ARL Executive Director Mary Lee Kennedy invited EDUCAUSE President and CEO John O’Brien to talk about the importance of privacy by design and the critical need for collaboration between IT and research libraries.
This interview is reprinted with permission from the Association of Research Libraries (ARL). It was first published as Mary Lee Kennedy and John O'Brien, "Three Questions about Privacy for EDUCAUSE President John O'Brien," Association of Research Libraries (website), May 30, 2019.
ARL executive director Mary Lee Kennedy invited EDUCAUSE president and CEO John O'Brien to talk about the importance of privacy by design, and the critical need for collaboration between IT and research libraries. EDUCAUSE is a significant partner of ARL's, including our co-sponsorship of the Coalition for Networked Information (CNI). This interview complements the recent issue of Research Library Issues on the current privacy landscape.
Mary Lee Kennedy: What is meant by privacy by design, and why is it important to talk about?
John O'Brien: The privacy landscape is changing rapidly and dynamically. "Privacy by design" captures the absolute imperative in 2019 and beyond to be proactive and not reactive. Concepts of privacy need to be considered before and while we make decisions about new technologies of all kinds, not after all the decisions have been made. If we succumb to hype and build or purchase software without asking and answering privacy questions, we are taking on unnecessary risk. For the purchasing pathway, we strongly recommend using the Higher Education Cloud Vendor Assessment Tool (HECVAT)—quite possibly the most ungainly acronym of the decade—for cloud products or a similar deliberate array of questions for other products. At this point, the HECVAT is more about security than privacy alone, but it is still maturing and a positive step forward. And, of course, the worlds of privacy and security are inextricably interconnected in so many ways (though security does not guarantee privacy), as Valerie Vogel and Joanna Grama wrote about recently in EDUCAUSE Review ("The Yin and Yang of Security and Privacy"). In any case, expecting vendors to answer questions about their data privacy policy, their privacy related training, and their compliance with privacy regulations and standards to protect data makes important sense. Going into purchases privacy-aware is critical, and, of course, that same level of awareness is true when you're developing your own products for internal use.
It's important for so many reasons…let me suggest a couple:
First of all, when we are talking about privacy related to student data, that's really a moral imperative. In our 2019 EDUCAUSE Top 10 IT Issues, privacy suddenly appeared for the first time on the list, and near the top of the list (#3), atypical for our top 10, where items typically work their way to the top over a few years. I think external explanations for privacy's dramatic entrance may have something to do with the European General Data Protection Regulation (GDPR) and with the number of mainstream headlines announcing that the privacy of millions had been affected by data breaches in 2018 alone, but the more important explanation is discussed in detail by Susan Grajek in her excellent top 10 article. She clusters the top 10 issues into three themes, and the first are issues and opportunities focused on serving/empowering students, counting on analytics and technology innovation to enable much-needed improvements in student retention, persistence, and graduation. This is closely followed by the need for, again, data—in this case "trusted data." Here she points out that institutional leaders are gathering, protecting, integrating, and standardizing data, with a focus on meaningful and ethical use. No one will question the need to improve student outcomes. We need to make it every bit as axiomatic that we need to ensure student privacy to the best of our ability. And that means "privacy by design."
Second, I think it goes without saying that our students give us all the reason we need to give privacy the attention it deserves. The growing and increasingly complicated regulatory landscape alone makes the case for privacy by design. A great many in our community devoted months of time and energy to prepare last year for GDPR requirements, focused on protecting privacy and giving control to individuals, not corporations or organizations. Meanwhile, a number of states in the US are taking legislative action to add or expand their own data privacy protections, like California's Consumer Privacy Act of 2018 set to take effect in 2020. With the attention and agitation so broadly discussed, Congress has also begun seriously exploring the possibility of passing comprehensive federal privacy legislation. The main sticking point at this point remains whether a federal law should support or supersede current and future state privacy laws, but legislators from both parties in both chambers seem intent on working this out and moving forward.
So, at this point, the complete ramifications for higher education of GDPR itself are not altogether clear, and the uncertainty around all the other regulatory and legislative actions and possible actions compounds the lack of clarity. In the face of this much uncertainty, the one thing we can absolutely do is aim for end-to-end privacy awareness and an intentional bias toward proactive action.
Mary Lee Kennedy: How should leaders prepare for and engage key stakeholders in reaching the best possible choice when designing privacy?
John O'Brien: Well, first of all, I really appreciate the question…the plural "leaders" part. It can be so discouraging to hear conversations in which it's either implied or flat-out stated the IT leader is responsible for privacy or that if we create a chief privacy officer position then that person will carry the water for the rest of us. In fact, everyone needs to do the "preparing" and "engaging" to effectively protect privacy. (See our Higher Education Chief Privacy Officer Primer, Part 2.) If we're going to name names for leaders with some responsibility for privacy, the list is a long one, including librarians, information security officers, privacy officers, HR officers, safety/police officers, compliance officers, registrars, internal auditors, faculty, research administrators, and staff from government relations, records management, risk management, and other areas. I wonder if the list of who probably doesn't have responsibility would be shorter?
