Strategic Annoyance: Why Privacy Matters for Higher Ed


EDUCAUSE Shop Talk | Season 3, Episode 2

To mark 2026 Data Privacy Day, Sophie and Jenay talk with higher education Chief Privacy Officers Pegah Parsi and Tryphaena Hooper about building a privacy-forward culture, protecting and governing personal data, and understanding the autonomous nature of privacy.


Takeaways from this episode:

  • As the digital world becomes increasingly complex in the age of data collection and AI, users should be willing to push back on entities collecting data to create a more privacy-forward culture.
  • Institutions have unique privacy responsibilities and hold large amounts of personal information, requiring them to think intentionally about how they protect, govern, and use data and educate faculty, staff, and students.
  • Privacy is fundamentally focused on autonomy and agency, and security alone does not guarantee privacy.


Sophie White: Hi everyone. The latest episode of EDUCAUSE Shop Talk, we recorded in honor of Data Privacy Day. And we had a really great discussion with two Chief Privacy Officers, Pegah Parsi and Tryphaena Hooper. I think you'll really enjoy this conversation. I thought it was fascinating. In it, we talk about how higher ed institutions kind of function like small cities. They have a huge range of personal information and data to protect. And in our increasingly complex digital world, we really have to think about how and why our data is being used. And then we had a little bit more of a philosophical discussion about what it means that privacy is a human right and how it is fundamentally different than cybersecurity, but how both of these fields interact together. And then at the end, you'll hear a bit more about how institutions with different levels of maturity in their data privacy programs can get started and some additional resources for how you can use EDUCAUSE resources and the community to get started in your data privacy work.

***

Sophie White: Hello everyone and welcome to EDUCAUSE Shop Talk. This is our EDUCAUSE podcast where we talk about important issues in higher ed and technology. I'm Sophie White. I'm a content marketing and program manager here at EDUCAUSE, and I am one of the hosts for today's show.

Jenay Robert: And I'm Jenay Robert. I'm a senior researcher at EDUCAUSE, and I'll be your other host.

Sophie White: Great. And this episode today is inspired by Data Privacy Day, which is an important day to think about how we look at data privacy in higher education and just across the world. We are really excited to have two wonderful chief privacy officers with us today to chat more about data privacy. So I'll introduce them and then we'll jump into it. First up is Pegah Parsi. Pegah is the Chief Privacy Officer at UC San Diego, where she focuses on ethics and privacy as a foundational human right. She is also of counsel at XL Law and Consulting and serves as a consultant for various advocacy organizations. Thanks for being with us, Pegah.

Pegah Parsi: Thanks for having me.

Sophie White: Great. And we also have Tryphaena Hooper. Tryphaena is the Chief Privacy Officer at the University of Chicago, where she leads institutional privacy strategy to protect personal information across the university's research, instructional and administrative missions. She also serves as co-chair of the Big 10 Academic Alliance's Privacy Officer Group and as a member of the EDUCAUSE HECVAT Advisory Committee. Thanks for being with us, Tryphaena.

Tryphaena Hooper: Thanks for having me.

Sophie White: Great. And the HECVAT advisory committee, can anyone name what HECVAT the acronym stands for?

Tryphaena Hooper: I’m so bad with acronyms. Higher education is the first two.

Sophie White: Good start.

Tryphaena Hooper: The V stands for vendor, and I think C is community, but I forget what the AT stands for off the top of my head.

Pegah Parsi: Under assessment tool.

Tryphaena Hooper: Assessment tool. Yay. That's right. That one.

Sophie White: Great job, everyone. That was a trick question, but-

Tryphaena Hooper: Teamwork makes the dream work.

Sophie White: Exactly.

Jenay Robert: How many higher ed leaders does it take to deconstruct one acronym in higher education?

Sophie White: For anyone who doesn't know, it's a really powerful tool that is community created to help with procurement in higher ed. So it's a way that institutions and vendors can work together to make sure that they're filling out the same survey, streamlining the procurement process to keep privacy and security in mind. I feel like I should explain what it is before we just talk about the acronym. So thank you both for being with us. I'm really excited about this conversation. I think privacy is such a fascinating discussion. And Pegah, I think I've been to two of your pre-conference sessions now at the Cybersecurity and Privacy Professionals Conference. And I'm just really amazed by how privacy officers have to think about the technical elements of data privacy, the ethics about the types of information we should be collecting, where it should be shared, the legal and compliance related subjects, and the technology and collaboration elements too of working across the institution with all of these different stakeholders. So I'm thrilled to have you both here to talk about it. And I'm curious, let's kick it off by just talking about and maybe defining privacy a bit. So from both of your perspectives, can you talk about what privacy is and if it still exists in our current day and age of AI rapidly changing technology and all of that? And then I'm curious if you think it is different in higher ed versus other places.

