Updated: August 29, 2019 at 7:03 p.m.
During its first six months, GW’s new ethics office updated University policies and brought on additional personnel to increase student awareness about data privacy issues.
Officials launched the Office of Ethics, Compliance and Privacy in February to oversee issues like conflicts of interest and data security efforts. Dorinda Tucker – the assistant vice president of the office of ethics, compliance and privacy and the office’s head – said her team has held sessions throughout the spring semester to educate the GW community on data privacy and created and modernized key policies since the office’s launch.
Tucker said that her staff updated policies related to people with disabilities, personal information and privacy, prohibited relationships with students, effort reporting and legal representation of faculty and staff.
She said the office also made “minor” updates to “a number of policies” and created a new policy regarding web and digital content accessibility. Officials met the first federal deadline to update GW’s website accessibility in January after a federal investigation into the matter.
Tucker added that her office held two lunch-and-learn sessions about data privacy – one in early April and the other in late May – to increase awareness about administrators’ efforts to improve data privacy. Roughly 40 to 50 people attended each session, Tucker said.
“It was a great way to make sure our employees and community are aware of how the University safeguards personal information and increase privacy literacy,” she said in an email.
Tucker added that in July, administrators added two new positions to the office, a compliance manager and a privacy manager. She declined to say how large the office’s budget is.
Tucker also declined to say how many ethics violations have been reported to the office since it launched or what challenges the office has faced in terms of increasing compliance, managing risk, improving data security and strengthening the University’s ethics policies.
Data privacy experts said that while students and staff should receive data security training, officials must also dedicate enough resources to the new office to prevent a failure in the school’s data privacy systems.
Chris Kielt, the vice chancellor for information technology and chief information officer at Washington University in St. Louis, said officials in his office created a communication plan and cultivate “threat management expertise and safeguards.”
“Experience, peer collaborations, planning, simulations, quick responses and acting on lessons learned helps grow the program maturity aimed at providing consistency and continuously improving in a fast-changing, ever-evolving landscape,” Kielt said in an email.
He added that in the digital age, data security applies to everything from class registration to personal information, and students should be part of a “shared responsibility” to protect online data.
“We include students in our awareness campaigns and hope to impart information about safe use and access to university data,” he said. “In raising awareness of the risks and educating students on best practices when sharing and accessing university resources and information, we look for opportunities to communicate how this also applies to sharing and accessing their own personal data.”
Kielt said efforts to bolster an institution’s data security systems are sometimes unsuccessful because leaders do not allocate enough resources and funding.
“Data security is a significant investment, but the investment is usually less costly than the consequences of unaddressed risk,” he said. “Most institutions recognize this and prioritize this important work.”
Cathy Hubbs, the chief information security officer at American University, said it can take a significant amount of time for a university to implement a successful data security system, which includes training staff and crafting the right processes, policies and procedures.
“Securing data is easy, it means not granting any access whatsoever, unfortunately, this is impractical in our technology-dependent world,” Hubbs said.
She added that should officials neglect to commit sufficient resources to the office, the University could face serious consequences.
“Failed data security can lead to unexpected, undocumented changes to data, which can have cascading effects for decision-makers,” she said. “Unintended data exposure, data breaches, compliance issues, fines, business reputational data, identify theft, staff losing their jobs and much more.”
This post has been updated to reflect the following clarification:
The Hatchet reported that Chris Kielt, the administrator at the Washington University in St. Louis, suggested that GW’s new office of data privacy should create a communication plan and cultivate “threat management expertise and safeguards.” He was instead commenting on his own school’s data privacy efforts.