8/11/2019 How to Be a Chief Privacy Officer When Your University Doesn't Have One Yet (237149412)
http://slidepdf.com/reader/full/how-to-be-a-chief-privacy-officer-when-your-university-doesnt-have-one 1/21
Security Professionals Conference
May 7th 2014
Geoffrey S. Nathan PhD
Wayne State University
Bruce L. White MBA CRM PMP
Old Dominion University
1
Textbook
Resources
Reality
Geoff Nathan, Faculty Liaison, C&IT, Wayne State University
◦ informally, Chief Privacy Officer
◦ has been campaigning on campus for increased awareness of privacy and the need for policy for several years
Bruce White, University Records Manager/HIPAA Privacy Official, Old Dominion University
◦ responsible for implementing a campus-wide records management program
More information collected
Regulatory environment expanding
Unauthorized Access
Breach notification and enforcement
Personal mobile devices
Borderless technology
Cyber risk
◦ Phishing
◦ ‘Whoops, I must have dropped my thumb drive’
◦ Apple Picking
Management
Notice
Choice and consent
Collection
Use, retention and disposal
Access
Security for privacy
Training
Monitoring and enforcement
Federal:
◦ Family Educational Rights and Privacy Act (FERPA)
◦ Gramm-Leach-Bliley Act (GLB)
◦ Health Insurance Portability and Accountability Act (HIPAA)
◦ Children's Online Privacy Protection Act (COPPA)
◦ Fair Credit Reporting Act (FCRA)
◦ Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
State:
◦ FOIA/Privacy
◦ Recordkeeping requirements
‘Self’-Regulation:
◦ Payment Card Industry Data Security Standard (PCI-DSS)
Make new friends:
◦ Office of General Counsel
◦ Internal Audit
◦ HR Director
◦ Comptroller
◦ Provost
◦ VP Administration
And keep the old:
◦ CIO
◦ CSO
Talk to your new friends (or at least the old ones)
Collect some scary stories
◦ These days they are not hard to find:
    Target
    Heartbleed
    The flood of phishing messages
Make a general plan, perhaps following these suggestions
W5H
Categories:
◦ Personal Information
◦ Collection
◦ Uses
◦ Maintenance, Storage and Deletion
◦ Protection
◦ Applicable Laws
◦ Enforcement
Applicable Laws (inventory table, one entry per law)

Family Educational Rights & Privacy Act (FERPA)
◦ Official/Unofficial Citations: 20 USC §1232g; 34 CFR Part 99
◦ Protected Information Components/Elements:
    2) The name of the student's parent or other family members;
    3) The address of the student or student's family;
    4) A personal identifier, such as the student's social security number, student number, or biometric record;
◦ Governing Jurisdiction: US
◦ Data Classification: Highly Confidential
◦ Data Owner(s): 1) Registrar 2) Provost
◦ Data/Document Repository(s): 1) Banner 2) Blackboard 3) Banner Document Management 4) Shared Drives
◦ Retention: Student Record - Permanent
◦ Encrypt Data?: No

Virginia Freedom of Information Act
◦ Official/Unofficial Citations: COV §2.2-3705.4
◦ Protected Information Components/Elements:
    1) Scholastic records containing information concerning identifiable individuals
    2) Confidential letters and statements of recommendation placed in the records of educational agencies or institutions respecting (i) admission to any educational agency or institution, (ii) an application for employment, or (iii)
◦ Governing Jurisdiction: VA
◦ Data Classification: Highly Confidential
◦ Data Owner(s): 1) Registrar 2) Provost
◦ Data/Document Repository(s): 1) Banner 2) Blackboard 3) Banner Document Management
◦ Retention: Student Record - Permanent
◦ Encrypt Data?: No

Health Insurance Portability & Accountability Act (HIPAA)
◦ Official/Unofficial Citations: 45 CFR Parts 160, 162, & 164
◦ Protected Information Components/Elements:
    1) Name
    2) Postal address
    3) All elements of dates except year
    4) Telephone number
    5) Fax number
    6) Email address
    7) URL address
    8) IP address
    9) Social security number
    10) Account numbers
    11) License numbers
    12) Medical record number
    13) Health plan beneficiary #
    14) Device identifiers and their serial
◦ Governing Jurisdiction: US
◦ Data Classification: Highly Confidential
◦ Data Owner(s): 1) Student Health Services 2) College of Health Sciences 3) Athletic Department 4) Student Counseling
◦ Data/Document Repository(s): 1) Medicat (SHS) 2) Shared Drives
◦ Retention: 6 Years after last Action
◦ Encrypt Data?: Yes
Privacy office structure
Stakeholder involvement
Policy and notice
Embed into:
◦ IT system design and architecture
◦ IT Security
◦ Training and awareness
Respond
Governance Models: Advantages and Disadvantages

Centralized
• Advantages: Streamlines Processes and Procedures
• Disadvantages: Employees Not Decision Makers

Local/Decentralized
• Advantages: Places Decisions at Data Owner level; Bottom to top flow of information
• Disadvantages: Potentially Creates Duplication of Efforts

Hybrid
• Advantages: Offers Resources of Centralized Program; Decentralized Decision Making
• Disadvantages: Less Big Picture Vision
Key Stakeholders
◦ Human Resources
◦ Information Security
◦ Finance and Accounting
◦ Internal Audit
◦ Legal
◦ Provost/Faculty
◦ Registrar
Create Steering Committee
Establishing program parameters
Mission and scope
Definitions
Responsibilities
Restricted information:
◦ Safeguards
◦ Storage and use
◦ Retention and disposal
Violation:
◦ Investigation
◦ Response
Ad hoc: Program informal and inconsistently applied
Repeatable: Policies and procedures exist; may not cover all areas
Defined: Policies and procedures fully documented and implemented
Managed: Reviews conducted
Optimized: Regular reviews and stakeholder feedback
Decentralized – data controllers
Policies:
◦ HIPAA
◦ Data Classification
◦ Records Management
◦ Student Record (FERPA)
◦ Information Security
HIPAA Privacy Officer Assigned (Me)
Assessment in early stages
SSN Protection Steering Committee
Because of funding constraints, full-time CPO unlikely
AICPA Maturity Model (MM) Level - Repeatable
Previous President, alarmed by Freeh Report recommendation on data retention policies (WSU didn’t have any)
Set up committee to develop a policy and framework (yours truly as chair)
Issues like COPPA and a Web privacy policy being addressed on an ad hoc basis with speaker as central core on each
Ultimately will have a governance structure, although a CPO still unlikely in these budget days.
International Association of Privacy Professionals (https://www.privacyassociation.org)
Privacy Program Management, Russell R. Densmore
American Institute of CPA’s (www.aicpa.org)
CIO.gov (https://cio.gov/about/groups/privacy-cop/privacy/)
Electronic Privacy Information Center (epic.org)
StaySafeOnline.org
HealthIT.gov
Sample Video Surveillance Policy
Questions?