Jan. 24-28 is Data Privacy Week, a National Cybersecurity Alliance initiative that encourages individuals to secure their personal information and urges organizations to use customer data with respect and transparency.
To mark the week, we talked with Kirk Corey, director of policy and privacy within the university’s Information Security and Policy Office, about the importance of privacy and what the university is doing to protect it.
Question: What do we mean when we talk about “IT privacy” or “data privacy?” How is privacy different from security?
Kirk Corey: This is a great question and one we get asked a lot. Privacy applies only to data that is related to an individual person, whereas security applies to the way data is protected, regardless of whether that data is personal data.
So, security is an important part of protecting privacy, but it’s not the whole story. Privacy also deals with questions of how much of your data is collected, how is it used, how you find out what data others hold, and how you correct data that others have.
Q: Why is IT privacy especially important for universities like ours? What institutional actions can we take to enhance IT privacy?
KC: As an institution, we collect an extraordinary amount of personal data—not only data about our students, faculty, and staff, but also patient data, customer data, and data about research participants.
It’s important that we develop institutional processes and policies to help protect this data, both for the sake of the individuals who entrust the data to our safekeeping and to fulfill our legal and ethical responsibilities to be good stewards of sensitive, personal information.
Q: In general, how are we doing as an institution? Where have we made improvements?
KC: We collaborate closely with our counterparts at other institutions, especially within the Big Ten, and we all support each other by sharing information about what works well.
Recent improvements include policies covering the European Union General Data Protection Regulation (GDPR) and the IT Privacy Policy. But there’s also a lot of behind-the-scenes activity as we add new technologies that enhance privacy per se and increase privacy by improving data security.
Q: How can each of us better protect our own data and other people’s data?
KC: It’s important to understand both the data we share with others and the information revealed when all the little pieces of data are put together.
There’s a well-known story about a woman who started receiving targeted ads for diapers and other baby items from a large retailer that had invested in analyzing customer shopping behavior. The customer never told the retailer she was expecting—they figured it out by correlating lots of little pieces of data, such as switching from scented to unscented lotions, buying more vitamins and supplements, etc.
Knowing that sensitive conclusions can be drawn from seemingly non-sensitive information shows the importance of protecting information in general.
Q: How should this understanding affect what we do as a university or as university employees?
KC: Some questions to consider: Do we limit our usage of data to the original purpose for collecting it? Do the people providing the data understand the reasons we’re requesting it? Are we careful to destroy the data when it’s no longer needed?
A couple of years back, a company’s servers were breached and a lot of personal data compromised. What made it worse was the discovery that a lot of the data was supposed to have been deleted. If that company had followed its own rules for data retention, the breach would have affected far fewer people.
Q: We sometimes talk about privacy and security in terms of “compliance”—things we need to do to follow applicable laws, regulations, etc. But compliance shouldn’t be our only concern, right?
KC: This is a really important point. We have to make sure we fulfill our compliance obligations to avoid fines and penalties. But laws and regulations are always evolving, and right now we’re seeing increased interest in privacy protections across the political spectrum.
It’s important to track these trends and make sure we don’t adopt practices and technologies today that are likely to cause problems down the road.
It’s also important to prioritize ethics. Data can be misused in ways that may be legal but are still unethical. Modern technologies make it easy to collect huge amounts of data about individuals, with or without their knowledge. And the more data we collect, the greater potential for damage if that data is breached.
Q: Security often gets framed as something we do to protect against phishers, hackers, or other intruders. Is it fair to say that privacy is more about the things we do willingly—providing info without considering why, freely posting personal details to social media, etc.?
KC: Yes, this is an example of how security and privacy don’t completely overlap. Once the horse is out of the barn, so to speak, a better lock on the barn door doesn’t do much good.
We’ve seen claims from some analytics companies that, based on a certain number of answers to seemingly trivial questions, they can predict your future behavior better than you can. A lot of these companies gather data that we willingly share on social media. So, you might think twice before voluntarily taking the “What kind of potato am I?” quiz on social media.
Q: Is surrendering privacy an unavoidable cost of using social media, search engines, online shopping, etc.?
KC: We know there’s a paradox between how people describe their concern with privacy and how they behave when it comes to giving away their information. The incentive to provide information conflicts with our interest in protecting it.
For example, we’re surrounded by so-called “smart devices”—TVs, phones and other technologies listening for our voice commands. It’s convenient to be able to control a device without getting out of your chair and finding the remote. But if these devices are always listening for voice commands, they’re also listening for other things. It’s hard to guarantee how that information is being used—how much of that is for our benefit, and how much is not.
A lot of us participate in customer loyalty programs that track our purchases and reward us with discounts and other incentives. It’s easy to see how those can benefit us but we don’t necessarily understand or think about potential harms, mostly because we don’t know all the ways our shopping data is being used.
Q: Can you recommend any additional resources for learning about data privacy?
The National Cybersecurity Alliance offers tools for managing your privacy, including a list of direct links to privacy settings for major devices and online services.
The International Association of Privacy Professionals focuses on information for people involved with privacy as part of their jobs but also offers general-interest resources. They do an outstanding job of tracking legal and regulatory activity surrounding privacy, so it’s a great way to see which direction the wind is blowing.
Educause looks at the role of technology in higher education. They have devoted more attention privacy in recent years and offer a great place to learn about privacy issues unique to universities like ours.