Tryphaena Hooper: Often when I would do trainings, the first slide is always about what privacy is, what does it even mean? Essentially, who are you? Why are you talking to me about this? And I would often explain it through the lens of people think of it in terms of the right to be left alone. Essentially your right to decide who can see what you're up to and when. And to a certain extent, we may or may not have that ability. But I think privacy will always exist as a concept because not only is it ... We understand it to be a fundamental human right, but we also know our level of comfort. There's some things that are for the public, some things that are not for the public, and I don't think that's ever really going to change. Surveillance culture changes certainly, but there's always, I think, running parallel with that people's idea and concept of what they're comfortable sharing out into the world at large and the level of agency they have in that share.

And I speak as somebody who's from the before times, before social media versus after. What you want to put out there, I think is essentially how I consider privacy to be and why I think it does still exist, even though there's a lot of reasons to believe that it doesn't exist in the same way that it used to.

Sophie White: Sorry. Oh, go ahead, Pegah. I was just going to say, I love the take on the right to being left alone, I think is so important and just a really helpful way to frame that. Pegah, do you want to add to that?

Pegah Parsi: Yeah. The way that we talk about privacy on my campus and in my trainings is about autonomy and agency over yourself, your various domains. And we split those domains into bodily or intimacy privacy, who has access to your body and for what purpose? We talk about territorial privacy, who has access to your space and for what purpose, communication privacy, who has access, you're getting the gist of what I'm saying, who has access to your communications and for what purpose? And finally, data privacy. Who has access to your data and for what purpose? So those three bodily, territorial, communication, and data privacy can comprise the full spectrum or all the different domains of what we mean when we talk about privacy and you having autonomy and agency to decide what happens to your body, your data, your comms, etc. So it is truly this foundational right that we have to our own personhood.

And I know that sounds really like, okay, now we're getting into philosophical hippie dippy land, but that is in fact what we're talking about when we talk about data privacy. It's not about protecting one row or data element. The real thing is we're trying to protect people and their livelihood and their personhood. And I think that it is very fashionable to say privacy is dead, look at all this big data, now we've got AI. But frankly, privacy is such an inherent part of being a human and interacting, being a social human that while it certainly does ebb and flow with times, with technology, with advances, with political situations, it never entirely goes away. There are lots of things that have changed our thoughts about what is private and what isn't. It used to be that toileting used to ... Many centuries ago was just out there.

It was not a private thing until we started having standalone rooms for toileting. Then it became a more puritanical thing about bodies and not having access to that. And it became a private thing. When photography and cameras were first invented, that was a huge privacy thing for folks where they were like, "Oh, you're actually capturing this essence of me." You can imagine if you've never had a photo of anyone taken and all of a sudden there's a photo of you that's going to outlast you, that you're going to die and that thing still exists, you can see where that would be like, "Oh, privacy is dead. It's all gone." So we've had so many different things that have changed our understanding of privacy and our tolerances and our sensitivities. Sometimes it goes up, sometimes it goes down, but it never goes away. To answer the last part of your question, which was, is it different for higher ed versus other industries?

I think, I don't know if it's so different, but we have in higher ed, we have just so much and such a variety of information about people. We think of ourselves as we're an educational institution. Sure. So we have educational data, but we also provide healthcare for folks. We house folks, we feed folks, we arrest folks, we give them entertainment. We're essentially an entire city. We're providing entire services for people and they're under a microscope for the period of time that they're with us. So to that extent, I think it's a little bit different than if you're an Uber or if you're a Netflix or something, it's a little bit different, but generally speaking, we all have the same obligations to folks to be careful.

Jenay Robert: I wonder if it would be helpful as we're talking about the essence of what privacy is. Something that was definitely an aha moment for me when I ... My background is education research, and so data privacy is part of that to the extent that it is for most researchers who do human subjects research, but I don't think I truly understood privacy as an independent construct until I came to EDUCAUSE and started working with your amazing community. And one of the aha moments for me was really some people explaining to me the difference between data privacy and data security, because I think that for the typical person on a campus, those two things often become conflated. I'd love to hear your impression of that. Maybe I have it all wrong. I think for me, I had just mushed those together, but what are some of those differences that might help people wrap their heads around these things?

