Nota bene: After the recent decision by the U.S. Supreme Court in Dobbs v. Jackson Women’s Health Organization, the authors debated whether this article, with its express call to action in support of privacy, was rendered moot with the court’s tacit elimination of constitutional privacy rights. Rather than fall victim to the cynicism and feeling of hopelessness that the recent decision has engendered in our hearts and our country, we choose to advocate on the side of privacy.
Having had the honor of watching the practice of privacy grow within higher education for the past 20 years, we argue there can be no better time to examine the role of the modern privacy officer in higher education and to propose a new paradigm to support our rapidly changing technology environment.
In the 20-odd years since Lauren Steinfeld created the pioneering privacy program in higher education at the University of Pennsylvania, chief privacy officers have become widespread as colleges and universities have struggled to comply with a host of privacy regulations. The dominant higher education model for the role of CPO is heavily borrowed from industry. At many colleges and universities, the privacy office and CPO role are closely aligned with the general counsel and information security and risk management offices. The focus of these roles is on the administrative and management functions of compliance and risk reduction, including involvement in privacy incident response, policy creation, data governance and employee training. At their core, these are compliance-related functions.
These compliance functions occupy the bulk of the operational duties of most privacy officers. Have we adhered to state or federal privacy regulations? Are we collecting consent as required by law or policy when collecting personally identifiable information? Do we have adequate privacy notices in place to meet our legal obligations?
We see many campus privacy officers relegated to privacy positions that focus only on compliance or risk management activities. Buried in legal counsel offices or sitting side by side with information security and technology professionals, the campus privacy officer becomes far removed from the appropriate use, advocacy and ethical issues that are at the heart of most debates about privacy. This outmoded model fails to account for the complexities of modern technology and the ethical questions regarding data use that higher education must confront.
Moving Beyond Compliance
Does this industry-based archetype fully serve higher education? We argue it does not. As an industry whose product is knowledge and research, the relationship between the institution and its data subjects—namely students, faculty and staff—is multifaceted and more tangled than that of a commercial transaction. Colleges and universities serve not only as educators, but landlords, food service providers, health-care providers, employers and research enterprises. And the rapid expansion of artificial intelligence and machine learning has brought ever-expanding challenges to the traditional compliance-focused campus privacy practice.
Consider the following examples of privacy-related questions that campuses confront daily:
- Should institutions analyze student learning data across many courses and in various information systems to support student success initiatives?
- Should technology-driven student success systems import “gray data,” such as network connection time, library access, dining hall food purchases and learning management system access, to paint a fuller picture of a student’s learning experience to offer remedial or additional services to the student? (We use the term “gray data” here to refer to unstructured data like automatically generated log data that may include an identifier that can be used to link that data to an identifiable person.)
- During a global pandemic, how much information should be collected from students, faculty and staff to perform contact tracing and verify testing and vaccination status? Should students, faculty and staff be required to wear a BioButton?
- What types of online proctoring solutions effectively combat online cheating, and do systems that scan a student’s surroundings (like a bedroom) pose privacy concerns?
- Can device connections to campus Wi-Fi networks be used to study which campus areas are visited most frequently by different populations to analyze trends as disparate as crime rates or dining hall capacity?
- Can webcams share a feed on a publicly available webpage to show how busy a computer lab is?
- Should the institution share a wellness app with students, faculty and staff to try to proactively identify campus community members who are suffering from mental illness and may hurt themselves or others?
These questions are wicked hard. They are hard to solve because technology evolves quickly, different populations have wildly divergent views on privacy and how personal data should be used, and the “right” answer to the underlying question depends on institutional context. Embedded in these questions about the use of technologies on campus are issues of power (the power of the institution, and its faculty and administrators, to compel students to submit to certain technologies or surveillance); issues of agency (what ability do individuals have to place limits on the institution’s use of their data or likeness); and issues of equity (how does the use of certain technologies or data sets disadvantage already marginalized individuals?).
Privacy laws and regulations often only address one part of the analysis: Can we do this legally? They rarely help answer the second part of the analysis: Should we do this? The “should we do this” question is an imperative inquiry for higher education and speaks to two privacy-related functions that are critical: privacy advocacy and appropriate use.
