment the word has evolved to include a number of concepts including data privacy, in addition to the individual privacy alluded to by Brandeis and Warren.
Data privacy is generally focused on the use and governance of personal data and personally identifiable information. It might include putting policies in place to ensure that personal information is being collected, shared, and used in appropriate ways.4 For instance, there are legal and regulatory requirements (e.g., the Family Educational Rights and Privacy Act [FERPA] and the Health Information Portability and Accountability Act [HIPAA]) that colleges and universities must comply with throughout their daily operations. Here, privacy looks familiar to other compliance topics, similar to meeting obligations for campus safety reporting (e.g., the Clery Act), research (e.g., human-subject safety, conflict of interest), and other requirements.
However, the role of privacy offices in higher education may extend beyond merely complying with regulations at the institutional level (although this is also an important responsibility). The privacy officer is often also seen as an advocate for privacy at the individual level as the representative for the College’s constituents, including students, faculty, and staff. Data collection and use, monitoring, and physical surveillance may all be controls that help the institution comply with certain regulations, but these activities potentially implicate the ever-increasing considerations of privacy.
This is another area where privacy is distinct from compliance but necessarily overlaps with compliance initiatives. The privacy officer seeks to promote forward-thinking privacy considerations in college or university operations by considering the concepts included in various privacy frameworks, such as the Fair Information Privacy Principles, in particular the ideas of notice, transparency, and choice. These privacy concepts are also implicated in the operations of the college, where compliance may not have as big a role due to a current lack of regulation in a particular area. For example, the increased use of student learning analytics is not yet a regulated activity, but certainly there are privacy considerations in using these data for various purposes, including assessing higher education programs and activities, student engagement, and academic program achievement.
Security is important for both compliance and privacy. Security, as the primary responsibility of the Information Security Officer, is generally understood to focus on protecting data from impermissible access, including intentional malicious attacks.5 Certain regulations, such as HIPAA and the Gramm-Leach-Bliley Act (GLBA), require that security protocols exist. Compliance with these regulations requires an institution to put specified security controls in place.
For privacy, security is a well-known important principle. Institutions maintain the privacy of their constituents’ data by having security protocols in place to prevent against external threats and data breaches. Institutions also maintain simpler controls, such as ensuring that internal data use is appropriate. Physical security is also important for privacy, including surveillance and access control to data centers and/or hard-copy record rooms. But it is important to recognize that security is not the same as privacy. In other words, security is necessary for protecting data, but not always sufficient for addressing privacy.
As a brief example, consider surveillance systems. Surveillance videos may provide a sense of security to individuals on campus. But what about potential privacy concerns implicated by this particular security activity? An institution may have state-of-the-art electronic security software and protocols to protect any electronic data recorded. However, a privacy officer may ask what data are being collected? Where are individuals being surveilled? Where are cameras located? Why is surveillance necessary, and how are any data collected being used?6 Institutions must consider basic privacy principles, such as notice of data collection and consent to data collection, before collecting and using data.
By breaking down and understanding each of these important initiatives separately, it becomes clearer that while compliance, privacy, and security necessarily overlap and complement each other in a number of ways, they are separate and distinct disciplines with potentially different responsibilities. The compliance, privacy, and security functions within an institution must work together and at times be able to work through conflicting goals and perspectives. Compliance may require a solution to which security agrees but privacy does not. More often than not, however, each function’s goals that aim toward achieving a more secure, privacy focused and compliant institution will align.
- See “Building an Effective Compliance Program: An Introductory Guide”, NACUA, November 2015: 9.
- Warren Samuel and Louis Brandeis, “The Right to Privacy,” Harvard Law Review 4, no. 5, December 15, 1890.
- See About the IAPP, “Privacy v. security…isn’t it the same thing?”
- For additional examples and further discussion of this topic, I highly recommend Michael Corn and Jane Rosenthal, “Privacy, Security, and Compliance: Strange Bedfellows, or a Marriage Made in Heaven?” EDUCAUSE Review,48, no. 1 (January/February 2013).
Gary F. Miller, Jr. is the director of compliance and privacy officer at The College of New Jersey.
© 2017 Gary F. Miller, Jr. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.