Tryphaena Hooper: I mean, I think most people do see them together, especially when you're talking about data breaches. And in those scenarios, people kind of think of security first, getting the system back to rights and privacy is often an afterthought because we come in after. And okay, so now that the dust has settled, what has been compromised? Who do we have to tell? What obligations do we have? I've heard it explained a number of ways. And the ones that stuck with me was you can have ... We are functions that are reliant on each other to be successful. I mean, obviously I could keep things private by sharing absolutely nothing, which would be very much a frustration of purpose of the mission of most institutions that need this data to do what they do academically, research-wise, and institutionally. But I've heard it explained as a faucet and the water that runs through it, that security enables privacy, that the deployment of their tools allows privacy to happen, but privacy is the decision about whether or not to turn the water on.

I've also used the example of in a bank, there's different controls. You may have security guards, but you also have the tellers that are doing that identity verification, and one kind of can't stand in the place of the other. You need all of those things to happen to make sure that your money is where it's supposed to be.

I mean, I never came up with a really good analogy, but I have always been a privacy nerd because that's how I started. My husband is in IT and does that stuff. And so I see the distinction really cleanly because we don't speak the same language. And I think that is also part of the conversation that we use similar terms, but not the same way. And I think for me, the most important distinction or what I usually try to focus in on is as a privacy professional, I'm also concerned about authorized uses of the data as well. I'm not necessarily always worried or only worried about somebody coming in who shouldn't be. I'm worried about our users and our uses of the data to make sure that they're in alignment with the promises that we've made. So I'm kind of like, when you have the lock on your front door and you let the person in, from the privacy perspective, I'm curious about what they're doing in my house and are they rifling through my drawers and stuff? That is a privacy problem, but not necessarily also a security problem because that person is authorized to be in there.

They're just not authorized to do what they're doing, which makes it my problem.

Pegah Parsi: I use a room and the lock analogy too, Tryphaena. So I think that one strikes people kind of get that image. One way that I ... I agree with everything that you said, so I'm not going to repeat any of that. Some of the examples that I give are, for example, when you think of the NSA, the National Security Agency, they're a very, very secure entity. Think about how secure they are, but would you ever equate them with privacy? That is one of the main things that you throw at the federal governments. It's like, "Oh, the NSA is spying out. Why are they collecting our information about our phone calls, etc, etc." So you can be incredibly secure and lack privacy. So you need security in order to have privacy. You can't have it without having security, but security is not sufficient.

Security is necessary for privacy. It is not sufficient for privacy. As Tryphaena was saying, there's a lot of questions around appropriate use, appropriate disclosures, minimum necessary collection of data. There's a lot of other things that have nothing to do with whether or not you locked the door and allowed access to the right people. There's a lot of other questions. Not to just throw the NSA under the bus, but also things like Facebook or 23andMe. Also very secure, not particularly privacy protective. So those are examples. Another one that I like to give is Grindr. Grindr a few years ago, that's an app that's popular with the LGBTQ community. Grindr asks its population, I don't know if it still does, but it used to ask its population whether they wanted to voluntarily disclose their HIV status, which you might want to do because it's relevant in a dating situation.

So you might want to have that as part of your profile that's shared with someone you match with. People were giving this voluntarily and Grindr was keeping it very secure, but part of their business practice was that they would license this information out to other entities. So they were selling or licensing out this information very securely. It was secured in transit and it was secured at rest, but they were sharing it and using it for purposes that people did not know. So that's another way or another example of how we can think about security versus privacy. There's plenty in the higher ed world too. Just because I'm a student there, can you use my data to make me a guinea pig for your research? Well, sometimes maybe, yes, and sometimes maybe not. If I'm there and you, whatever university you are, you have just a treasure trove of info about me.

Can you sell it to marketers? That's not a security question. That's a purely privacy one.

Sophie White: Oh, I think these are great examples to think about what privacy means in practice. And I like how you talked about the differentiation between something can be secure, but not necessarily private. I'm curious, Pegah, in your bio, you talked about being an advocate for privacy as a human right. And I feel like sometimes I hear from people something like, "Oh, I'm not worried about if anyone gets this data. I'm not doing anything bad, so it shouldn't be an issue for me." What would you say to someone to maybe convince them that it should be a foundational human right that is worth fighting for or thinking about or intentionally protecting?