Back to your question: the progress we need most depends on collaboration across the communities we each represent. Privacy extends so very far beyond any single leader's sphere of influence, domain, silo, or however you want to describe it. Until we open lines of communication, we will continue to struggle with one campus domain area taking actions that meet one institutional goal while unintentionally causing problems in another area, like security or privacy. It's that old saw about privacy being everybody's business. Sure, it's a cliché, but it couldn't be a truer commentary on the leadership challenge for 2019. After all, these days all it takes for a department or even an employee to spin up an application that asks for, gathers, and manipulates (maybe even sells?) student data is a credit card—and sometimes not even that is required. So already you can see that IT is involved, the business office is involved, and improved awareness among all the departments along with that is essential if we want to point institutions toward what I earlier called end-to-end privacy awareness.
Mary Lee Kennedy: What is EDUCAUSE working on in the realm of privacy more generally, and how can research libraries be a good partner?
John O'Brien: I would say that EDUCAUSE is focused on an array of privacy-related topics. Data is both our greatest hope for addressing institutional challenges, and, in some ways, one of our greatest potential exposures. Fully half of the Top 10 IT Issues in 2019 directly involve data, along with the many challenges and opportunities it affords:
#1. Information Security Strategy: Developing a risk-based security strategy that effectively detects, responds to, and prevents security threats and challenges
#3. Privacy: Safeguarding institutional constituents' privacy rights and maintaining accountability for protecting all types of restricted data
#5. Digital Integrations: Ensuring system interoperability, scalability, and extensibility, as well as data integrity, security, standards, and governance, across multiple applications and platforms
#6. Data-Enabled Institution: Taking a service-based approach to data and analytics to reskill, retool, and reshape a culture to be adept at data-enabled decision-making
#8. Data Management and Governance: Implementing effective institutional data-governance practices and organizational structures
We are working with our community of volunteers to maintain the Privacy chapter in the Information Security Guide, which offers additional resources on privacy issues, common data protection laws, and useful information for chief privacy officers or those getting started in the privacy field. We offer a Privacy Community Group for broader discussions about privacy issues and challenges in higher education. To raise awareness, we are always on the look-out for opportunities. For example, we have promoted Data Privacy Day (January 28) to the higher education community in partnership with the National Cyber Security Alliance since 2012. In addition to encouraging institutions to show their support by signing up as Data Privacy Day Champions, we offer free privacy resources: webinars with privacy experts (most recently Elana Zeide, PULSE Fellow in Artificial Intelligence, Law & Policy at UCLA discussed "AI in Education: Legal Considerations and Ethical Questions"), guest blogs, and ideas for campus privacy awareness activities or events.
Of course, you'll also see sessions on all of these topics at the EDUCAUSE Annual Conference in Chicago in October, but our annual Enterprise Summit in April was deeply focused on analytics and the many aspects, including privacy, of making consequential use of data. The 2019 Enterprise Summit explored the future of analytics for higher education, with programming provided by EDUCAUSE and our partners, NACUBO and AIR. Finally—no surprise—our annual Security Professionals Conference features a substantive focus on privacy as well as security. This event is the best opportunity in the higher education world to connect higher education information security and privacy professionals.
Our privacy work is directly shaped by the strong voices of library professionals in general and research librarians in particular. In the special issue of EDUCAUSE Review covering the Top 10, there is an important article specifically illuminating library perspectives on privacy, and I think you can see here pretty clearly how research libraries can be key partners in this work. In the article, Wayne State University dean of libraries Jon Cawthorne says that librarians need to begin the work now to position themselves to be (if they are not already) leaders in campus conversations around privacy. Few have the expertise and knowledge of our research librarians, who have been designing and teaching the ethical management of information for a very long time, and I agree with Cawthorne that strong library voices in debates about privacy can help to "accelerate the process," especially given the unique trust students put in libraries. Research librarians can speak authoritatively when it comes to any number of aspects of privacy, and they can help to engender privacy concepts into the curriculum itself through their teaching and their advocacy.
As Swarthmore College librarian Peggy Ann Seiden notes in the same article, libraries are also directly in the fray themselves when it comes to their own integrated library systems, requiring all kinds of privacy considerations relative to anonymization of user data, what data to track (or not track), and so on.
Finally, I've been thinking a great deal about the considerable breadth and depth of digital ethics issues that extend even beyond issues of privacy. Whether we are thinking about the sweeping moral and ethical concerns related to artificial intelligence and machine learning, which may reinforce or amplify bias, or thinking about the potential for big data to become what Cathy O'Neil calls "weapons of math destruction," I believe that the academy must, can, and should lead the way in proactively engaging these topics. Ed tech hype and the potential for profit can at times create something of a frenzy in the market, and we depend on the deliberative thoughtful insights of academics, librarians, and technology and privacy professionals to lead the way in this brave new world of data and emerging technologies.
Mary Lee Kennedy is Executive Director at the Association of Research Libraries.
John O'Brien is President and CEO of EDUCAUSE.
© 2019 Association of Research Libraries. The text of this work is licensed under a Creative Commons BY 4.0 International License.