Privacy Advocacy and Appropriate Use
In our opinion, privacy advocacy is the most essential function of the campus CPO, and perhaps the least mature function at most institutions. Technology now mediates almost all collaborative and academic work, and many of the questions facing higher education institutions are precisely at the intersection of instrumentation, artificial intelligence and machine learning, and human behavior. Personally identifiable information is the fuel for this complicated machine. Campuses need a privacy advocate who understands and applies privacy principles and the strategic use of this information. The campus CPO is in the best position to serve as an advocate for protecting the data and the individuals that the data represent.
Privacy advocacy activities also feed into questions of appropriate use of personally identifiable data. Appropriate use is well understood in the information technology context: it addresses the accepted and allowed uses of technology. There must be an appropriate use corollary within the campus privacy office that scrutinizes proposed data use on campus and ensures that use aligns with a campus philosophy regarding the acceptable use of the personal data of students, faculty and staff.
An effective CPO will recognize that the institution’s posture toward privacy is one of consensus and acknowledge the notion of shared governance as codified in the culture of higher education. In short, CPOs play a key role in discussions about appropriate use but cannot use their personal privacy philosophies as a proxy for the institution’s stance. The CPO instead drives institutional conversations and consensus around whether the intended use of personally identifiable data meets the institutionally established determination of appropriate use, moving the institution toward a shared culture that values privacy.
While it may seem counterintuitive to argue that privacy needs an advocate, many of the privacy issues facing institutions absolutely require a privacy advocate who has a keen sense of what constitutes appropriate use. The CPO essentially serves as an ombudsman to negotiate privacy concerns.
A Call to Activism: Designing the CPO 2.0
We argue that the role of the campus privacy officer should be restructured into two distinct and only loosely coupled roles with crisply defined scopes—that of a privacy compliance analyst and a chief privacy officer, version 2.0.
As its name implies, the privacy compliance analyst is an internally facing administrative position that addresses the privacy management functions discussed at the beginning of this essay. The CPO 2.0, on the other hand, is an academic officer occupied with questions about the appropriate use of data and charged with engaging the academy in a public privacy debate.
The division proposed here liberates the chief privacy officer to focus on the ethical, moral and core civil rights concerns around the appropriate use of personal information—“should we do this” concerns that are best addressed by a campus officer who is a member of the academy. The privacy compliance analyst, embedded in administrative structures focused on compliance and risk management, addresses legally permissible uses of data and answers the “can we do this” question. (Though, we note, this should not be understood as a prohibition on advocacy by the privacy analyst. Indeed, anyone who worries about data handling must find ways to speak for those whose data are at risk.)
The advocacy role called for in this essay not only acts as an ombudsman, representing the privacy interests of students, faculty, staff and other institutional stakeholders, but also acts as an institutional officer, balancing advocacy with the very practical needs of the institution. We saw this leadership role on display throughout the higher education response to the COVID-19 global pandemic. As universities raced to collect the information needed to perform contact tracing and testing, students, faculty and staff were disinclined to trust the institutional need for this information and were reluctant to share their information for fear that it would not be properly protected. Many of these campus community members were, and continue to be, skeptical of employers and educators encroaching into matters of medical records and health. This hesitation required aggressive communication campaigns to respond to the concerns voiced by our communities. During one of the most challenging times most of us will ever experience, we witnessed a rare opportunity for the chief privacy officer’s leadership role to be on full display at the highest levels of the institution.
Chief Privacy Officers as Public Intellectuals
We aim to create clarity around roles and responsibilities at a time when many institutions are pondering how to best place and rightsize privacy programs. We hope our proposal will energize our higher education communities to meaningfully engage with challenging questions of appropriate use of data while freed from the constraints of mere regulatory compliance.
As issues of data privacy rage across our headlines and the halls of Congress, universities can no longer spectate from the bleacher seats. We must stake our claim as a moral, civil and intellectual voice for privacy.
Privacy advocacy is closely related to the notion of academic freedom that higher education institutions hold dear. The exercise of intellect, the free and expansive exploration of thought, both personal and collaborative, forms the spine of the body academic. It is what permits our faculty to act as public intellectuals and counsel to government and society writ large.
While the global information ecosystem has become thoroughly dominated by the great corporate data brokers, higher education’s contributions to the national dialogue on privacy are most notable for their absence. Conversations about preserving privacy have lost out to questions of “how much” privacy can be clawed back. But higher education’s role has long been to help steer national policies that shape society. A community of chief privacy officers who are public intellectuals in the finest academic tradition creates the opportunity and space where academic engagement on the brutally complex and nuanced issues surrounding privacy, surveillance and our expanding digital identities can flourish.