The Privacy Landscape in the Academy (summary)

Created by Lida L. Larsen (EDUCAUSE) on February 01, 2008

This is a summary of “The Privacy Landscape in the Academy” presented at the 2008 Mid-Atlantic Regional Conference by Lauren Steinfeld, Chief Privacy and Institutional Compliance Officer, University of Pennsylvania.

This presentation was recorded for podcast and is available from the EDUCAUSE website. http://connect.educause.edu/blog/gbayne/educausepodcasttheprivacy/46109

A PDF of the slides is available at http://www.educause.edu/upload/presentations/MARC08/GS02/steinfeld%20privacy%20keynote%20MARC%2011608.pdf

Steinfeld discussed definitions of privacy, perspectives, privacy at the University of Pennsylvania and specific initiatives for an IT focus on privacy.

She began by defining privacy as the ability of a person to know about and often control information collected about them and the use and sharing of that information. In addition, she said security is a major component of privacy because of the focus on protecting confidential data from unauthorized access and disclosure.

We think of such questions as what is being done and what is being collected. Is there a choice of opt-in or opt-out? What is the access? Who can see what has been collected, and why, when, and how? Privacy is different from security, but they complement one another.

Steinfeld played an ACLU clip on what the world would look like to us if we had no privacy.   The clip is available at http://www.youtube.com/watch?v=RNJl9EEcsoE.

What we have in place to protect privacy includes legal and other standards such as FERPA, HIPAA, GLBC, PCI, FACTA, CAN SPAM, state breach notification laws, state SSN laws, electronic privacy policies, and CCTV policy.

Beyond the multitude of legal standards, there is significant public and press scrutiny on privacy matters, which are sensitive issues to people of all ages, incomes, ethnicities, political views, etc. The sensitivity is because of the personal nature of the issues.

Personal privacy rights clearinghouse lists 19 issues, from biometric technologies to medical records, RFID and more. (http://www.privacyrights.org/)

Per Ernst & Young the areas to look out for in 2008 are:

  • Data classification
  • Minimizing use of personal information
  • Evolving use of encryption
  • Standards for vendors and business partners
  • Telecommuting
  • Emergency preparedness
  • Privacy procedures at home and abroad
  • Keeping pace with privacy management technology

Steinfeld discussed privacy in relation to public opinion/action.

She recommended Microtrends by Mark Penn, who lives and breathes polls and surveys. The book is based on counter-intuitive facts and findings. In the area of privacy it was found that, out of 43 polls, everyone cares about privacy (Internet security, privacy, SSNs), but when there is a security breach:

  • incidence of takers on credit monitoring services is very low
  • little change in loyalty to institutions causing the breach

Also

  • opt-out rates are very low
  • online blogging, networking, etc., has increased, putting private data out for public consumption

Steinfeld said the bottom line is that there is a lot of variability in what people care about and what they actually do.

Steinfeld is one of many new privacy professionals. She said America’s legal and operational “handling” of privacy has evolved over the last 10 years. It has gone from reactive to proactive, but it is still siloed around laws, incident by incident.

Developments over recent decades that have contributed to the issues and to the growth of the profession include both the significant increase in databases, from a countable number in the 70s, when only a few industries had them, to countless sets of sensitive data in the hands of potentially millions today, and innovation in IT business structures, which has meant much newer collections and uses of data. The potential for things to go wrong has driven the new push, and this trend leads to more proactive privacy structures and more coordinated approaches.

  • The International Association of Privacy Professionals (IAPP) is only 6-7 years old and it has over 4,500 members across 32 countries. 
  • Additionally, certifications for privacy professionals are now available.

See Privacy Protection and Compliance in Higher Education: The Role of the CPO http://www.educause.edu/ir/library/pdf/erm0654.pdf

Steinfeld went on to discuss privacy at Penn.

She described the higher education context:

  • Wide variability in type of services and processes in higher education
  • More types of data (re types of stakeholders – students, parents, grad students, staff, faculty, etc)
  • More complex regulatory landscape
  • Decentralized operation and distributed, more open systems (not locked down as in most of industry)
  • Culture of independence in higher education takes various forms

and the Penn response:

  • Privacy Office with CPO – part of office of audit, compliance, and privacy
  • Privacy senior exec committee
  • Privacy liaisons in 33 schools/centers
  • Specialized committees and teams – IT privacy most active committee but also SSN remediation, SPIA coordination
  • Other key partnerships – IT Audit, ISC Info Sec off of Human Relations, general counsel, IT roundtable, provost office

and policies, guidance, programs

  • Confidentiality of student records
  • Confidentiality of staff and faculty records
  • Privacy of alumni data
  • Policy on privacy in the electronic environment – who can go into someone else’s computer and when
  • CCTV camera policy
  • (other policies)
    • Temporary workers policy
    • Incident response policy
    • Critical host policy
    • PCI policy
    • SSN Policy – new