Pegah Parsi: Yeah. Privacy, first of all, just to dispel that isn't just for people doing something wrong, it's not just for important people, it's not just for rich people, it's not just for people that want to cut the cord and go live off in the woods. It impacts each and every single one of us all day, every day. And if you don't understand why, here's the quick way that I explain it, is that there is just a gobsmacking amount of data collected about each and every single one of us all day, every day, from your phone to your interactions with just walking around the world, there's security cameras, everything is collecting information about you. This thing is no further than three feet away from me all day, every day. It asks about my location, it asks access to my photos, to my texts, to my camera, to this, that, the other.

Every app is collecting something about me. And all of that, you say, "So what? If you're not doing anything wrong, what do you care?" Well, it's not just about doing anything wrong. It's about taking that, selling it to data brokers, data aggregators who then package you into a digital you, right? There's various digital you. There's a digital Pegah that's made up of all the data about me or any data that someone can buy about me. There's a digital Pegah, there's a digital Sophie, digital Tryphaena, digital Jenay, right? Many of them, and they're being bought and sold left and right. Advertisers are buying this so they can get just the right little nudge to you at just the right time. And they will profile you. They will say, "Oh, this is a person that is a depressive eater, or this is a person that is shopping in the middle of the night because of they're a new parent and they're terrified." So if they're searching something in the middle of the night, they're desperate and so we're going to hike up the price. So there's surveillance pricing. There's a reason why you get a different price when you search for a flight than I get to when I search for a flight.

They might tag you as a last minute voter. So in that case, just the right little nudge to you might make you stay at home on election day. So lots of different things happen to you that have nothing to do with whether or not you're doing anything wrong. You're just being moved around in the world and either manipulated or monitored or nudged or controlled or what have you at any part of that spectrum for lots of different things, whether it's to monetize your eyeballs, get a vote, get you to behave a certain way, think a certain way. And I think that's incredibly important to our person.

Jenay Robert: I like to talk about how a few years after I got married, Facebook started advertising to me things like, "Do you need to sell your wedding ring? Are you looking for divorce?" And I'm like, "Have I reached some time threshold?" Is there something ... And I was really trying to think, and it's funny as a researcher, when these things you get certain advertisements or certain ... And then you start thinking, "Okay, what is it about my digital profile that made me receive this? And how can I manipulate my algorithm back again?"

Sophie White: Yeah, that's so helpful. It seems like a discussion about foundationally our own human agency over our own decisions and the fact that all of these different uses of our data can influence us in ways that we don't want to or necessarily consent to. So thanks for framing that. And I'm curious, thinking about the higher ed context a bit more and our mission as higher ed institutions to teach this next generation of students to learn about all of the things that they have in their academics, but also to be good global citizens, stewards of the environment, stewards of data, all of these really important things. How do you communicate to students about how they can protect their own data and maybe how to push back or challenge or question the institution and how they might be collecting and using data?

Tryphaena Hooper: I mean, I would defer to Pegah because that's something I've been working on since I've been in privacy in higher ed. And I am still a student. I'm working on a PhD, but when I had come in, I had just finished a master's as well. And so I saw it from that perspective that how no one had ever spoken to me about my privacy. I get one FERPA statement a year and how I didn't know what privacy was. If I had, I probably would've went into privacy sooner when I got out of law school, but I didn't know about it as a concept. So I would like to talk to students. I want them to feel empowered because I feel like that's a core principle that I want to espouse in the work that I do. I think it's mostly about people. And so if people don't know what their rights are, how are they supposed to access them? How are they supposed to object? And this isn't something that I know a clean answer to because there's this push-pull, and especially with regards to things like research where very often you want people to kind of ... If you ask them to opt in, they won't. And so there's this push to kind of like, oh, well, get passive. It doesn't feel good. It doesn't feel good. And I feel like if students got more clear messaging around it, there would be more conversation about it. And I think that there should be. But the number of times where I've seen an incident where student data was misused in front of the student and the student isn't the one who reported it because they didn't know that they had the right to complain or that that use wasn't allowed, it happened more than I wanted to see. So I don't know how do you engage with students effectively because I know they don't come to office hours and I know they don't want to sit through another training.

So what methods have you found, Pegah, that get them hooked in?

Pegah Parsi: Yeah. So you are not alone. Neither are you alone nor are students unique. Meaning it's not that students somehow don't have knowledge that miraculously the rest of society has. The fact is that where we are right now in privacy is unprecedented. Where we are with the amount of data collected about an individual throughout their life is unprecedented. I talk as Sophie knows a lot about like, if you think about just a mere 30 years ago, the world did not look the way that it does now as far as data goes and as far as privacy goes. There was not this much information about me out there. My digital Pegah was limited.

