Privacy in Higher Education: A CPO's Perspective

Kent Wada

Kent Wada, Chief Privacy Officer and Director of Strategic IT Policy at UCLA, has been an active EDUCAUSE member and volunteer for nearly two decades, including as a member of the EDUCAUSE Higher Education Chief Privacy Officers working group and as a contributor to the recent paper "Security and Privacy," part of the ECAR series Big Data in the Campus Landscape.

Kent received the Privacy Leadership in Education Award from the California Information Security Office on September 30, 2015, and EDUCAUSE took this opportunity to interview Kent about his career, thoughts on key issues in privacy, and suggestions for others interested in working with privacy in higher education.

EDUCAUSE: Congratulations on your award! You are a luminary in this area, so who better to chat with about privacy as we get ready to celebrate Data Privacy Day on January 28?

KENT: Thank you! It was an honor to receive that award. If I've been successful, it's certainly related to privacy having been a part of the fabric of the University of California for a long time. But it's also very directly because of a unique confluence of factors at the UCLA campus. First, a vice provost — my boss — who believes privacy is as much a fundamental aspect of the academy as it is of the administration and works to bridge the two in many areas. Second, a complement of deeply engaged faculty and administrators who have engendered some of the richest and most enjoyable discussions I've had the privilege of being a part of. Third, an institutional structure, our Board on Privacy and Data Protection, which this month is celebrating its 11th year. The result has been something quite amazing not just for the campus but also for me personally.

EDUCAUSE: You have a background in security and policy. What led you to privacy? Did you intend to follow this path, and have you always been interested in this area?

KENT: I love the latest gadgets. But I've also always been interested in how new technologies impact society and change our lives, both for the good and the bad. Part of my personal commitment is to ensure civil liberties and social justice.

What makes this area so intellectually absorbing is that the "right thing to do" — particularly in the cyber context, where things are in constant flux — has a fractal-like complexity. Whether we're talking about privacy, information security, copyright, or IT accessibility, there are vexingly difficult public policy questions to work through. Zoom out from any of these areas and you see even more fiendishly complex policy issues when finding a good societal balance across domains. In the campus context, technology policies can articulate an institution's stance, a combination of its values, goals, and obligations. Collectively, they begin to give a view of what an institution stands for, what it believes is important.

Privacy sits at the intersection of many of these important societal questions. Issues of privacy and ethics are arising at the core of our mission of teaching and research. My focus has been on privacy issues for some time now, and I am interested in the area, so it wasn't a big leap for UCLA to align my title with my work. I feel exceedingly lucky that UCLA has afforded me the latitude not just to focus on today's fundamentals but also to actively participate in shaping the path in front of us.

EDUCAUSE: You are the first person to hold the chief privacy officer title at UCLA. Why did UCLA think it was time for a CPO?

KENT: It was 2012, and UC was close to issuing a report on how to balance the privacy and information security needs of the university. The report was the result of an intensive two-year initiative charged by then-President Mark Yudof, and one of its recommendations was that every UC campus designate a privacy official. I became chief privacy officer before the report was issued, but it was entirely in alignment with the recommendation.

Once the report was issued from the task force and that recommendation had been accepted, I was joined by nine other privacy officials in the space of about a month. They come from a spread of areas: IT, information security, records management, compliance, legal, or the existing HIPAA privacy office. It's wonderful now to be part of a "local" community, and I'm very, very proud of everyone who put in so much effort along the way to make that moment a reality.

EDUCAUSE: Do you think that a focus on privacy is being reflected across the larger higher education landscape?

KENT: Yes, I think so. Five years ago, there were exceedingly few privacy officer roles in higher ed, though of course the reality is that, like me, there were people all over doing pieces of the role as part of their existing jobs. And it's not as if we didn't all have existing offices responsible for compliance with FERPA, HIPAA, and other obligations. But the notion of a role that considers privacy holistically, beyond compliance, and across the institution — the way a chief information security officer (CISO) does for information security — is newer.

Our ranks are growing steadily. I think it's reasonable to use the continual growth of the EDUCAUSE Higher Education Chief Privacy Officers Working Group as a metric in this regard: people who have institutional responsibility for privacy, whether or not privacy is actually in their title. Some are in charge of mature programs. Others have been charged with creating a privacy program for their institution because of their personal interest.

As we returned from the winter break and started 2016, I was delighted to hear that Geoff Nathan had been formally appointed the first privacy officer for Wayne State University, after informally building support for some time. I wrote him, "With your appointment, we're now up to a few dozen institutions with privacy officers. Only a few thousand left to go!"

