Privacy in Federal Government: A CPO's Perspective

min read

Image 1 - Kathleen Styles

Kathleen Styles is the first chief privacy officer for the United States Department of Education. She currently serves as senior advisor to the Secretary on departmental policies and programs related to privacy and confidentiality, which includes managing the agency's privacy, Freedom of Information Act (FOIA), records, information collection clearance, and FERPA operations. EDUCAUSE spoke with Kathleen about her career, her thoughts on the state of privacy, and where the privacy officer's role is heading.

 


EDUCAUSE: You started as an attorney early in your career and worked at the United States Census Bureau for almost a decade. What first sparked your interest in privacy?

KATHLEEN: I really love working at the intersection of the law, policy, and technology. My interest developed naturally when I was working at my prior agency, the Census Bureau, because federal statistical agencies are leaders in data management and confidentiality. Of course, when I went to law school there were no classes on privacy or digital law or the like—this is a new field, which I enjoy.


EDUCAUSE: You are the first person to hold the chief privacy officer title at the Department of Education. What led to the creation of this role?

KATHLEEN: I think the department realized that the schools needed some help with privacy. Schools, like the rest of the world, are caught up in a digital revolution. They are collecting new types of data through the use of educational technology, and records that would formerly be paper are now digital. That's exciting and promising, but it points to a need to address fundamentals, like privacy.


EDUCAUSE: What would you consider your greatest accomplishments since taking on the CPO role?

KATHLEEN: I'm really pleased that we've been able to step up and help schools address privacy challenges proactively. When we started providing technical assistance around student privacy five years ago, we were the only ones doing this. Now a host of other organizations have stepped up to help schools with this work, and I welcome them to the field. But I think we blazed the trail, and I'm proud of that.


EDUCAUSE: Compared to five years ago when you first started as a CPO, how have the main privacy issues or concerns in higher education changed?

KATHLEEN: When I started almost five years ago I thought my job would largely be about state longitudinal databases. While we still work in that area, a large portion of our privacy work now relates to educational technology in the school setting. In the higher education field, in particular, we're putting a lot more emphasis on data security, given that colleges and universities typically have highly sensitive data about students.


EDUCAUSE: How might these privacy issues or concerns change five years from now?

KATHLEEN: I wish I had a crystal ball! My best guess is that technology will continue to dominate privacy issues in education. Particularly in higher education, we can expect that students will use technology in new ways, and that they will interact with their professors and each other differently using technology. Privacy professionals need to stay on top of changing technology—as well as changing attitudes about privacy—to be able to address these issues.


EDUCAUSE: We hear a lot about big data and how it can transform education. Does this raise any privacy issues?

KATHLEEN: It does. Many institutions of higher education are doing promising work using student information to improve the likelihood that students will graduate. EDUCAUSE, of course, has been a leader in providing guidance on these "student success systems." The point I like to make on these systems is that achieving FERPA compliance isn't enough. Schools need to make sure that student information is being used to help students, not to limit choice or to profile. And schools should be transparent with their students about how they are using their data.


EDUCAUSE: How might the latest FERPA rewrite affect CPOs in higher education? There are also many security provisions in the rewrite. How might those changes affect higher education, as well?

KATHLEEN: While many bills were proposed, Congress did not amend FERPA in 2015. Many of the proposed changes would have affected K–12 education more than higher education, but you are right to call out security provisions. I think it is safe to say that future legislative proposals are likely to stress data security, both for K–12 and for higher education. Colleges and universities typically have many data systems, and many of those systems have highly sensitive data, so focusing on data security seems appropriate to me.


EDUCAUSE: What plans do you have for your office? Any new initiatives you'd like to share?

KATHLEEN: I'm interested in continuous improvement. I think we've done a pretty good job on technical assistance, with helping schools protect privacy. But I think we've got more to do on developing policy, on being more explicit about what is and is not permitted, and on reducing our complaint backlog. We've got more guidance materials in the works for 2016. While some of it is more related to K–12 than to higher education, we will definitely finalize a Dear Colleague letter that we issued in draft in 2015 dealing with counseling records on campus. Anyone who wants to be sure to receive new guidance as we issue it can sign up for our e-mail list here.


EDUCAUSE: How can CPOs (and chief information security officers) work with your department to ensure the privacy and protection of institutional records?

KATHLEEN: Talk to us! We have a hotline where we answer questions, as well as extensive online resources. We will even send staff for a site visit to help schools address any particularly thorny topics. You can contact us at [email protected].


EDUCAUSE: Where do you see the CPO role heading in the future?

KATHLEEN: First let me say how happy I am to work with privacy officials at institutions of higher education. I learn a lot from them, and I applaud schools that have created a designated privacy function. My hope is that institutions are able to work their privacy officials into business processes more, to involve them early in the process, so that programs can have privacy "baked in," rather than superimposed after the fact.


EDUCAUSE: What advice do you have for people who want to learn more about working in the privacy field?

KATHLEEN: Privacy is a great field right now. In the past, people have typically entered the field from the legal profession, or the IT security field. I think we're going to see more people entering from other fields—public administration, software development, data management—you name it. So my advice is to talk to those in the field, investigate professional organizations, and be flexible. Your job will not stay the same!


Valerie M. Vogel is program manager for the EDUCAUSE Cybersecurity Program.

© 2016 Valerie M. Vogel. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.