We didn't have Facebook and Google and Amazon and ad tech and ed tech and etc, etc, in the way that we do today anyway. But thinking about the way that the world has changed in these thirty years, it's almost unfathomable. So, I think it makes sense that people don't know yet. It's okay. It's all right. It's not like, "Oh, we've been reading and doing arithmetics for millennias, so why don't you know it as a student? We need to teach you." It's not that. This is a brand-new thing. They're learning along with the rest of society. So, I go easy on trying to engage because it's a lot. They already have a lot on their plates. What I like to do is first of all, find my faculty champions that I know care about privacy. And I've had pretty good success with getting them to embed some privacy into their either syllabus or their class.

So they're pushing it out in a different way to their folks. I meet with our student body, both graduate and undergraduate. I go and do a presentation to them once a year just so they can get the word out that, "Hey, if something goes wrong or if you just feel like something is icky for you, there's a place to go ask that question, and that's a Pegah. We have a Pegah on our campus. Go ask her a question." So getting the word out just to be aware that there is somebody, if you have a question, can go a long ways. I have not found a way to get everyone to have the same understanding of privacy or to have even a robust understanding of privacy, but step-by-step, that's a societal work that we're trying to do.

Sophie White: I really liked your point about how students are maybe just a microcosm of how the rest of the world is thinking in regards to privacy and the way that we're increasing the amount of data about us. And I feel like what I always struggle with is how do you live in this digital world while keeping privacy top of mind? There's so many instances where we're encouraged to quickly scroll through a terms and conditions and then check the box. Or I was just thinking about this yesterday, I'm going to a bachelorette party in a few months and was asked to sign up for a class at a yoga studio I've never been to in another state and they asked for my birthday and my email address and all of these things and I needed to do it in order to sign this waiver that the group is doing.

How do I push back on that and still be friends with this person, be in the social world, make sure that I'm living in this digital world that we do now? So do you have thoughts on just how to meet that balance of being part of this digital ecosystem that we find ourselves in while still making sure we're protecting our own privacy?

It's not an easy question, but ...

Tryphaena Hooper: It's a daily struggle. I speak as somebody who ... I use 23andMe, but I also didn't sign the waiver for my campus about using my photo and things. I think a lot of it is about thinking about what is most important to you and also more practically, I don't give out phone numbers because I don't want to get called because I do in fact get called. And if you get into somebody's database, you're just there forever. Got a call from a vendor this morning, second time in six months from my personal phone number because I've used it professionally, whoops, never published it, someone got it, they still have it. And so that became something I was sensitized to. And now I will just ask, "Where'd you get it from? That's weird and icky and I don't like it. Please take it off." And sometimes I'm less sensitive.

It's just knowing where to look. And I recognized when it came down to reviewing vendor contracts, how dense the terms and conditions get and the purpose is for you to not really engage with it and not really look. The other thing, and I have a soapbox about this, this is a tangent that isn't really a tangent.

Sophie White: All right, go on the soapbox.

Tryphaena Hooper: Those privacy softwares, those privacy tools that cost money ostensibly to help pull you off of these lists, I don't believe in them and will not use them because they're not transparent about the nature of these databases, these data brokers, where do they get the data? Most of this is publicly accessible information. Did you buy a house? Do you own a boat? Do you have a car? Your information is somewhere. And it sort of resets month to month. So you're paying and they're saying, "We'll remove your data for you," knowing they can never do that.

It will never be truly gone because it comes back. It just resurfaces over and over again. And that's the profit model, and I think that that's gross. And so I would say what is a core principle that I recommend for people is you can't third party your data. You can't outsource your data privacy concept. What do you care about? Because paying money isn't going to fix it. You have to be engaged with who you share with, what is the nature of your privacy settings? And that's site by site. And you've seen it if you spend any time on social media and try to figure out how do I remove this? Why am I getting these weird ads? There are settings, but they're buried and that's on purpose. And I don't blame anybody for not being in the weeds on it, but just know that it's there.