EDUCAUSE: So, it's still a work in progress.

KENT: Yes, it is. I do feel as our community grows and we become more visible, more institutions are recognizing the value of having something in place. UC's report deliberately used the term "privacy official" instead of "privacy officer" in its recommendation to emphasize that a new or dedicated position wasn't necessary. Instead, it was more important as a first step to make privacy visible by naming it and identifying a point person.

I recently attended a dinner party where I introduced myself to someone as UCLA's chief privacy officer, and 10 minutes later that person introduced me to someone else as a security person at UCLA. It's quite common that an institution's CISO will also become its first privacy officer: generally, the first critical path will have to be to enhance and ensure data protection and incident response, and the CISO is already on that path. Simply adding "privacy" to the CISO's title somewhere implies we're talking about two different hats worn by one person. This sends a message to the community but also reminds us as practitioners that sometimes our roles will be in conflict with one another.

I'd assert that a primary function of the privacy officer role is to be the voice of the people whose data we steward, typically not a voice at the table in institutional deliberations. This doesn't mean that I see my job as "just saying no" in order to drive risk to zero — an out-of-office message that just replies "no" would be much cheaper if that were the goal. Regardless of our role, we each represent an area or interest, but ultimately we all need to come together to enable the institution's forward movement.

To quote UCLA's statement on privacy values, "UCLA recognizes that there is a constellation of values and of legal, policy, and administrative obligations that are always in play." Privacy is one of those values, and it's neither more nor less important than the other factors we must consider. The mechanism by which we converge on an institutional stance depends on the discussion we commonly call "governance."

EDUCAUSE: Where do you think the privacy role is heading?

KENT: Higher education's compliance obligations, in privacy as in every other realm, only continue to grow in scope and complexity. Being good stewards of information about people is crucial, no matter what sector you're in. Reputational loss is often one of the consequences of a data breach, but another way to put it is loss of trust.

Creeping people out is a way to lose trust: using data in a manner that surprises them, or having more data about them than they expected. We've traditionally relied on the fair information practice principles, in particular, creating transparency through notice and consent: describing what data we're collecting and why, how it's going to be used, etc., and asking for consent to do so (think about those HIPAA forms you sign every time you go to your doctor's office). Many people feel that notice and consent is no longer possible in the era of big data, where there is massive aggregation and reuse of data: you can't preconceive of every use of the data in advance, nor can you realistically go back and ask for consent every time you have a new idea about how to use data.

In our context, there are huge opportunities in analytics for student success, medical research, and more. Having a student drop out with crushing debt is the worst-case scenario. How far do we go to prevent that? We may never be Big Brother, watching our students' every move and prescriptively circumscribing choices to maximize their success. But what about "Big Mother," whose surveillance is for your benefit and who nags you to do this or that? How would the governance questions be framed when there are so many possibilities and so few guideposts? These are not my decisions, but as CPO I have an important part to play in the discussions.

To that end, UCLA administration and the Academic Senate have jointly charged a task force to look at data governance issues, particularly the appropriate and ethical use of data. I co-chair the task force with a faculty member. I hope we'll have some "answers" — and I use quotation marks on purpose — soon.

EDUCAUSE: Going back to your recent award — we know a lot of people would want to learn more about the CPO role from you. What would you say to someone aspiring to be a CPO or just tasked with defining such a position?

KENT: Find a community to help strengthen your voice. When I assumed the CPO role, I felt — not for the first time — that I was going to have to find a new community of people to talk to and be supported by and be supportive of. I found those through EDUCAUSE, the IAPP (International Association of Privacy Professionals) and the Privacy Law Scholars Conference, and now I have a personal network of people in higher ed who are, if not directly engaged with privacy, concerned with those issues. They are a continuous source of ideas and inspiration to help me move forward and keep my head above water in those moments of feeling overwhelmed.

Building community is just as crucial within your own institution: success requires collaboration. But I've been lucky at UCLA in having so many key people, both from faculty and in administration, being so supportive. They don't necessarily agree with everything or may agree to different degrees, but they have respect for me, as an individual, and for the area.

Valerie M. Vogel is program manager for the EDUCAUSE Cybersecurity Program.

Karen A. Wetzel is program manager for EDUCAUSE ECAR Working Groups.

© 2016 Valerie M. Vogel and Karen A. Wetzel. The text of this EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.