A chief privacy officer shares four insights to help better understand several nuanced and easily overlooked dimensions of data privacy.
Pegah Parsi
Chief Privacy Officer
University of California San Diego
1. Privacy is much broader than just confidentiality.
Pegah Parsi: Privacy is much broader than just confidentiality. Okay. Many times when I engage with campus leaders or with vendors, what I hear is questions just focused on confidentiality and keeping things from being inappropriately disclosed, but privacy is much broader than that. We worry about things like individual rights, encroachments on civil liberties, consent, transparency. Here in the United States, we've gotten used to having a nice little checklist of things like names, Social Security numbers, email addresses, that we consider personal data, but we don't think about other things that count as personal data. Your location is very sensitive personal data. Your demographics, your IP address, even your MAC address, things related to your device are all considered personal data, right? Biometric information, all of those things. So when we are reviewing for vendors, it's important to look beyond just that checklist of the obvious things like names and Social Security numbers. Instead, we should really be thinking about what goes into describing a human being. Personal data means data related to a human being, and that includes all of the things about them, their behaviors, their location, characteristics about them, their preferences, even how they smell, right? Right. As we think about virtual reality, for example, it's important to think about these things. So a very, very broad definition, and people don't tend to think that way.
2. Privacy is not the same as security.
Pegah Parsi: Universities, administrators, even faculty, good grief, don't quite understand what we mean when we're talking about privacy. They don't understand this broad landscape. So many times what I see, and I dare say, I think many of my other colleagues at other universities see the same thing, where the organization equates privacy and security. Yes. I've seen that. Where they think, well, this has already gone through a security review. They've already filled out a HECVAT, for example. We've already checked their encryption at rest and encryption in transit, so why do we need to talk to a privacy person? Or the other place where privacy's conflated with other reviews: this has already gone through an IRB review. Right. For research purposes, why does it need to go through privacy? Those are distinct and different types of things. Or we already have a data governance structure. How is that different than privacy? So having an understanding of the difference between privacy and security, difference between privacy and confidentiality, difference between privacy and data governance, and difference between privacy and the review that an IRB does. Very important things to think about for an organization.
3. Privacy laws differ from country to country.
Pegah Parsi: When we are working with vendors or anyone outside the institution, it's important to understand that we are dealing with totally different laws sometimes or multiple different laws applying at the same time to the exact same type of information. So we, again, I think we've gotten used to thinking this is HIPAA-regulated information. This is FERPA-regulated information. But then once we start engaging with others, once we start putting our data to different types of uses, we might be implicating multiple laws. It might be HIPAA, FERPA, GDPR out of the European Union. It could implicate your state's license plate reader laws, your drone laws. It could really be anything. Your state's Information Practices Act if you're a state entity. So important to understand that it's a really convoluted world and it's much more than just one or two laws.
4. Privacy is old. Data privacy is new.
Pegah Parsi: Privacy has existed with us for millennia, for as long as we've been people. We understand our physical privacy, our space privacy, but data privacy is just so new and different that we're not speaking the same language. So we split privacy into four different things. Bodily privacy, territorial privacy, your stuff, your space, communication privacy, and then data privacy. Those first three, bodily, territorial and communication privacy, have existed with us forever. Right. We get it. We've got laws on the books, they've worked their way through courts. We don't always agree, but we're speaking the same language. Data privacy, not at all. Okay. Not at all. If you think back 30 years ago, 30 years ago, it was a completely different world when it comes to privacy and data. We didn't have Amazon the way that we do now. We didn't have educational technology the way that we do now. We didn't have Facebook or Twitter or Google, or did I already say advertising, educational technology. All of these things just didn't exist the same way. But if you think about the amount, just the volume and velocity of the data collected about each and every single one of us in the last 30 years. Staggering, staggering, mind-blowing. And most people don't think of it that way. They don't understand the gravity. Right? Right. They kind of tend to think of, okay, I've given this kind of information to my employer or this kind of information to Facebook or to Amazon. They don't understand the broad implication that many times those are exchanged. Those are bought and sold, and information about you is being again bought and sold and packaged and repackaged into different profiles of you. Essentially a digital profile, a digital footprint of you that is then used to make decisions about you, to manipulate you, to give you services. Right. It's not all bad. Many times it's good, right, right. To monetize your eyeballs, monetize your clicks, get you to vote a certain way, give you information, give you disinformation. So people don't quite understand what we mean when we talk about modern privacy. Yeah.