A Wealth of Data, and Nobody in Charge - Chronicle.com: Via The Chronicle of Higher Education
Wanted: scout to look out for Big Brother and his cousin, Data Breach. Evangelist to spread the word about what information can be shared. A shredder abettor who knows what is nobody's business. This person should also be prepared to help our college recover from embarrassing headlines about Social Security numbers gone missing.
Colleges may soon be running ads something like that for chief privacy officers, a title so new in higher education that one campus public-relations official, when asked if his institution had a CPO, replied, "What in the blue blazes is that?"
Yet colleges capture a slew of highly sensitive information on everyone on campus. And while chief privacy officer has become a recognized title in the corporate world, higher education seems slow to pick up on the trend — a reluctance that could represent either head-in-the-sand thinking or fiscally prudent avoidance of bureaucratic bloat.
The International Association of Privacy Professionals, based in York, Me., shows only two college CPO's in its membership directory: Lauren B. Steinfeld, at the University of Pennsylvania, and Susan A. Blair, at the University of Florida. Some others have the responsibility without the title: Jane E. Rosenthal, for example, is privacy coordinator at the University of Kansas. And many other people, like those in academic medical centers, work on privacy issues from a departmental perspective.
Multifaceted Job
Compared with other organizations and businesses, colleges appear to have few employees dedicated to protecting privacy. The overall field is growing fast, says J. Trevor Hughes, executive director of the privacy association, which has 5,700 members and says it is adding 100 each month. But just 124 of those privacy officials are identified as from universities or colleges, according to Mr. Hughes.
"You can either be proactive about managing the risk at your institution, or you can pay the price afterward," says Rick N. Whitfield, a former vice president for audit and compliance at Penn and the University of Pennsylvania Health System.
Growing concerns about the potential for leaked information led Mr. Whitfield to hire Ms. Steinfeld in 2002. She is widely considered to be the first CPO in higher education.
It is a multifaceted job, she says: "You sometimes need to address IT, sometimes PR, sometimes law, sometimes customer relations, sometimes policy development, and often a combination of all of those." And don't forget paper trails: "You have to make sure you have a good shredding vendor."
A lawyer by training, Ms. Steinfeld served as a privacy officer in the Clinton administration's Office of Management and Budget. Before that she was an online-privacy adviser at the Federal Trade Commission.
At Penn, her office created a one-stop shop in 2005 for building privacy and security into databases and online systems. The program, called the Security and Privacy Impact Assessment, was designed to lead departments to consider how they handle and protect data.
Colleges must comply not only with health-privacy laws, like the Health Insurance Portability and Accountability Act (Hipaa), but also with laws on academic records, which are protected by the Family Educational Rights and Privacy Act (Ferpa), and laws on consumer information, which is covered by the Gramm-Leach-Bliley Act. And that compliance does not include state laws and campus regulations. With the impact-assessment program, Ms. Steinfeld says, departments don't have to draw their own map through the thicket: "We try to build it for them."
Ms. Steinfeld's hiring did not sit well with everyone, recalls Mr. Whitfield, who is now vice president and chief financial officer at Pace University. "There was a lot of passive-aggressive response to this position," he says. Criticism came from "within the university as well as nationally from peer institutions who basically went on record saying that we don't need this type of position."
Within two years major institutions, such as the University of California at Berkeley and the University of Texas at Austin, made headlines because of leaked or lost data. In 2006 a hacking incident at Ohio University exposed 20,000 Social Security numbers.
Still, there are real reasons behind the reluctance to hire chief privacy officers. Faculty members already complain about top-heavy administrations. The meltdown in the economy doesn't bode well for adding new positions. And a number of institutions already have specific Ferpa and Hipaa privacy officers; they may be leery of adding another person to the payroll.
That is particularly true if that person is called "chief." The median annual salary for privacy professionals is $137,000; for CPO's, it is $210,000, according to the privacy association.
Privacy Vs. Security
It's not unreasonable to ask why privacy protection cannot be simply added to the responsibilities of information-technology departments. After all, the siphoning of personal information from online databases looms as a common threat, and educational institutions regularly appear on lists that track security lapses around the country. More than a dozen data breaches in higher education are reported each month, according to Educational Security Incidents (http://www.adamdodge.com/esi), an online catalog compiled by Adam Dodge, assistant director of information security at Eastern Illinois University.
In 2007, Mr. Dodge says, employee mistakes were twice as likely as hackers to cause breaches, and the trend appears to be continuing this year. "One thing that continues to shock me," he says, "is this unauthorized disclosure of information, information that is just accidentally sent out to people."
In many places, information-security officers are responsible for plugging such holes. But privacy advocates say that is not enough. They argue that the job of security officers is to protect data that are already collected — not to ask whether the data should be captured and stored in the first place.