2019 Privacy Program Year In Review

Headshot of Holly Drake Chief Privacy Officer

Happy New Year! It’s difficult to believe that 2020 and a new decade is here. When I travel around our campuses and community, people that I meet often ask me: what’s the best part of working at Ohio State? I always reply: the generosity of our community members.

Thanks to all of you who have offered your guidance and ideas and shared your experience and expertise. If you are reading this and we haven’t met yet – drop me a line, and let’s connect!

With sincere appreciation for your enthusiasm, expertise, and partnership,

Holly Drake
Chief Privacy Officer

 


 

Privacy in the News

Looking back at 2019, this was an epic year for those in the privacy profession. California has a new privacy regulation, and we are noticing lots of new pop-ups online highlighting privacy statements and cookie policies. Several other states and the federal government are also contemplating new privacy laws.

The Federal Trade Commission (FTC) alleged that Facebook violated its privacy promises to consumers, violating a 2012 order. The FTC levied a $5 billion penalty – the largest ever it has imposed. Health and Human Services continues its regular enforcement actions as well, issuing fines to entities who fail to meet HIPAA obligations.  

Privacy blossomed as an area of interest across higher education. Many institutions hired their first chief privacy officers and initiated efforts to assess and improve privacy practices across their campuses. In addition, many journals and newspapers also published articles about student surveillance, analytics and data mining.

 

Privacy@OhioState

Wondering what’s going on with privacy at Ohio State? During my first year, I met leaders from across the university to learn about the stellar privacy compliance programs already in place. Take a look at what we accomplished with all of your support, ideas and passion for privacy!

1. Developed Transparency and Trust: The Privacy Plan

In partnership with privacy partners across the university and The Wexner Medical Center, we drafted Transparency and Trust and the Ohio State Privacy Principles, which outline Ohio State’s privacy values. From these values, we developed a privacy plan to roll out over the next several years. Next, we presented the privacy principles to students, faculty, and staff across the university so we could incorporate their feedback and suggestions.  

2. Expanded Ohio State’s Privacy Team

Ohio State already has incredible compliance programs around key laws involving privacy such as FERPA, HIPAA and others. Strong and valued privacy partnerships have been built over the past year with privacy pros around the university within the medical center, human resources, marketing, data governance, risk, compliance and more. In July, we hired a senior privacy officer, Jennifer Elliott.

3. Launched Big Ten Academic Alliance Privacy Officers Working Group

The chief privacy officers from Penn State and Ohio State are co-chairing the newest BTAA working group, which includes members from 12 schools!  The work culminated in a 2-day in-person conference at Ohio State. During this session, the privacy officers selected three privacy topics and created task forces to bring the collective expertise, experience and passion of the BigTen to tackle them.

4. University Senate Committee on Distance Education, Libraries, and Information Technology adopted Privacy@OhioState

As Ohio State continues along its privacy journey, the Council on Distance Education, Library and Information Technology (DELIT) selected “Privacy@OhioState” as a working group sub-topic. The goal is to spark a conversation across our community about privacy, digital footprints and privacy personas. Throughout the year we are hosting Data Privacy Days to engage the Ohio State community in discussions about privacy topics. The ultimate objective is to publish a community-driven Website Privacy Statement.

5. Digital Experience and Infrastructure Working Group (DE&I): Adopted Text Message Recommendations

The DE&I team is comprised of marketing, design, web, and communications stakeholders from across the university. Many units and teams are working to establish texting programs for their students, faculty, and staff members. Unfortunately, texting without consent can annoy recipients and may even violate regulatory guidelines. The team worked to explore texting campaigns from other institutions and companies, evaluate regulatory requirements and best practices, and formulate a list of recommendations for texting campaigns. DE&I members have adopted these practices.

6. Further Streamlined HIPAA Compliance Activities

HIPAA compliance is well-established at Ohio State. The HIPAA Evolution is an effort comprised of HIPAA Privacy and Security Officers from the medical center and academic units. They are working to further streamline compliance reporting, update HIPAA training, and bring together various established procedures into a tool kit. This kit is designed to help other teams adopt and report HIPAA privacy requirements as needed. The group evolved into a standing committee that will be coordinated by the medical center.

7. Launched a Privacy Framework, Conducted Privacy Impact Assessments

In the Office of the Chief Information Officer, we developed a Privacy Impact Assessment (PIA) tool. The tool is a method of evaluating the privacy risk of projects that require us to collect, use, and share personal information. We will partner with teams and units if they need to make modifications to their projects. PIAs ensure that we are consistent in adhering to our privacy principles and regulations.

 

Looking forward to 2020

2020 also promises to be an active year for privacy!  Many states and the federal government are taking up this important topic. Ohio State will be an important voice in crafting new rules through our higher ed affiliations. The Ohio State privacy program, grounded in our privacy principles and rooted in regulation, will expand and grow to meet the increasing expectations of our community members. Our work will maintain and grow the trust of the students, faculty, staff, and community members who entrust us with their personal information.

Leaders from across the university and medical center, who are instrumental in building and expanding of the Ohio State Privacy Program, are convening in early 2020 to launch the Privacy Governance Council. The Council will oversee the priorities and activities of the privacy program and serve as a forum for thoughtful consideration of complex privacy topics affecting our community. Two important topics that this group will tackle are (1.) student analytics and (2.) faculty and staff privacy practices.

This spring, OCIO will partner with DELIT and DE&I to publish a new online privacy statement that explains our privacy practices – how we collect, share and use personal information. This work includes a new cookie pop-up notice to inform our visitors how we use cookies on our websites, as well as creating a single, comprehensive source for our community members to request access to their personal information.