Ask a Chief Privacy Officer [video]

min read

The Chief Privacy Officer for the University of Michigan answers our questions about the growing need for privacy management, the policies and laws in place to protect our privacy, and how big data has changed the game.

View Transcript

Gerry Bayne: What is the difference between a chief privacy officer and a chief information security officer?

Sol Bermann: First thing to know is that I consider the privacy officer role and the CISO role sort of flip sides of a coin; they complement each other, and really you can't have one without the other if you're going to have good data protection, good privacy and security practices. The CPO role, or the privacy officer role, I really break out around sort of policies and practices related to the collection and the use and the sharing of personal information, as well as a large swath of what I'll just blatantly call surveillance and ethical considerations that are particularly important in higher education.

Sol Bermann: The CISO role is really about protecting data, and sometimes it's protecting it according to law, protecting it according to the policies and practices that you'd have the privacy officer write for you. So you can't really do one without the other. I could have all the great policies and practices laid out before everybody, but if I'm not actually securing the data in the background, if I'm not encrypting it, I'm not using 2Factor, I'm not using those tools, the data could all go away. Flip side is, I could have all the greatest security tools and techniques and technologies implemented, but if my practice is to give away data the minute somebody asks me to share it, whether it's with business partners, law enforcement ... without certain other best practices to prevent such things, then you really don't have privacy, so they go hand in hand.

Sol Bermann: There's a lot that CISOs do that could be extremely privacy-invasive. We have a lot of tools and a lot of data that could tell the private goings-on. What does your email look like? What are you writing? Who are you writing it to? What websites are you surfing through? All those are in my power to review, if need be. It's why you need a privacy officer, to check that and strike the right balance in the relationship. So overall complementary roles; partnership and collaboration is everything between them, and a healthy amount of tension isn't bad, but ultimately they have to work together.

Gerry Bayne: What are the biggest privacy issues facing higher education institutions?

Sol Bermann: Some of the issues are just getting people to recognize that privacy is a value. It's a value that, particularly in higher ed, underpins and supports values like academic freedom, intellectual free expression, student growth and development. All those have privacy touches that are becoming more important as we move into an era of big data, data science, analytics.

Sol Bermann: By the way, officially there's privacy-related laws we all have to pay attention to, whether that's FERPA around student data, HIPAA around health and medical data; the Common Rule, which talks about human subject research data. They all have strong privacy touches. None of them are just there for privacy; maybe the Common Rule's closest. But there's a whole compliance piece that we have to think about in the privacy world. That said, when I think about privacy in the higher ed context, it does go back to what I call the higher level math. So it's not just about meeting the spirit and letter of the law. If that's the only reason I was doing privacy in higher ed, I wouldn't have come back. It's about things like academic freedom, freedom of expression, freedom of association, student growth and development. All of those have strong privacy components, and ethical data use components, that if we don't pay attention to them it changes what we do as higher education professionals.

Gerry Bayne: What do you think of the EU's GDPR? How do you compare it to US policies?

Sol Bermann: So as a privacy professional, and as someone who considers themselves a fairly strong privacy advocate, I'm all for GDPR in theory. And I think that something that many, in the US in particular, don't understand is sort of its genesis. So the way we have approached privacy in the US, versus much of the rest of the world ... not just the EU, but we'll stick with the EU. It's fundamentally different. We see privacy as a set of laws based on data that are things we don't want shared. Health information. Might be, "I want to protect my education records from my parents. I don't want to share my loan information." So it's something called a sectoral approach.

Sol Bermann: Privacy in the EU is fundamentally a human rights issue, so think back to World War II or even pre-World War II and the number of fascist dictatorships ... actually pre, during and post World War II, whether that's the Soviet Union, Nazi Germany, East Germany and the Stasi, Salazar in Portugal, Franco in Spain. The way they stayed in power was to devalue individuality, and to pry into people's affairs and be able to hold that against them to get them to conform. It's a human subject, or it's a human rights value, and that this is now being pushed as part of the conversation is really heartening to me. Aside from just it being difficult to actually comply with GDPR, in the US and the EU frankly, I worry that we treat it in the US more like HIPAA or FERPA. That it's going to be treated as a compliance thing, as opposed to the real ... again, that higher subject stuff. This is about human rights, and about valuing individuality as opposed to conformity.

Gerry Bayne: Some are saying that privacy is dead and that we should "get over it." How do you respond to this sentiment?

Sol Bermann: We have privacy as a value and as a concept, not just in our laws, but in parts of our constitution. While the word "privacy" doesn't exist, we have concepts like no illegal search and seizure. Are we going to throw that out? We have the Fifth Amendment, and you have a right to not self-incriminate yourself. Are we going to throw that out? Those are privacy values. So yeah, in a world of pervasive data collection, big data, data science ... and value in it. It's not just that it's being done against us; it's being done for us. I hate to throw out the concept that has gotten us ... it's fundamental in the way this democracy, and many democracies, have grown.

Gerry Bayne: How is big data affecting privacy?

Sol Bermann: Big data is actually breaking long-held privacy practices, so the US in the wake of Watergate and in the wake of the McCarthy era actually had a privacy commission that helped instantiate fair information practice principles. Those principles informed how the EU has approached privacy. And big note, big, important values in those principles were transparency; you tell people what you're going to collect, why you're going to collect it. Use limitation; you only use the data for the purpose you collected it. Don't share it with people you don't need to share it with. In the big data world that's turned on its head. We don't know what we want to use the data for. Of course we're going to use it for other purposes, and we want to share the data because there's such value in sharing of the data, whether that's to inform how government happens, how higher education happens, or even how we can take advantage of consumers in businesses.

Gerry Bayne: Can you share a privacy awareness success story from your institution?

Sol Bermann: The great part about being at Michigan is we have a number of faculty that are not just privacy-aware, but this is their field of study. Probably the biggest thing I can think of is, we had a data privacy day, so every year January 28th is International Data Privacy Day. So clearly, it's still a value out there, and a faculty member and I partnered to put together a half day worth of program that brought in expertise from both the university, as well as actually ... we had some international folks who videoed in, and it was a event that surpassed our expectations. We had hundreds of people attend; we had a lot of follow-up. We actually sparked some interdisciplinary conversations and research opportunities that, if that hadn't existed ... boy, things that might have been lost.

Sol Bermann: So that actually grew out of another privacy-related, faculty collaborative effort that I co-convened with some faculty members in our school of information and our College of Engineering, and other departments, where we on a periodic basis put together conversations about the confluence of technology, privacy, security, law, and policy. And so if you wanna look it up, Dissonance at UMich ... somewhere along those lines, if you use those two words in whatever your search engine of choice, it should come up. But we touch on a lot of the subjects, whether that's the Apple and FBI encryption debate, to privacy in the big data world or in an Internet of Things world.