A constant threat: UC attempts to balance digital privacy, security

The University of California has increasingly sought ways to improve its information technology infrastructure in recent years, in light of growing security concerns nationwide.

The University’s Privacy and Information Security Initiative is one way the UC hopes to help campuses balance protocols for privacy and information security.

In 2010, then-UC President Mark Yudof convened the initiative’s steering committee – comprised of individuals from the UC Office of the President and campuses across the UC system – and asked its members to come up with clearer definitions of information privacy and security. He also asked them to provide guidance on how administrators can balance the two issues.

Large institutions often have to comply with a number of laws regarding patient or student data, like the Health Insurance Portability and Accountability Act, which dictates how protected health information can be used and shared.

These legal parameters have forced universities to take cybersecurity more seriously, said Paul Rivers, interim chief information security officerat UC Berkeley.

Privacy and security, however, are two different concepts and can sometimes come in conflict with each other, said Rodney Petersen, managing director of the Washington, D.C. office of Educause, a nonprofit organization that provides resources about information technology to UCLA and other universities.

An institution that values information security would want to go back and trace the source of a security breach or problem.

Conversely, an institution that values privacy will not want to collect information from its members in the first place, or it will give users notice on how their information may be used, Petersen said.

“I don’t think it’s always one or the other, but we need to understand there might be trade-offs in what decisions we make and what direction we choose to go,” he said.

To help administrators understand how privacy relates to security, members of the UC Privacy and Information Security Initiative’s steering committee devised a privacy balancing test, the UC’s statement of privacy values and a list of the University’s privacy principles.

Many UC campuses, including UCLA, have already appointed privacy officers to field questions about information security, and some others are in the process of doing so – another recommendation that came out of the Privacy and Information Security Initiative steering committee.

UCLA Chief Privacy Officer Kent Wada, who chaired the UC Privacy and Information Security Working Group, said in an email that he thinks the new guiding principles can be useful for administrators, who often have to make decisions about data management without a common context or approach.

UCLA partners with outside organizations, like Google Apps, that sometimes have different privacy standards than the university’s.

In cases like these, officials have to negotiate with the third-party providers to make sure their services align with the university’s expectations, said Wada, who is also UCLA’s director of strategic information technology policy.

At Berkeley in 2010, administrators had to reevaluate their approach to a controversial DNA collection program that asked incoming students to voluntarily submit DNA.

Researchers would study the DNA and give students personalized genetic information.

Berkeley officials, however, had to abandon plans to share information with the students after privacy groups expressed concerns about the program.

“That would be where a privacy-type committee could say ‘Don’t do it at all,’ (or) ‘Do it under these particular circumstances.’ … This is before you can get the hacking in, or unauthorized employees looking at a record,” Yudof said in an interview with the Daily Bruin in August.

He said he hopes the initiative will serve as an avenue for administrators to seek advice about proposed and existing information technology-related policies.

And while ultimately the decisions will be left to chancellors and administrators, Yudof added that he hopes they will consider the privacy committee’s opinion before reaching those decisions.