And also know that if anybody's trying to sell you a product that's going to fix it, they are just whistling Dixie. It's not real and it's not going to work. You may as well just pay yourself and give yourself thirty minutes a week to go through your sites and figure out all your ... The password managers and stuff like that. Every time there's a data breach, just go have a look at who you've signed up with. Go through your own email. Most of those systems that you pay for, that's all they're doing. Go through your emails. Have I bought anything from this vendor in the last three years? If the answer is no, go and opt yourself out of their mailings or delete the account. They don't need the information. Don't allow them to profit off of your data for no reason. But really it's like just look. Just have a look. Most of it isn't going to make any sense, but look for it like, do they sell your data? That's the key one that I look for. And most people, most businesses don't say that anymore. They don't say that they'll sell data. They usually will say, "Well, we may share with third parties to better your experience." That might be advertising. Have a look at it. But just not to be overwhelmed because that's what they want is for you to be so overwhelmed that you don't engage. So don't get so overwhelmed that you can't engage with your own privacy anymore because then you're allowing them to make the decisions for you.

Pegah Parsi: I think that's the strategy for a lot of places is just to confuse and confound until you're saying, "Yeah, okay, I need this thing. Let's go." I agree with that. At the same time, that's a lot for everybody to do. It's hard to ask people to do that amount of work. And I think that's something that we as a society and regulators and industry associations really need to be thinking about that are we really going to put the entirety of this on individual folks to figure out? That's like saying we're going to put the entirety of climate change on whether or not everybody recycles their cans. Well, that's not the main thing. You need to hold industry to account and corporations and etc, etc. So there has to be different ways of figuring this out. The other thing, Sophie, I long ago gave up trying to be the cool person in my friend group. I'm a pariah of my friend group. My friends hate me. They hate me. I won't Venmo. There's a lot of things that they're like, "Well, let's do the ... " No. And it's okay. It's all right. Because sometimes that ends up being an educational thing for them. They'll roll their eyes and continue using Venmo, but at least they know. For me, it really is doing a quick risk assessment for myself. How badly do I need this thing and are there other alternatives to it that I can use? And then taking a split second to think about the product that I'm choosing to do, sometimes it is inconvenient and I just say, "All right, I'm going to be the inconvenient one." Sometimes I say, "This one's kind of low risk." I'll give them a fake birthday. I've been pretending to be in my thirties still. I'll pretend to be in my thirties still. It's all right.

So doing a quick risk assessment for yourself in that way, some things you're just going to do and some things you're going to decide not to. The other thing that I think is important, though it does get you some eye rolls, is to ask businesses. I have asked yoga studios, "Why do you need that?" And sometimes they're like, "I don't know. My boss tells me it's on this form." I'm like, "All right, can we ask your boss at some point?" I mean, I'm not going to be all, let me talk to your manager or anything like that, but sometimes I will like, "I don't know if you all need that. Can I give you something else?" And that way businesses start to recognize that we care. If there's just one Pegah asking this, Pegah is a huge pain in the ass and we can ignore her.

But if there's a Pegah and Tryphaena and a Sophie and a Jenay and they all ask this week, maybe we look at our form and take off the date of birth for signing up for yoga class ones. So I keep so important that we all be a little bit, "Get on my team and be annoying a little bit."

Sophie White: Be annoying. I like that. That might have to be the title of this episode. It's perfect.

Tryphaena Hooper: I've been known to say that I like to be annoying on purpose and I'm not sorry about it. I haven't been any fun since law school. That's just the way that it is. I always ask why. And I think privacy is asking why. Well, what do you need that for? I'm not saying I'm never going to give my birthday. I'm just curious. What does that have to do with anything? What do you need it for?

Pegah Parsi: Precisely. And we do that here in higher ed too. I can't tell you how many people I consult with and immediately you look at their form. It's like home address. When was the last time you used their home address? Do you use it for anything? Oh, no. Okay. Then just streamline your form too. Why are you making people fill this out and you're saving it for no reason? And do you actually need their full date of birth, or do you just need to know in the band of 20, 25? Reduce. It's also just good asset management. It also reduces the amount of stuff you have to be responsible for.

Sophie White: Right. And thinking about educating students, encouraging them to look through this line of inquiry is, again, good for all of us and especially students as they think about graduating from the institution and going out in the world. So I think that's a great point. I'm curious if you all have thoughts about, and Jenay, you might have thoughts on this too based on your research, but I've been thinking a lot since our EDUCAUSE Annual Conference and Dr. Joy Buolamwini's discussion. She wrote Unmasking AI and talks a bit about all of these privacy issues. She focuses specifically on facial recognition technology, but how they intersect with AI and obviously this huge proliferation of AI that we're seeing across higher ed and across the world. Do you think these conversations are the same in the midst of this AI hype that we're seeing, or do you see any elements changing as a result of the increase in AI technologies?

