
How to Be a Chief Privacy Officer When Your University Doesn't Have One Yet (237149412)


Page 1

8/11/2019 How to Be a Chief Privacy Officer When Your University Doesn't Have One Yet (237149412)

http://slidepdf.com/reader/full/how-to-be-a-chief-privacy-officer-when-your-university-doesnt-have-one 1/21

Security Professionals Conference

May 7th 2014

Geoffrey S. Nathan PhD, Wayne State University

Bruce L. White MBA CRM PMP, Old Dominion University

Page 2

Textbook

Resources

Reality

Page 3

Geoff Nathan, Faculty Liaison, C&IT, Wayne State University
◦ informally, Chief Privacy Officer
◦ has been campaigning on campus for increased awareness of privacy and the need for policy for several years

Bruce White, University Records Manager/HIPAA Privacy Official, Old Dominion University
◦ responsible for implementing a campus-wide records management program

Page 4

More information collected

Regulatory environment expanding

Unauthorized access

Breach notification and enforcement

Personal mobile devices

Borderless technology

Cyber risk
◦ Phishing
◦ ‘Whoops, I must have dropped my thumb drive’
◦ Apple picking

Page 5

Management

Notice

Choice and consent

Collection

Use, retention and disposal

Access

Security for privacy

Training

Monitoring and enforcement

Page 6

Federal:
◦ Family Educational Rights and Privacy Act (FERPA)
◦ Gramm-Leach-Bliley Act (GLB)
◦ Health Information Portability and Accountability Act (HIPAA)
◦ Children's Online Privacy Protection Act (COPPA)
◦ Fair Credit Reporting Act (FCRA)
◦ Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

State:
◦ FOIA/Privacy
◦ Recordkeeping requirements

‘Self’-Regulation:
◦ Payment Card Industry Data Security Standard (PCI-DSS)

Page 7

Make new friends:
◦ Office of General Counsel
◦ Internal Audit
◦ HR Director
◦ Comptroller
◦ Provost
◦ VP Administration

And keep the old:
◦ CIO
◦ CSO

Page 8

Talk to your new friends (or at least the old ones)

Collect some scary stories
◦ These days they are not hard to find:
  Target
  Heartbleed
  The flood of phishing messages

Make a general plan, perhaps following these suggestions

Page 9

W5H

Categories:

Collection

Personal Information

Uses

Maintenance, Storage and Deletion

Protection

Applicable Laws

Enforcement

Page 10

Applicable Laws (inventory table; one record per law, with the columns Governing Jurisdiction, Applicable Law, Official/Unofficial Citations, Protected Information Components/Elements, Data Owner(s), Data Classification, Encrypt Data?, Data/Document Repository(s) and Retention)

Governing Jurisdiction: US
Applicable Law: Family Educational Rights & Privacy Act (FERPA)
Official/Unofficial Citations: 20 USC §1232g; 34 CFR Part 99
Protected Information Components/Elements:
  2) The name of the student's parent or other family members;
  3) The address of the student or student's family;
  4) A personal identifier, such as the student's social security number, student number, or biometric record;
Data Owner(s): 1) Registrar 2) Provost
Data Classification: Highly Confidential
Encrypt Data? No
Data/Document Repository(s): 1) Banner 2) Blackboard 3) Banner Document Management 4) Shared Drives
Retention: Student Record - Permanent

Governing Jurisdiction: US
Applicable Law: Health Insurance Portability & Accountability Act (HIPAA)
Official/Unofficial Citations: 45 CFR Parts 160, 162, & 164
Protected Information Components/Elements:
  1) Name
  2) Postal address
  3) All elements of dates except year
  4) Telephone number
  5) Fax number
  6) Email address
  7) URL address
  8) IP address
  9) Social security number
  10) Account numbers
  11) License numbers
  12) Medical record number
  13) Health plan beneficiary #
  14) Device identifiers and their serial
Data Owner(s): 1) Student Health Services 2) College of Health Sciences 3) Athletic Department 4) Student Counseling
Data Classification: Highly Confidential
Encrypt Data? Yes
Data/Document Repository(s): 1) Medicat (SHS)
Retention: 6 Years after last Action

Governing Jurisdiction: VA
Applicable Law: Virginia Freedom of Information Act
Official/Unofficial Citations: COV §2.2-3705.4
Protected Information Components/Elements:
  1) Scholastic records containing information concerning identifiable individuals
  2) Confidential letters and statements of recommendation placed in the records of educational agencies or institutions respecting (i) admission to any educational agency or institution, (ii) an application for employment, or (iii)
Data Owner(s): 1) Registrar 2) Provost
Data Classification: Highly Confidential
Encrypt Data? No
Data/Document Repository(s): 1) Banner 2) Blackboard 3) Banner Document Management 4) Shared Drives
Retention: Student Record - Permanent

Page 11

[slide image; no text captured]

Page 12

Privacy office structure

Stakeholder involvement

Policy and notice

Embed into:
◦ IT system design and architecture
◦ IT Security
◦ Training and awareness

Respond

Page 13

Governance Models (model, advantages, disadvantages)

Centralized
  Advantages:
  • Streamlines processes and procedures
  Disadvantages:
  • Employees not decision makers

Local/Decentralized
  Advantages:
  • Places decisions at data owner level
  • Bottom to top flow of information
  Disadvantages:
  • Potentially creates duplication of efforts

Hybrid
  Advantages:
  • Offers resources of centralized program
  • Decentralized decision making
  Disadvantages:
  • Less big picture vision

Page 14

Key Stakeholders:
◦ Human Resources
◦ Information Security
◦ Finance and Accounting
◦ Internal Audit
◦ Legal
◦ Provost/Faculty
◦ Registrar

Create Steering Committee

Establishing program parameters

Page 15

Mission and scope

Definitions

Responsibilities

Restricted information:
◦ Safeguards
◦ Storage and use
◦ Retention and disposal

Violation:
◦ Investigation
◦ Response

Page 16

Ad hoc – Program informal and inconsistently applied

Repeatable – Policies and procedures exist; may not cover all areas

Defined – Policies and procedures fully documented and implemented

Managed – Reviews conducted

Optimized – Regular reviews and stakeholder feedback

Page 17

Decentralized – data controllers

Policies:
◦ HIPAA
◦ Data Classification
◦ Records Management
◦ Student Record (FERPA)
◦ Information Security

HIPAA Privacy Officer Assigned (Me)

Page 18

Assessment in early stages

SSN Protection Steering Committee

Because of funding constraints, full-time CPO unlikely

AICPA MM Level - Repeatable

Page 19

Previous President, alarmed by Freeh Report recommendation on data retention policies (WSU didn’t have any)

Set up committee to develop a policy and framework (yours truly as chair)

Issues like COPPA and a Web privacy policy being addressed on an ad hoc basis with speaker as central core on each

Ultimately will have a governance structure, although a CPO still unlikely in these budget days.

Page 20

International Association of Privacy Professionals (https://www.privacyassociation.org)

Privacy Program Management, Russell R. Densmore

American Institute of CPA’s (www.aicpa.org)

CIO.gov (https://cio.gov/about/groups/privacy-cop/privacy/)

Electronic Privacy Information Center (epic.org)

StaySafeOnline.org

HealthIT.gov

Sample Video Surveillance Policy

Page 21

Questions?