
Next Gen VPSA

Presenters

  • Josie Ahlquist, Research Associate and Instructor, Florida State University, @josieahlquist, josieahlquist.com
  • Dr. Ed Cabellon, Vice President for Student Services and Enrollment Management, Bristol Community College, @dredcabellon, edcabellon.com
  • Mordecai Brownlee, Vice President of Student Success, St. Philip’s College, @ItsDrMordecai
  • Angela Batista, Vice President of Student Affairs and Institutional Diversity and Inclusion, Champlain College, @drangelabatista
  • Dr. Tim Miller, @JMUTimMiller


This is my first session of the 2019 NASPA conference, and I’m well-rested and ready to learn! When I saw the title “Next Gen VPSA,” I knew I needed to attend this session 🙂 Today’s agenda: facilitated discussion around “purpose-driven digital leadership.” Any omissions or errors are mine.

Change: digital leaders accept and embrace change, calling on others to fill knowledge and skills gaps with technology.

Connection: digital engagement for campus leaders is built around relationships for genuine community building.

Personalization: a holistic approach humanizes both a leader’s campus position and their use of social media tools.

Strategy: campus leaders need to have a clear, yet flexible strategy that aligns their values and personality, as well as university objectives.

Legacy: the theory, practice, and pedagogy of leadership can be applied in a digital context to create meaning, build community and leave a legacy.

Question 1: How do you define “Next Gen VPSA?”

MB: more courses are moving online. SoMe is important for providing a level of representation of who you are and what your institution is about. It’s going to be a norm soon.

EC: I’m an early adopter and my research was around use of SoMe and tech by leaders in higher ed. When I became a VP nine months ago, I thought I’d be able to continue using SoMe the way I’d always used it…that came to a screeching halt! I’ve had to rethink how and why I use SoMe. It really helps when your president and board “get it.” I’m using MailChimp to help measure staff and student interest.

AB: being intentional and strategic is important. We need to be there for our staff and we need to keep learning. Our communication tools are most useful when we’re intentional about HOW we use them. Using it to share your true self is important because it appears in how you “show up.” I was able to respond to a student recently who had a less than ideal experience who said the campus did not care about students of color. Because I was on SoMe, I was able to respond directly to that student’s post.

MB: we’re able to respond in an immediate way…our students want to hear from us. These are opportunities for us to share that we see our students’ concerns, we hear our students’ concerns, and we care about them.

How do you balance your personal and professional accounts?

EC: I’m in a state role now. Because my FB account is intertwined with my personal life, I had to separate things. I do have an assistant that helps me out with things, but it’s still a lot of work to have multiple accounts.

JA: FB and Instagram allow you to have “branded pages” which are underneath the main institutional account.

AB: I intermingle my personal stuff with my professional stuff. I often will share articles, but that does not necessarily mean that I endorse them. If you’re going to do a branded page, make sure that it actually has value.

MB: make sure your SoMe has purpose! Really look at it! You need to evaluate what you’re looking at…ALL of it. You’re never “off” as a VPSA. SoMe is not a place to rant and rave.

EC: if you’re on Twitter, have a look at what lists you’re on. This is a good measurement of how people view you online.

MB: You need to have purpose behind your presence. You also need to be aware of what kind of interaction opportunities each platform presents. Some do not allow you to control things beyond the initial post. I am not an endorser.

JA: Instagram stories are the biggest ROI for younger people. Different intents for different platforms.

How much time do you spend on your SoMe?

TM: I have an assistant who I’ve given all my favorite books, and she provides motivational quotes M-Th, and I do things on Friday. I spend about an hour a day on mine.

AB: I spend most of my time on FB. I post at every event that I go to on campus, which helps with the student voice. Students who want me to amplify their voice, I ask them to tag me so that I can help them. It’s not about quantity, it’s about intent. It’s my way to build relationships.

MB: I spend less than 30 minutes a day on average. I check at the end of the day for sure.

How do you intentionally connect with staff and students?

AB: I don’t invite my staff to connect with me. If someone wants to connect, I really think about what that person wants from the relationship.

MB: if you’re a VP or senior student affairs officer, you should definitely have a conversation with your PR department. Be prepared to review whether your own personal material aligns with that of your institution.

How do you interact with your leadership team?

EC: Bring data to the table. Pick a platform that works best for your institution…even if it’s just one thing.

MB: I’m the only member of my cabinet that has a SoMe presence. You need to understand your campus culture…I push my president to be engaged with video and SoMe pictures.

AB: most of my colleagues are on SoMe, and they are growing their presence as a result of the posts that I’m making. In my opinion, it’s important to keep your opinions to yourself.

TM: I was the first on my cabinet to be on SoMe. Our PR team had an intervention with me. Students will pull you into very specific concerns…SoMe back-and-forth isn’t the place to resolve their concerns. However, I DO tell the students that I will meet with them individually to resolve their concerns.


Building Your Digital Transformation Ecosystem with LTI Advantage

This session moved pretty fast (and included some very dense slides which were impossible to capture in text), so any omissions or mistakes in my notes are entirely my fault!

Presenters

  • Rob Abel, CEO, IMS Global Learning Consortium
  • Michael Berman, Chief Innovation Officer and Deputy CIO, California State University, Office of the Chancellor
  • Vince Kellen, Chief Information Officer, University of California San Diego
  • Jennifer Sparrow, Senior Director of Teaching and Learning Technology, The Pennsylvania State University


What is LTI Advantage and IMS Global?

LTI Advantage (and Insights – for analytics) is a strategy as much as an interoperability standard. It’s an integration standard for LMS and tools that connect to an LMS. It’s based on OAuth2 and JSON web objects, plus extensions for names & roles provisioning, assignment and grade services, deep linking and custom extensions.

There are 25 LTI Advantage early adopters, which include the usual suspects like D2L, Canvas, etc.

LTI Insights

Which LTI-enabled tools are being launched?

  • How frequently and when?
  • For which courses?
  • Are the tools actually being used? By how many unique users?
  • What are the usage trends?
  • What types of devices? Mobile?
  • Which LTI-enabled tools received PII, and what information is shared, exactly?
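Several of these questions can be answered from a platform-side launch log. The sketch below is an added example, not code from the presenters or from IMS Global: it assumes each launch is logged with a hypothetical `tool` label plus the decoded LTI 1.3 launch claims, and that `APPROVED` is a hypothetical record of the fields each tool is allowed to receive. All sample data is constructed.

```python
from collections import defaultdict

LTI = "https://purl.imsglobal.org/spec/lti/claim/"
# Standard OpenID Connect claims an LTI 1.3 launch may carry about the user.
PII_CLAIMS = ("name", "given_name", "family_name", "email", "picture")


def launch(tool, sub, course, sourcedid=None, **pii):
    """Build one constructed log record (hypothetical log shape)."""
    claims = {"sub": sub, LTI + "context": {"id": course.lower(), "label": course}}
    if sourcedid:
        claims[LTI + "lis"] = {"person_sourcedid": sourcedid}
    claims.update(pii)
    return {"tool": tool, "claims": claims}


# Constructed sample data: six launches across three tools.
LAUNCH_LOG = [
    launch("quiz-tool", "u1", "BIO101", name="Ana Ruiz", email="ana@example.edu"),
    launch("quiz-tool", "u2", "BIO101", name="Ben Ito", email="ben@example.edu"),
    launch("quiz-tool", "u1", "CHEM200", name="Ana Ruiz", email="ana@example.edu"),
    launch("video-tool", "u3", "BIO101"),
    launch("video-tool", "u3", "BIO101"),
    launch("ebook-tool", "u4", "HIST300", sourcedid="sis-0042", email="cy@example.edu"),
]

# Hypothetical record of what each tool's agreement allows it to receive.
APPROVED = {"quiz-tool": {"name"}, "video-tool": set()}


def pii_received(claims):
    """Return the sorted names of personal-data fields present in one launch."""
    found = {c for c in PII_CLAIMS if claims.get(c)}
    # The LIS claim can carry the student information system's person identifier.
    if claims.get(LTI + "lis", {}).get("person_sourcedid"):
        found.add("lis.person_sourcedid")
    return sorted(found)


def summarize(launch_log):
    """Per tool: launch count, unique users, courses, and PII fields observed."""
    acc = defaultdict(lambda: {"launches": 0, "users": set(),
                               "courses": set(), "pii": set()})
    for rec in launch_log:
        claims = rec["claims"]
        row = acc[rec["tool"]]
        row["launches"] += 1
        row["users"].add(claims["sub"])
        ctx = claims.get(LTI + "context", {})
        if ctx.get("id"):
            row["courses"].add(ctx.get("label") or ctx["id"])
        row["pii"].update(pii_received(claims))
    return {tool: {"launches": r["launches"],
                   "unique_users": len(r["users"]),
                   "courses": sorted(r["courses"]),
                   "pii": sorted(r["pii"])}
            for tool, r in acc.items()}


def pii_exceptions(report, approved):
    """Tools that received PII beyond what was approved (unlisted tools: all of it)."""
    out = {}
    for tool, row in report.items():
        extra = sorted(set(row["pii"]) - approved.get(tool, set()))
        if extra:
            out[tool] = extra
    return out


if __name__ == "__main__":
    report = summarize(LAUNCH_LOG)
    for tool, row in report.items():
        print(tool, row)
    print("exceptions:", pii_exceptions(report, APPROVED))
```

A tool that never appears in `APPROVED` is treated as having no approved fields, so an unreviewed integration shows up in the exception list as soon as it receives any personal data.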

Why is this important?

LTI addresses 5 of the EDUCAUSE 2018 top 10 issues. Our orgs are often working with hundreds of suppliers, and integration is a BIG challenge.

JS: If a tool is IMS-compliant, it’s much easier for us to fast-track tools into our ecosystem.

MB: in our case, our system is a lot more decentralized so we’re trying to explain the value that LTI brings to our campuses.

VK: we want to make sure that our entire edtech ecosystem is LTI-compliant. It’s complicated and it’s not owned by any one entity. Standards of integration will help us to deliver a better teaching and learning environment.

JS: having the data streams come out in a way that does NOT require a lot of manipulation is a huge benefit for us and allows us to be more precise with our predictive analytics and helps us get our students to graduation.

RA: integration and analytics together – which LTI provides – allow us to do our jobs more effectively. Any supplier or institution can participate, which is probably unique to higher ed.

VK: data integration is a real rate limiter.

Question: what about extending LTI beyond the LMS, say, to the SIS? We’re working on that via the IMS EduAPI. EduAPI is a set of industry standard extensible APIs to support user provisioning, common source ID and administrative data exchange.

 


Gravitas and Grit: How IT Leaders Inspire Peak Performance

Presenters

  • Dianna Sadlouskos, Strategic Alliance Partner, Next Generation Executive Search
  • Joanna Young, Principal, JCYCIO
  • Melissa Woo, Senior Vice President for IT & CIO, Stony Brook University
  • Brendan Guenther, Director for Academic Technology, Michigan State University
  • Russell Beard, Vice President of Information Technology, Bellevue College

NOTE: any errors, omissions or inadvertent misrepresentations are completely my fault. This conversation moved quickly and there was a lot of audience participation my fingers weren’t quite quick enough to catch – I beg your indulgence, dear reader. – Paul

DS: No powerpoint today (yay!), we’re focusing on conversation today. Provided definition of “Grit” by Angela Duckworth (too long to capture).

DS – Question 1: How would you translate grit into your own personal path to leadership?

MW: “stick-to-it-iveness” was the key for me. I went through so many search committees, it was crazy. I incorporated feedback from coaches. Ask for feedback!

JY: first CIO job I applied for was an abject failure. The search consultant’s feedback was really helpful…it was tough, but amazingly helpful advice. Over prepare! Every meeting you have with your president is a new interview.

RB: you have to have the ability to be patient and learn to breathe.

DS – Any essential grit stories to share?

(Audience member) It’s not only about grit, it’s about the people surrounding you. So many people said “you were great!” which was not helpful as I needed. I interviewed for 13 jobs before I got the one I have now. Just keep going.

DS: just because you don’t get a job, it’s OK, you may still be a very good candidate…you’re not a failure!

DS – Do you think that Grit is something you can develop in people?

BG: I think so. Everyone hits bumps in the road, sometimes you don’t bring the right people onto your team, you have to be able to adapt.

MW: you have to consider tough love. I tend to force people into projects that they are not comfortable with so that they have the opportunity to grow.

JY: job for life is no longer the case. You have to be able to force yourself into a role you’ve never had before. I had no telecom in my background, but I ended up running the largest broadband project in my state (having “wicked smaht” people around me was a great help).

DS – Interest and Practice: is there a difference in how you guide development of these attributes in mid-level managers versus millennials?

BG: the things that you are (where and how you grew up, etc.) have a lot to do with how you think.

JY: I now work for a millennial, someone I hired as an intern. We are learning so much from one another…he is completely fearless. People earlier in their career tend to have a higher degree of confidence (let ’em fail fast and learn fast). However, I want to give them guide rails to keep them from crashing and burning.

MW: at a conference I was at last week, keynote was about “radical candor.” Millennials are not as delicate as you think! Treat them as they are early career.

DS – is there advice you can give the group about how you inspire practice in aspiring leaders?

(Audience member) I don’t give advice, I ask a lot of questions. People with good social IQ pick up on what you’re doing, and will work through things in their head. Set parameters “here’s where I don’t want you to go.”

(Audience member) Give the person permission to fail, but coach them back to success.

DS – How to inspire mid-level managers to engage and re-invigorate their interest?

JY: get a different job and/or a different team.

RB: you’re prepared and need to manifest the presence to perform.

How does talent versus effort impact leaders?

JY: effort is great, but you need to apply effort effectively. Don’t use a teaspoon when a backhoe is the tool you really need. Talent is like a big “T” – you may have depth in tech, but you need to have breadth in business, how your campus works and more.

BG: you have to have the ability to identify talent. For effort, being able to identify the right talent sets among different people to work together.

DS: Can you share examples of staff who were talented but struggled?

DS: Tiger Woods vs. John McEnroe

JY: some of those staff are people who run with scissors who are very talented but are a danger to themselves. Often these people think of themselves as the smartest people in the room.

(Audience member) The biggest issue with the smartest people in the room is the fact that many of them are unable to be coached.

(Audience member) Coaching those team members is really helpful. For my team, when hiring, the skillset comes second to the ability to work within a team.

JY: rhetorical question: what’s more important: technical skills, or ability to work with faculty? (scattered callouts of “faculty”).

MW: you need to be able to have the difficult conversations with people.

RB: Honest feedback is important and one of the most important things we do as leaders.

How do you encourage staff to take risks and grow?

JY: influence your environment to make failure acceptable, so long as learning occurs.

BG: our role as coach/mentor is to help our staff pull the layers of failure apart so as to teach lessons that they can grow from. You HAVE to be there when your people fail.

RB: questions like “you should think about” were great, not prescribing solutions was important for me.


Is Cloud Identity Ready for Higher Education?

Presenters:

  • Jon Allen, Assistant VP & CIO, Baylor University
  • Kevin Phan, Associate CIO, Pepperdine University
  • Mahmud Rahman, Director of Systems and Banner Services, Mills College
  • Dennis McDermott, CMO, SVP Global Marketing, Fischer International Identity LLC

Level Set

What was the state of your IDM efforts prior to your recent project? What were the biggest challenges you were addressing with your IDM deployment?

JA: we didn’t have a lot in the way of IDM. We had scripts, an Oracle database and batch files. Life cycle becomes difficult in situations like this! We knew we needed to manage it much better than we were. Should we build the car or drive the car?

KP: we’re similar to Baylor: disparate systems, everything was manual, Peoplesoft as system of record, AD authentication, batching and scripts for accounts management; no meaningful events for updating accounts. Going to an off-the-shelf system helped us manage things better.

MR: we had a pretty good system, fed data from Banner into LDAP. However, our system would break down, and our system didn’t do deprovisioning well.

Setting a Course

What components did you look for in an identity management solution? Which were most important to you and why?

JA: our search happened about four years ago. Traditional on-premises solutions were great and polished, but they didn’t necessarily work well with the systems we had on our campus. It was more a business and knowledge problem than a technical problem. Very few consultants understood our systems or what we do. We understood the routine functionality of in/out and when things were supposed to happen, but our edge cases were killing us. Audit was made difficult because access forms were being sent by email.

KP: it took us over a year to review the various vendors. Fischer’s system worked simply and easily for us…one connector to our Peoplesoft tables and we were ready to go.

MR: we’re a small school and we had to rely on others’ research to help guide us. We’ve been on hosted platforms for years now with Blackboard and Google, so our fear level was low. Vendors that understand the specific needs of students (meaning of stop outs, incompletes, etc.) were very important to us, and it’s surprising how few vendors actually do get this.

Resistance to Change?

How much resistance did you receive regarding outsourcing your IAM infrastructure? Who was resistant and how did you win them over? What would you say to those who prefer home-grown solutions?

JA: since I was the one bringing this project to the table, there was little resistance (I’m normally the one who slows projects down!). A big part of getting people on board was sharing what it would do for them as stakeholders, i.e. HR provisioning of new staff and faculty. Once HR saw what it would do for them, they were completely on board.

KP: we had political resistance. We overcame that by demonstrating cost savings with our CFO. We also were able to translate business value by showing reduction in number of help desk tickets. Convincing internal IT folk was the hard part…giving up control was WAY more challenging than it should have been.

MR: we had no resistance. Most people don’t see IDM as something important unless they can’t access resources. Sysadmins are no longer the ones who have to deal with the day-to-day ordinary functions. Our time spent on IDM is a lot smaller now.

Deployment

What was your approach for deploying IAM? How did you mitigate risk to achieve project success?

MR: we should have had more conversations with HR and Admissions first (there was turnover at the time, which continues). The people responsible for setting flags and attributes initially have moved on, so IT is playing a significant teaching role for the organization. The process allowed us to get a lot more granularity with respect to roles, which we accomplished before through creating exceptions (build exceptions into patterns).

KP: learning what our customers’ pain points were guided what we did first. Password management was a big problem, so we tackled that password self-service portal first. Second phase was the top 30 action codes in Peoplesoft. Most of the time, I had to “be a parent” to the project team when addressing challenges around control.

JA: we limited the scope of the systems to key systems first, including Banner and O365.

Sharing Outcomes

What are the top factors that made your project successful? What would you do differently? What would you say about home-grown IAM?

MR: we have a very smart Banner programmer! We also had a lot of cooperation from other IT staff, particularly sysadmins and the help desk. Our vendor also understood Banner well, which helped a lot. Also, my boss backed me up (huge). If I had to do anything differently, I would probably create more role granularity and more conversations with certain groups on campus like the provost’s office.

KP: top factors were understanding business value and translating to the business units. Understanding systems and data, looking a few steps ahead, identifying potential issues that might come up, having honest conversations with your team, all of these were important. What would I change? It took two years to complete because we didn’t apply enough resources to it.

Baylor Case Study

Why IDM? Security lifecycle, compliance, one of the main controls left. It’s the who, why, what, where, when of people accessing your systems. It’s the keys to the kingdom, it’s nothing sacred, it’s security.

IDM is hard! It’s the ultimate of integrations and it’s something we must have. Project failures are rarely technical. Systems worked where people understood higher ed and IDM. Consultants must know your business.

You need to clearly understand integration, UI (for follow-through and understandability), and you also need some flexibility to address special use cases.

Six months from start to Go Live. Staff must be bought in; testing is critical. Timelines are achievable if stakeholders are available and willing to work in a collaborative way.

Full provisioning: account creation, licensing managed and authorization. However, it doesn’t have to be completely automated. For example, we have a termination list: it replaces non-interactive emails and allows for an audit trail. Deprovisioning is the most critical part of IDM. When we flipped the switch, we had to deal with the edge cases, which allowed us to clean up a lot of the data (source of authority).
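A termination list with an audit trail amounts to a reconciliation between the system of record and the directory. The sketch below is an added example, not Baylor's or any vendor's implementation: the record shapes, the account names and the per-affiliation grace periods (including a longer one for students who have stopped out) are all assumptions, and the data is constructed.

```python
from datetime import date, timedelta

# Hypothetical policy: days an account stays enabled after the affiliation ends.
GRACE_DAYS = {"employee": 0, "student": 30, "stopout": 365}

# Constructed system-of-record extract (HR / student system). end=None means active.
PEOPLE = [
    {"id": "E100", "type": "employee", "end": None},
    {"id": "E101", "type": "employee", "end": date(2019, 3, 1)},
    {"id": "E102", "type": "employee", "end": None},
    {"id": "S200", "type": "student", "end": date(2019, 3, 1)},
    {"id": "S201", "type": "stopout", "end": date(2018, 1, 10)},
    {"id": "S202", "type": "stopout", "end": date(2018, 12, 15)},
]

# Constructed directory export.
ACCOUNTS = [
    {"uid": "asmith", "person_id": "E100", "enabled": True},
    {"uid": "bjones", "person_id": "E101", "enabled": True},
    {"uid": "gray", "person_id": "E102", "enabled": False},
    {"uid": "clee", "person_id": "S200", "enabled": True},
    {"uid": "dkim", "person_id": "S201", "enabled": True},
    {"uid": "epark", "person_id": "S202", "enabled": True},
    {"uid": "svc-print", "person_id": None, "enabled": True},
]


def decide(person, account, today):
    """Return (action, reason) for one account, or None when nothing is needed."""
    if person is None:
        # No source-of-authority record: route to a human, never auto-delete.
        if account["enabled"]:
            return "review", "orphan: no system-of-record entry"
        return None
    if person["end"] is None:
        if not account["enabled"]:
            return "enable", "active affiliation but account is disabled"
        return None
    cutoff = person["end"] + timedelta(days=GRACE_DAYS[person["type"]])
    if account["enabled"] and today > cutoff:
        return "disable", f"{person['type']} ended {person['end']}, grace expired {cutoff}"
    return None


def reconcile(people, accounts, today):
    """Build the audit trail: one entry per account that needs a change."""
    by_id = {p["id"]: p for p in people}
    trail = []
    for account in accounts:
        decision = decide(by_id.get(account["person_id"]), account, today)
        if decision:
            action, reason = decision
            trail.append({"date": today.isoformat(), "uid": account["uid"],
                          "action": action, "reason": reason})
    return sorted(trail, key=lambda e: e["uid"])


if __name__ == "__main__":
    for entry in reconcile(PEOPLE, ACCOUNTS, date(2019, 3, 15)):
        print(entry)
```

The function only reports decisions; applying them to the directory is left to whatever process owns the change, so the same output can serve as the review list and as the audit record.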

IDM is a life cycle. Identity is constantly changing, and perfection is not possible.

Lessons learned: communication (need more of it), wrong assumptions (you can’t assume that HR understands their role – they’re worried about payroll), we want real time access (mistakes like name changes or account deletions are real-time too). Testing is good, but you’re not going to catch everything.

Going forward: more integrations, further refinement, expanding reach to applicants.

Great results: account provisioning/removal smoother, processes are documented.


Student Privacy Boot Camp

Presenters

  • Michael Hawes, Director of Student Privacy Policy, US Department of Education
  • Amelia Vance, Education Policy Counsel, Future of Privacy Forum
  • Rachel Rudnick, Privacy Officer / Assistant Director, University of Connecticut


What is your top privacy concern?

Attendees have many reasons for being here (several on GDPR, the European Union’s privacy law – something International students will care about). I’m specifically here to learn more about the use of student data within web applications. For example, how do we let students know how we’re using their data, beyond ToS (Terms of Service) or EULA (End User License Agreement)?

Types of Risk

Keep in mind the “front page of the newspaper” kinds of risks, because that’s a significant driver on the perception side of things.

  1. An actual security or privacy risk
  2. Risk of not being in compliance
  3. Perception Risk

Michael Hawes’ Segment of the Session

By the end of this session, you’ll know a lot more about PTAC – Privacy Technical Assistance Center. This provides loads of guidance and tools you can use in your work.

ED’s role in protecting student privacy

  • We administer & enforce federal laws governing the privacy of student information (FERPA)
  • Raise awareness of privacy challenges
  • Provide tech assistance to schools, districts, states, colleges and universities
  • Promoting privacy and security best practices

What is Privacy?

Privacy and security are related, but not the same thing.

Privacy: “the state of being free from intrusion or disturbance in one’s private life or affairs.” Components include:

  • Info
  • Bodily
  • Territorial
  • Communications

Privacy Principles (from NIST):

  • Authority and purpose
  • Accountability
  • Data Quality and Integrity
  • Data Minimization and Retention
  • Individual Participation and Redress
  • Security
  • Transparency
  • Use Limitation

IT Security:

  • Focused on confidentiality
  • Integrity
  • Availability

Privacy and Security overlap at Confidentiality & Integrity, plus Accountability, Audit and Risk Management

FERPA 101

  • 43 years old, passed in 1974
  • Applies to all institutions receiving federal funds under any program administered by the Secretary of Education
  • Gives eligible students the right to access and seek to amend their education records
  • Protects personally identifiable information (PII) from education records from unauthorized disclosure
  • Requires written consent before sharing PII – unless an exception applies

FERPA definitions

PII is info that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

Education records are any records directly related to the student that are maintained by, or on behalf of, an educational agency or institution.

The Netflix Prize from a few years ago is a good case in point (algorithm to improve their movie recommendation engine). The de-identified data was able to be re-identified by data researchers, based on movie preferences! Favorite movie became highly identifiable information.
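Before a "de-identified" extract is released, the same risk can be measured by counting how many records share each combination of indirect identifiers (k-anonymity). The sketch below is an added example, not material from the session: the roster, the choice of quasi-identifiers and the threshold k = 3 are assumptions, and all rows are constructed.

```python
from collections import Counter

# Fields that are not names or IDs but can single someone out in combination.
QUASI = ("major", "birth", "zip")

# Constructed extract with direct identifiers already removed.
ROWS = [
    {"row": 1, "major": "BIO", "birth": "2000-03-14", "zip": "06268", "gpa": 3.4},
    {"row": 2, "major": "BIO", "birth": "2000-07-02", "zip": "06269", "gpa": 2.9},
    {"row": 3, "major": "BIO", "birth": "2000-11-30", "zip": "06260", "gpa": 3.8},
    {"row": 4, "major": "CS", "birth": "1999-01-09", "zip": "06105", "gpa": 3.1},
    {"row": 5, "major": "CS", "birth": "1999-05-21", "zip": "06106", "gpa": 3.6},
    {"row": 6, "major": "CS", "birth": "1999-09-17", "zip": "06107", "gpa": 2.7},
    {"row": 7, "major": "HIST", "birth": "1985-02-02", "zip": "06511", "gpa": 3.9},
    {"row": 8, "major": "BIO", "birth": "2000-01-25", "zip": "06268", "gpa": 3.0},
]


def class_sizes(rows, quasi):
    """Count records per distinct combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in rows)


def k_anonymity(rows, quasi):
    """Smallest group size: every record is hidden among at least k records."""
    return min(class_sizes(rows, quasi).values())


def at_risk(rows, quasi, k):
    """Row numbers whose quasi-identifier combination is shared by fewer than k."""
    sizes = class_sizes(rows, quasi)
    return [r["row"] for r in rows if sizes[tuple(r[q] for q in quasi)] < k]


def generalize(row):
    """Coarsen the quasi-identifiers: birth date to year, ZIP to 3-digit prefix."""
    out = dict(row)
    out["birth"] = row["birth"][:4]
    out["zip"] = row["zip"][:3] + "**"
    return out


def release(rows, quasi, k):
    """Generalize, then suppress any record still in a group smaller than k."""
    coarse = [generalize(r) for r in rows]
    drop = set(at_risk(coarse, quasi, k))
    return [r for r in coarse if r["row"] not in drop]


if __name__ == "__main__":
    print("raw k:", k_anonymity(ROWS, QUASI))
    coarse = [generalize(r) for r in ROWS]
    print("still at risk after generalizing:", at_risk(coarse, QUASI, 3))
    out = release(ROWS, QUASI, 3)
    print("released rows:", len(out), "k:", k_anonymity(out, QUASI))
```

In the constructed roster every raw record is unique, and coarsening alone still leaves the one adult learner identifiable, which is why the release step also suppresses small groups.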

  • Directory information exception
  • Students don’t attend school anonymously
  • Allows schools to release certain information without consent. A few examples:
    • name, address, telephone, electronic mail address
    • date and place of birth
    • photographs
    • weight & height of athletes
  • Schools/Districts must designate data elements they consider to be directory information. Common uses: yearbooks, concert programs, telephone directories.
  • Students have a right to opt-out of disclosures under the directory information exception.

School Official Exception: schools or LEAs can use the school official exception to disclose education records without consent to a third party if the 3rd party:

  • performs a service / function the school would otherwise do themselves
  • under direct control of the school / district
  • uses education data in a manner consistent

Health or Safety Emergencies Exception

  • Disclosure necessary to protect health & safety of the student or others
  • Articulable threat to health or safety
  • Typically law enforcement

Parents of Dependent Students

  • A school may choose to disclose, without the student’s consent, a student’s ed record to that student’s parent if the student is a dependent for IRS tax purposes.

Judicial Orders & Subpoenas Exception

  • School may disclose PII from ed records necessary to comply with a judicial order or lawfully issued subpoena
  • Reasonable effort to notify eligible student of the order before complying with it
  • Some judicial orders and subpoenas are exempt from FERPA’s notification requirement

Financial Aid Exception

  • Ed records may be disclosed in connection with financial aid

Studies Exception

  • Permits disclosure of PII that are for or on behalf of the school for developing, validation, or administering predictive tests
  • Administering student aid programs
  • Improving instruction
  • Must specify purpose, scope, duration

Attendee question: what counts as consent?

  • Must be written (electronic must be authenticated).
  • Has to specify PII that will be disclosed
  • Has to specify category of people it’s going to
  • Has to specify purpose
  • Has to be voluntary (for example, it cannot be waived in a “blanket ToS” at the beginning of the term)

Data Governance, Online Services, and Predictive Analytics

  • Increase in data silos at IHEs and the importance of Data Governance
  • Guidance on Protecting Student Privacy while Using Online Educational Services (2014) and Model Terms of Service (2015)
  • Be mindful of privacy and ethics when using predictive analytics in higher education

HIPAA

  • If an institution keeps student medical records, HIPAA (generally, but not always) applies, not FERPA
  • Student and treatment records can be very complex! Engage counsel when working with this data

As recipients of federal student aid, universities are financial institutions under the Gramm-Leach-Bliley Act.

Audience question: is there a NIST standard for transmitting FERPA data? Yes! When in doubt, ask the school about their requirements for PII.

CASE STUDY 1: DATA BREACH

Knowing how to respond when you’ve had a data breach can be really helpful. Think about each of the roles needed in your org. The full extent or impact of a data breach is rarely known up front. Don’t get ahead of yourself.

We broke up into groups and discussed the following:

  • Public & Internal communications/Messaging
  • Response Plan

Things to consider:

  • How can you prevent this in the future?
  • Policies & Procedures
  • Central # to call should they have questions
  • FERPA training implemented in any way? Whoever would respond to such breaches should definitely be trained.
  • Have reporting obligations changed?

Federal Laws and Actions

  • FERPA rewrite
    • Potential rollback of 2008/2011 updates
  • Several student data privacy bills introduced in Congress in 2015 and a FERPA re-write may pass in 2018. One bill has been re-introduced in 2017 so far.
  • 40 states have passed 126 laws since 2013
  • Over last 5 years, states have enacted over 100 laws governing how schools and their service providers collect, use, and protect student data

Unintended Consequences

  • Words matter: definitions and vague language; governance needed
  • Fear-based policies
  • Privacy problems with privacy legislation
  • Need for input
  • Penalties

Big case of unintended consequences: LifeTouch (a billion-dollar photo vendor) is impacted and engaged politically because photos can be classified as PII. What do they sell? Yearbooks.

Interesting Trends

  • Governance
  • Transparency
  • Contracts
  • Opt-in or Out Requirements
  • Device and social media privacy
  • Audits
  • Training
  • Penalties (financial & criminal)

State Laws

  • Of 106 state laws passed on student privacy since 2013, only 26 are applicable to higher education.
  • Most laws discussing higher ed either do not differentiate between private or public institutions of higher ed, or only apply the law to state schools.
  • Reflects a perceived inability by state legislators to govern private institutions of higher education.

Lack of laws

  • 75% of data breaches occur in higher ed, so it’s surprising that there aren’t MORE laws governing data breaches in higher ed.
  • In total, 19 states since 2014 have passed laws that included at least one provision targeted at researchers. Most of these are governance-focused, but some are far more restricted.

What is Driving These Laws?

Typical comments that encapsulate what’s driving these laws:

  • “What is ed research, and why do I care about it?”
  • “Researchers are able to get access to student data and use it for whatever they want”
  • “Parents should always be allowed to opt their child out of research that will not directly improve their child’s ed or help their child in some direct way”
  • Beyond IRBs

Rachel Rudnick, University of Connecticut Privacy Officer

I think of my role as mostly a compliance function. How many campuses have a privacy office and officer? It differs from campus to campus; there’s no one way to manage it.

Do you have a designated Privacy Officer?

  • What is a privacy officer?
  • Privacy vs. Information Security
  • Privacy Office
  • Centralized function vs. embedded?
  • Just part of someone’s job?

Where Should Privacy Report?

  • Compliance (good place to start, should have buy-in of C-suite)
  • Legal
  • IT
  • Audit
  • Provost
  • Registrar
  • President/Board
  • Nowhere? Everywhere?

Models to Consider

  • Compliance/regulatory function vs. Program
  • Centralized vs. distributed (embedded)
  • Big picture comprehensive program vs. regulation-by-regulation
  • Reactive vs. Proactive approach

What is Privacy?

This is a gross oversimplification, but this helps folk understand privacy a little better, especially when they need to call someone for help:

  • Privacy is the WHAT
  • Security is the HOW

What does a Privacy Officer Do?

  • Does not mean I have a “Do Not Disturb” sign on my door!
  • Knowledge of ever-evolving rules
  • Oversee program
  • Serve as privacy resource/Subject Matter Expert
  • Write and possibly enforce policies
  • Review/draft contract language
  • Assist/provide guidance to faculty, staff, students, constituents
  • Investigate concerns/complaints
  • Educate/conduct training
  • Breach mgmt
  • Internal/external communication
  • Create and maintain relationships/partnerships
  • Work hand-in-hand with the ISO
  • Be a team player > committees, committees, committees…

To manage privacy properly on a campus, you need great partnerships!

Partnerships & Collaboration with Stakeholders

  • ISO
  • Legal
  • Audit
  • Risk Mgmt
  • Senior Mgmt (buy-in, elevator speeches)
  • Functional Offices (registrar, bursar/financial aid, research compliance/sponsored programs, HR/Payroll, Health-related units, etc.)
  • Compliance Cowboys: liaisons to support your efforts; train the trainer

Tools

  • Data inventories
  • Records retention & Info Mgmt strategies
  • Privacy Impact Assessments (PIA)
  • Maturity Modeling
  • Nymity’s comprehensive approach
  • Beg, borrow and steal from colleagues

External resources

  • HE-CPO group (supported by EDUCAUSE)
  • IAPP
  • Law firms
  • Vendors (webinars, free tools)
  • NACUA/AACRAO
  • FERPA|Sherpa
  • PTAC

Want to Be a Privacy Officer?

EDUCAUSE has resources, search for Higher Ed CPO Primer, Parts 1 & 2 on their web site

 