Tryphaena Hooper: I mean, at their core, I feel like they're the same conversation, which is really, well, why? Is this algorithm better than a person is? Who's checking their work? What if they make a mistake? What's the impact on the people that this is being done to? Do the people who are being scanned? Do they know that when they walk into the building or then they walk past that lamppost that isn't really a lamppost? And if not, why not? What are you trying to get at? And to me, that's always going to be the case, although the questions certainly get more nuanced and more frequent with the integration of AI into things. But anytime I see a shift from human decision-making to automated decision-making, I get curious and uncomfortable at the same time because I really want to better understand, okay, so what is the value proposition here?

Because I can see the risk, but I'm trying to understand the why. And with the proliferation across all of the software, including ed tech and non-ed tech that basically is ed tech because every school has it, you're not getting a lot of choice either.

Jenay Robert: Yeah.

Pegah Parsi: Go ahead.

Jenay Robert: No, Pegah, go ahead. Please.

Tryphaena Hooper: I've been talking about-

Jenay Robert: No, no. I think that AI has shed a light on some things that have been issues or concerns for a long time around data governance. And so data privacy, I think I would put on a long list of things that many of us in higher ed have been yelling about for a long time, but it wasn't so tangible to people. And so when you have something as tangible as I had a conversation with a chatbot and it seems to know everything about everything and that's really creepy and what does it know about me? I think that at least from where I sit with my line of research, that's where it starts getting people into these really valuable conversations that we wanted to have with them all along. And I'll reiterate, it's not just about data privacy when it comes to AI.

There are plenty of other data governance issues that just weren't real for people until AI came along. And then yeah, I think as Tryphaena mentioned, the fact that AI technologies are being integrated into just about everything, it's becoming even harder to avoid than in the past.

Pegah Parsi: Yeah. You're just throwing gasoline on the fire. There's only a tiny fire happening. You threw gasoline on it and now risks that were maybe negligible are now significant. For example, risks of re-identification, very, very significant. Risks of accidental disclosures, very, very significant in a way that they wouldn't have been before. I'll give one example. So I think many of us started using various products, whether from Google or Microsoft, that have access to the entire portfolio, all of the modules that exist. They have access to your Teams and your Outlook and your SharePoint and your OneDrive and your email, etc. And we'll glean information from that and give you highlights of your day or meeting insights or whatever it is that we're using these things for. That's all great and it might be useful. It might be very good for efficiency, productivity, etc. But what we found was that for years and years and years, all y'all were putting documents into whatever OneDrive or SharePoint and not checking your access restrictions. So everybody, you were saying like, "Okay, I need to send this to Jenay, but her email isn't filling in right. Let me just give it access to everyone in my organization. Who's going to look? Who's going to look at this?" They have to go digging for it. No one's interested in all of our HR codes or whatever. So you give access to everybody hoping that nobody looks. And of course, in the before times, before we had these tools, nobody was like, "It took a long time to go digging through to find that one thing that Jenay put of her research subjects, blah, blah, blah." But now at the click of a button, because now these products have access to everything you have access to, the click of a button are pulling things that you actually should never have had access to. So now all of a sudden, they're very readily disclosing information that you just had forgot about or it shouldn't have been there to begin with. 
It was a kind of a minor risk because no one was looking for it that's now all of a sudden on fire and that's something to be really mindful of.

Sophie White: I'm grinning sheepishly because I've definitely never done that before, but that-

Pegah Parsi: I don't do any of these things. I will put-

Sophie White: No, that's a really great point when we think about how the large language models can comb through things at a speed and with the power that we haven't seen before. So just making sure those foundational secure and privacy-first practices are in mind. So, we don't have a lot of time yet. I'd love to wrap up just thinking about higher ed institutions maybe being at different levels of their data privacy and maturity scale. So, both of you are chief privacy officers, correct me if I'm wrong, but I'm assuming that that means there's some intentional privacy work being done at your institutions. We know that other institutions don't have chief privacy officers or dedicated privacy officers at all. Are there any maybe quick wins that you could think about an institution could implement to really start their data privacy journey and start maturing their programs to protect data across the institution? I know a quick win isn't ever easy, but how can they start their data privacy journey, I guess?