They are providing guidance for the following situations:

  • Requests for mailing lists
  • Website privacy statements
  • Email standards – CAN SPAM guidance
  • Disposing of data and documents for people who have left Penn (new); what do you do for people who are deceased?

and new programs:

  • Security and Privacy Impact Assessments (SPIA)
  • Records destruction programs
  • Awareness (major program)
  • Almanac tips
  • Student, faculty, staff guides
  • Online training

She suggested visiting Penn’s privacy website (http://www.upenn.edu/privacy/)

The Privacy office works with IT daily on a number of things including:

  • Policy development
  • Policy compliance
  • IT audits
  • Scanning programs
  • Self-assessment tools
  • Incident response

How it plays out:

  • Website privacy statements
  • CAN SPAM guidance
  • SSN policy
  • SPIA
  • Secure file and transfer data
  • Login data – access and controls
  • Using automated tools to find sensitive data
  • Procedures for finding and/or wiping lost laptops (and when/what do you decide)
  • Work at home rules
  • PDA policy (currently in draft form)
  • Encryption and laptops

Steinfeld says the successful program was started by top-down influence, and grassroots development made it work. The environment is increasingly sensitive to privacy issues. They are looking at:

  • Risk equations – what risks, what controls, what challenges remain
  • Volume of data including unnecessary data
  • Number of people working with data
  • Volume of rules and best practices
  • Changing landscape

Virginia Tech’s STAR program was an excellent model for Penn’s development, including SPIA (process and tool). The people process is intended to raise awareness deep into the organization, and one of the things they have done is to establish a common vocabulary. You can find information about how the program was developed on the Penn privacy website. It includes a three-year planning cycle: conduct risk assessments (current and future state, probability times consequence scoring). For each system they have a tool which includes types of threats, current state, possible safeguards, and more.

They summarize the findings via an annual executive-level report process, which includes:

  • Observations
  • Impacts surpassed high expectations
  • Number of people brought in to privacy and security discussions
  • IT and operations components working closely together
  • Self-assessment, voluntary aspect –‘for you - not to you’
  • Opening dialogue
  • Roadmap
  • Community

Steinfeld mentioned that SSN cleanup is not an easy or overnight program:

  • Assignment of PennID broadly
  • Conversion utility to convert
  • Changes to central systems for PennID
  • Stronger security requirements
  • Development of local security officer role

Their SSN policy includes:

  • Third parties and institutional data
  • Risks posed by 3rd parties
  • Baseline protections – contract terms
  • Additional due diligence
  • Challenge to IT and privacy communities

In conclusion, Steinfeld said that the issues are numerous, distinctive, and changing.  Awareness and engagement are critical to the program because PEOPLE create understanding and change.

Q&A

Q:  Process gives form to something very complex, but how do you convince federal offices that your system is good even if it’s not the same?    A:  Just getting this question may be good because it will start other discussion.

Try to match SPIA controls with security controls

Q:  How do you navigate between paranoia and reason? A:  FTC is the watchdog for us on the credit reporting services.

Can’t tell what is legit and what isn’t quite often – but there are some indicators of who you can trust. 

Q:  How does a Chief Privacy Officer relate to the Chief Security Officer?  A:  Many of the project/programs are in concert – they don’t report to the same boss and expertise can be different but interest is the same.

Q:  To what do you attribute your success at getting attention?  (University of Minnesota has great awareness pieces)  A:  People are concerned and they know that they don’t know where all the info is and how to access it.  Do dog and pony shows.  People want to get in front of this because we’re nervous and we want to do the right thing and appreciate the road map to get there.

Q:  Do you have to alert people about the liability of what you find and do, or don’t do, about it?  A:  Be careful of what you write and what you promise.   (Don’t send proprietary information everywhere)

Q:  Spreadsheet of the spreadsheets (discussed earlier) – what about compiling the data and should it be used?   A:  Collective data with executive summary

People leading the effort will try to help manage the documentation

Q:  Grass roots approaches – do they pass muster with those who care?  A:  The privacy program is not a compliance effort – compliance efforts are separate – HIPAA etc., they have not put these out externally – it’s an internal tool.   Robust risk assessment tool and no one has asked for it.  If someone did ask for it, they could show HIPAA regulators the HIPAA documents but they are not the same and are not the driver for the privacy efforts at Penn.

Q:  Doesn’t the IT audit also do this?  A:  Yes – and they might recommend SPIA.  They were very involved in the development of the tool.   Security Review & Assessment at VA Tech - even if not a compliance program it is still more helpful.