Table of Contents

This chapter of the Information Security Guide will serve as a clearinghouse for sharing higher education privacy materials. While privacy is a discipline distinct from information security, sharing privacy information in this resource is appropriate given the many collaborations necessary between higher education information security and privacy programs to ensure the comprehensive protection of institutional data.

The initial process in developing an institutional privacy program is to understand the institution's approach to privacy, understand the different types of data used at the institution, and identify which laws and regulations are applicable to the institution's use of data. You will also want to get to know your stakeholders and other institutional privacy supporters.

Learn more about the General Data Protection Regulation (GDPR) and how it may affect your institution starting in May 2018.

Top of page

Overview

In the past few years, higher education institutions have begun to hire a growing number of individuals, often called Chief Privacy Officers (CPOs), dedicated to campus privacy and data protection concerns. Higher education institutions collect, store, use, transmit, disclose, and dispose of a wide variety of data every day. The data are varied and include research data, academic data, medical data, financial data, and the personally identifiable data of faculty, staff, students, alumni, and any other person that comes into contact with the institution. Concerns about privacy and data protection have risen in conjunction with the emergence of new technologies, the vast amounts (and variety) of data at play in the higher education environment, and how that data is being used. (See our brief list of the most common federal data protection laws, or visit the Higher Education Compliance Alliance Matrix.)

At the outset, it should be noted that privacy concerns are very different from security concerns, even though the two concepts are often used interchangeably. Information security activities are focused on protecting the confidentiality (i.e., only those authorized to see certain data have access to it), integrity (i.e., the data remains unchanged while it is processed in IT systems), and availability (i.e., data is available/accessible to users when they need it) of data.  

Privacy, on the other hand, looks at the privacy rights of individuals and the laws, practices, and norms about how information is collected, used, and disclosed. Within that very broad definition are two concepts:

Source: UC Berkeley (2016)

In the higher education context, issues around privacy are encountered daily. Consider the following brief examples:

All of these examples include privacy issues that need to be addressed. Privacy also contains a compliance component, as there are many laws and regulations that include privacy requirements. In addition to state laws, some of the more well-known federal privacy laws mentioned in the higher education privacy space include:

As institutions consider privacy issues, a number of responsibilities have evolved for individuals responsible for campus privacy activities and/or programs. Those responsibilities include:

Note: This chapter of the Information Security Guide will serve as a clearinghouse for sharing higher education privacy materials. While privacy is a discipline distinct from information security, sharing privacy information in this resource is appropriate given the many collaborations necessary between higher education information security and privacy programs to ensure the comprehensive protection of institutional data.


Top of page

Welcome Kit and Roadmap for Chief Privacy Officers in Higher Education

The Higher Education Chief Privacy Officers Working Group has created this resource to serve as a welcome kit for CPOs in higher education. The CPO Primer (part one) is intended to provide an overview and introductory body of knowledge to help new CPOs (or those new to higher education) better understand their job and the challenges unique to colleges and universities. The main audience for this document is a CPO or person with primary institutional responsibility for privacyThe CPO Primer covers the following topics:


  1. Privacy’s role in higher education and how the privacy officer and privacy function fit within a college or university’s organizational structure
  2. Key areas of focus and components of a privacy programs
  3. The relationship between (and balance of) privacy and security
  4. Basic information about federal, state, and international privacy laws applicable to higher education (appendix A)
  5. Common privacy frameworks and standards (appendix B)
  6. Professional resources that provide support or guidance and a brief list of recommended readings (appendix C)

The CPO Primer (part two) is intended to build on the guidance offered in the welcome kit and provide a roadmap describing how to kick-start or enhance your privacy program in higher education and how to operationalize it using some of the frameworks, key components, and resources mentioned in the welcome kit. In addition to offering ideas for framing your program and activities at the starting gate—as well as at the 100-day and one-year benchmarks—this roadmap offers practical guidance on how to build a program to address day-to-day privacy concerns in a higher education setting.

Top of page

Resources

HEISC Toolkits/Guides

 EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources

Top of page

Standards

ISO

NIST

COBIT

PCI DSS

2014 Cybersecurity Framework

HIPAA Security

ISO/IEC 29100:2011 (privacy framework)

800-53: Appendix J

N/A

N/A

Cybersecurity Framework: See methodology to protect privacy and civil liberties.

45 CFR 160
45 CFR 164
(note FERPA interplay in some instances)

Top of page


(question) Questions or comments? (info) Contact us.

(warning) Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).