Tryphaena Hooper: I mean, low hanging fruit is to start with compliance. When you start with regulatory compliance, what regs apply to us and are we following them? FERPA is an easy one to look for. Do we do what we're supposed to do with that? That's a quick win. Building relationships with the other units is a quick win you can also do just to get your hands around the, what data are we sharing? What do we even have and what do we do with it? That is not quick, but it is certainly a win and it's the core of a functional privacy program. It's kind of what you're going to have to do one way or the other, regardless of maturity level.

Pegah Parsi: Yeah, I agree with that. I think that compliance for us, complying with the law is the floor for us. We're always going to comply with it. We're never going to go below it. So if you're going to do absolutely nothing else, do some compliance. But note that just doing that is leaving a huge mountain of ethical and unregulated stuff that are probably either creepy or problematic or causing harm to people. So if you can, go way above what mere compliance would require to do from a privacy setting. But if we are doing bare, just get going, look at your compliance program. The other thing is to get some bite-sized trainings and awareness. I shouldn't say training because you need to have good policies and procedures to actually train on those, but to get some awareness and education out. So people just understand what privacy is and who to go to for a question.

Maybe if you want to be a little bit more, step it up just a little bit more, you could do how do you issue spot with privacy so you can go ask privacy person. You don't have to do it all on your own. If you see a privacy thing, hey, that's a resource for you. The other thing, completely self-serving, but just so everybody knows, my privacy training educational programs, seminars and workshops are open to anyone who wants to attend, they're free. I care about this so much that when I put them on, I put on privacy 101 for, again, anybody that wants to attend, it's not really even education, higher ed specific. When I teach as CPPC, it is higher ed specific. So it's a little bit different. But when I teach it generally, it's for anybody that wants to attend: kids, people from other countries, people from other walks of life, anybody can attend. So if you are looking for some free privacy stuff, I teach a Privacy 101 and I do a GDPR training that's free for anybody to attend. And you can find those at privacy.ucsd.edu. But I would say training or some basic education is education awareness.

Sophie White: That's great. We'll link that in the show notes, Pegah, the link to your website. And we also, the EDUCAUSE community is a fantastic resource too. People are really excited to collaborate about this topic. So definitely check out the Privacy Community Group if you're an EDUCAUSE member. Are there other community groups that folks should know about? That's the one that comes to mind for me.

Pegah Parsi: So there's two different community groups in EDUCAUSE. There's the Chief Privacy Officers one. That is if you have that position, you're invited to join. And then there's just a regular privacy people. That's anybody that's interested in privacy at all can be a member of that community group and people ask questions all the time and get feedback from folks. If you are a bigger privacy nerd, there's the International Association of Privacy Professionals. Take a look at their website, their wealth of knowledge, they have certifications, etc. That's sort of the premier thing in the privacy space.

Jenay Robert: I'd also plug the Cybersecurity and Privacy Professionals Conference from EDUCAUSE for anybody. I was really surprised the first time I went and I have made no secret on this podcast in the past of my ignorance when it comes to privacy and cybersecurity. And yet every time I go to that conference, I learn so much that just helps me as a human, let alone a professional in higher education. So I just do want to put that plug out there for anyone in higher ed. You might think, "I'm not going to go to that conference because I don't work in those fields." You will learn a lot if you go.

Sophie White: I would second that. I don't think I ever would've thought twice about filling out that yoga class waiver if I hadn't been to that conference, and it really has made me reevaluate just how I do a lot of things related to technology in the world. So I think it can really benefit anyone's career regardless of whether you're a privacy professional.

Pegah Parsi: I'm sorry if I made you the annoying friend.

Sophie White: You made me annoying.

Jenay Robert: And also while we're on the record-

Sophie White: I'm a hermit now.

Jenay Robert: And while we're on the record, Pegah, I strongly disagree with your self-assessment of being not cool. I just want to say that I think you're so cool and a lot of people think you're cool too. So I don't want you to talk about my friend like that anymore.

Sophie White: Winning all of your-

Tryphaena Hooper: Seconded. I think Pegah is really cool because when I started privacy, one of the first intake forms I've ever seen was yours that was actually super detailed. And you even had algorithmic decision making back before ChatGPT was a thing. So I was starstruck a little bit. I was like, "She's so cool."

Pegah Parsi: We all have different definitions of cool.

This episode features:

Pegah Parsi
Chief Privacy Officer
University of California, San Diego

Tryphaena Hooper
Chief Privacy Officer
University of Chicago

Jenay Robert
Senior Researcher
EDUCAUSE

Sophie White
Content Marketing and Program Manager
EDUCAUSE