Podcast Episode 25: Privacy for Remote Students and Europe’s View of Privacy

Ep. 25 – Dr. Gabriela Zanfir-Fortuna, Senior Counsel for the Future of Privacy Forum & Bob Eckman, CISO at Kent State University

This week on Privacy Please, we take a closer look at how GDPR affects higher education and, even more importantly, how universities can create a framework to meet the regulations. We bring both perspectives to the conversation with Dr. Gabriela Zanfir-Fortuna, Senior Counsel for the Future of Privacy Forum, who helped negotiate the GDPR and Bob Eckman, CISO at Kent State University, who works every day to keep his institution in compliance. When you listen to this week’s show, you’ll find out why Zanfir-Fortuna earned the nickname “Wonder Woman of GDPR” – and she even has a plaque to prove it.

Here are three highlights of this week’s chat:

Why You Need a Privacy Office – Actual Office Space Optional

Eckman tells us how just a few years ago he had never heard of a Privacy Office, which is a one-stop-shop for data privacy and now a common feature at universities. Some institutions’ privacy offices are in an actual office with people, such as a Chief Privacy Officer, working within. But not all of them have separate office space with dedicated workers.

The Privacy Office communicates how the university manages privacy and treats data, but even more importantly, it helps people feel comfortable interacting with the university environment. Eckman explains that some smaller schoolers don’t have a dedicated Chief Privacy Officer. In these cases, the CIO typically takes on the role to meet GDPR requirements of a data protection officer reporting to the highest level of the organization. At larger schools, there is a dedicated role for Chief Privacy Officer or the Chief Security Officer handles the responsibilities.

How Europeans View Privacy Differently than Americans

Every time Zanfir-Fortuna hears the term data privacy, she has a conflict in her head because the term isn’t used in Europe. The European Union legal framework protects the right to privacy and the right for data protection. While the right to protection of personal data is in another bubble, the two bubbles often interact. The European view refers to how personal data can be used – and if it even should be used. If you collect personal data, you need justification for why you need the data at that current point in time. In the U.S., data privacy laws typically cover a well-defined piece of information, such as PHI under HIPAA, which is different than the broad definition created by the GDPR.

How Remote Learning Affects Data Privacy

While students did not see many holistic impacts from moving to a remote model, Eckman explains that on an administrative level, the shift opened a lot of new issues. With people working from home consistently, strange machines are connecting to strange networks on a regular basis. Many privacy regulations, such as HIPAA, require having control access to a machine displaying PHI that only authorized users can see, which creates additional challenges. Eckman says that in an office environment, his team uses creative ways to fill such requirements, such as using screen protectors and distancing workstations. But with remote environments, you can never be sure that the employee looking at PHI isn’t in their living room with family members able to see the screen.

However, he says that his school (Kent State) and many others quickly instituted some changes to help, such as VPN use and using dedicated workspaces in homes. Because Kent State has a great relationship with Microsoft, he was able to create an advanced Microsoft authentication that allows employees to securely use tools such as Teams and Outlook while connected to a VPN. While Kent State was able to adjust with a tremendous amount of work and effort, he saw many other schools really struggle with the home security aspect.