2021 Privacy Program Year In Review

Holly DrakeAnother year in the books.  Now that I’ve been at Ohio State for three years, I can see and appreciate the Buckeye Spirit now more than ever.  As the privacy program grows by leaps andbounds, I am impressed with the knowledge, care, and attention our community gives to considering individual privacy in our work and the dedication our faculty and staff have shown to helping grow privacy efforts at Ohio State.

I start the new year again with a sense of gratitude for all of you who are working to uphold Ohio State’s privacy principles and to embed privacy at Ohio State on a daily basis.  If you are reading this and want to learn more about how to get involved with the privacy program at Ohio state, send me and email and let’s connect.

With sincere gratitude and appreciation for the Buckeye community,

Holly Drake

Chief Privacy Officer


Privacy in the News

Privacy continues to be a hot topic around the world as we navigate privacy and the pandemic while new laws are drafted and passed both at home and abroad. 

The pandemic has forced thinking about individual privacy in new ways with the introduction of the vaccine and vaccine requirements.  For example, questions surrounding how HIPAA applies in the workplace and privacy in public health efforts have kept privacy experts busy responding to questions and crafting programs and processes in ways that protect individual privacy. 

Many states have passed privacy laws including the state of Colorado with its recently passed Colorado Privacy Act.  Even the state of Ohio drafted a proposed act, the Ohio Personal Privacy Act.  While some of the details in the acts may vary slightly, the main concepts of protecting individual’s privacy rights over their data such as the right of access, right to request deletion, and right to request a company not sell your data.

Internationally, several privacy laws have been proposed and passed including China’s Personal Information Protection Law, India’s Personal Data Protection Bill, and Brazil’s General Data Protection law.  Additionally, we continue to watch developments in how the European Union’s General Data Protection Regulation evolves and is enforced. 
 

Privacy@Ohio State

The past year has been a productive one for privacy at Ohio State.  Here are a few highlights of the work we have done with the help of our fellow Buckeyes:

Launch Student Analytics Principles

Published the Student Analytics Principles:  A group of faculty, staff and students have drafted Ohio State’s first student analytics principles.   The goal of these principles is to provide the university guidelines on the ethical and transparent use of student data.  We have been presenting these principles to different groups around campus further improving the draft and plan on launching these principles in the new year. 

Launch Privacy Achievement

Visit cybersecurity4you to complete the Privacy Achievement and collect rewards.

Protect Youth Privacy

Developed the Youth Privacy Principles:  The Youth and Privacy subcommittee published the university’s first youth privacy principles.  The goal is to provide youth programs staff and volunteers on protecting the privacy of youth. These principles represent a novel approach to communicating privacy standards for youth at Ohio State and the Big 10. 

Implemented parent or guardian consent form to ensure youth and their families understand that virtual classes may record the audio and video of students.

Launch Cookie Pop-Up for Websites with Trackers

The university is in the process of rolling out OneTrust across all Ohio State and Wexner Medical Center web sites.  Ohio State uses this tool to meet requirements to let website visitors know about the cookies and trackers that we use on our websites.  Website visitors can indicate their preferences by opting out of some cookies and, depending on where they are accessing our website, consenting to the use of some types of cookies and trackers.   

Since the effort began in April 2020, we've made a lot of progress in scanning, classifying cookies, and adding a cookie banner to provide users information on how we collect and use their data while allowing users to manage their preferences and give consent.  We are finalizing work on the remaining websites missing OneTrust.  November 18, 2022 is our target completion date.  Learn more about cookies here.

Expand University Privacy Pros

Over the past year, Ohio State Privacy Pros have expanded  from five to over twenty participants from all over the university.  Learn more about Ohio State Privacy Pros here. 

Expand Privacy Principles in University Policies

The updated Institutional Data Policy now includes Privacy Principles.  We reviewed policies at Ohio State to determine the best route to ensure privacy is reflected in university policies.  Rather than writing one big privacy policy for Ohio State, we decided to add privacy to several key policies.  For example, language related to protecting privacy was added this year to the Institutional Data Policy.  We have plans to add privacy to other policies as well including the Responsible Use policy. 

Publish University HIPAA and PHI Policy

Partnered with the Medical Center in Launching a University HIPAA Policy: HIPAA at Ohio State is a well-established and fine-tuned program which affects certain parts of Ohio State—mainly the medical center and other health care colleges like Dentistry and Optometry.  The Medical Center in strong partnership with others across the university drafted and launched a university HIPAA policy.  The campus privacy team helped to draft the policy and help campus units understand and operationalize key aspects of the policy.

Require Vendors to Adhere to Privacy Requirements

Implemented the Ohio State Data Security and Privacy Addendum, which ensures our vendors and partners protect the privacy of our community members’ personal information.

Drive Privacy Practices Across Ohio and Higher Ed

One of the six Ohio State Privacy Principles says at Ohio State we “create, educate and lead best practices and compliance across our communities.”  Over the past year, Ohio State privacy has done just that.  Holly Drake, our Chief Privacy Officer, has been actively involved in privacy work throughout Ohio and the higher education community.  For example, privacy at the state level:  (1) played a key role in drafting the first Ohio privacy law proposal; (2) helped draft the Educause action plan for privacy; (3) participated in the Ohio Data Ethics Working group; and (4) helped lead the Big Ten Academic Alliance privacy working group.


Looking Forward to 2022

We are looking forward to 2022 being another year of active and dynamic growth in Ohio State’s privacy program with the help of our Ohio State colleagues.  Here are a few of the projects we have planned:

  • Hosting Data Privacy Day Activities at Ohio State:  Ohio State will be celebrating international data privacy day in January.  We are planning a day of events focusing on increasing dialogue at Ohio state about data privacy. 
  • Launching an International Privacy Laws Working Group:  We are launching an international privacy working group as part of the Privacy Governance Council early in the new year.  This group will focus on evaluating international privacy laws and developing compliance around these laws as needed at Ohio State. 
  • Launching Tailored Programs:  Leveraging a compliance approach successful at the Medical Center, we are working to launch tailored programs related to privacy regulated areas on campus.  
  • Adding privacy to the Information Security Control Requirements and renaming the document to include privacy.