Every Learner Everywhere

Understanding the Strategic Role of the College or University CPO

Digital learning technologies in higher education — along with software used in other campus functions like recruiting, the registrar, and career services — generate a tremendous amount of personal data about individual students. While those tools and the data they collect can help faculty consider innovations that may lead to greater student progress and completion, they also generate responsibilities and ethical questions: Is the data being used responsibility? Is it protected? Do students know how the data is being used? And, critically, are the institution’s data privacy procedures in support of the strategic learning goals?

In the EDUCAUSE 2020 Top IT Issues Survey: The Drive to Digital Transformation Begins, information security and privacy were the top two issues identified. Many colleges and universities have begun to address these issues with a relatively new administrative position: the Chief Privacy Officer or CPO (also sometimes called a Campus Privacy Officer). 

What does a college or university CPO do?

Currently no definitive tally of how many colleges and universities have CPOs exists. In an interview for a 2019 EdSurge article, Valerie Vogel, then Senior Manager for the cybersecurity program at EDUCAUSE, estimated 41 percent of colleges had an executive dedicated to information security. Yet it’s a specialty expected to grow as higher education recognizes the need to protect student data.

A 2015 poll of CPOs by EDUCAUSE identified five core responsibilities in the role: 

  • Establishing privacy policies, standards, and processes.
  • Ensuring compliance with state, federal, and international laws, campus policies, and industry standards.
  • Developing privacy training and awareness across campus.
  • Advising the campus on best practices, new technologies, and potential institution-wide risks.
  • Investigating and responding to privacy breaches.

What laws say about data privacy in higher education

Even without a campus CPO, colleges and universities operate under local and even international laws governing data privacy. 

For example, under the California Consumer Privacy Act that took effect in 2020, consumers can view which third-party companies have access to data. It further gives consumers the right to sue if privacy guidelines are breached. 

Internationally, the General Data Protection Regulation (GDPR) governs data protection laws across the European Union. It sets standards on how organizations can use personal data and who can access the data. Among its principles are limits on data collection, transparency, confidentiality, and security.

Although California’s law and GDPR don’t specifically address higher education institutions, those laws apply because colleges and universities collect data on students. GDPR can also cover organizations outside the EU when, for example, students are working remotely in the EU or a college or university is marketing to international students.

At the federal level in the U.S., the Family Educational Rights and Privacy Act (FERPA) permits parents with children under age 18 to access their children’s education records and request records be corrected for errors. Parents can also control disclosure of their children’s personally identifiable information. After age 18, those rights transfer to college students. That means colleges and universities may be required to release information about one student and forbidden to release the same information about another student. Failure to abide by those rules can result in the loss of federal funds.

Related reading: The Regulatory Issues Administrators Are Thinking While Faculty Design Online Courses

Good digital privacy practices in higher education

However, FERPA was enacted in 1974, long before ubiquitous online learning, big data, and ransomware attacks. Many higher education institutions establish data privacy guidelines to account for emerging technologies while staying compliant with the relevant laws.

For example, the University of California put out a Statement of Privacy Values, a model other universities and colleges can adapt to uphold digital ethics. The principles include:

  • Advance notice of policies and practices for collecting, using, disclosing, retaining, and disposing of information.
  • Retaining only the minimum amount of information about individuals for a specified purpose.
  • Allowing students to choose whether and by what means to provide their information.

The Markkula Center for Applied Ethics at Santa Clara University offers a Framework for Ethical Decision Making and Ethics in Technology Practice. Though geared toward business, the principles can be applied to higher education.

EDUCAUSE’s Higher Education Information Security Council published a guidebook in 2016 for the CPO administrative role. It outlines the relevant laws, summarizes common issues, and recommends the Fair Information Practice Principles (FIPPs), a common  framework for data privacy in the government and business sectors.


Apart from the CPO — or prior to creating the CPO role — colleges and universities may have a role titled chief information security officer (CISO). Although both positions deal with the broad issue of data security, the CISO focuses primarily on preventing intrusions into the campus’s computer networks. The CPO, meanwhile, addresses questions of how student data is used and safeguarded.

Like companies, universities have been hit by high-profile data breaches. For example, in 2020, Indiana University deleted a GPA calculator from its website after the university learned students, faculty, and staff gained access to 100,000 current and former student grades, a violation of FERPA.

In another example, the University of California-Berkeley discovered in 2017 that a third-party online discussion platform integrated with its LMS was selling information about students to companies for recruitment purposes

Because institutions work with numerous vendors on the technical side, the CISO must manage those relationships throughout the course of the contract with an eye toward data privacy, noted Cheryl Washington, CISO for the University of California at Davis, in a recent conference presentation. “You have to maintain supplier relationships so you don’t inadvertently give out more information than your original intent was,” she said.

Meanwhile, the FBI is warning colleges and universities that they are increasingly at risk of organized ransomware attacks.

Secure doesn’t mean strategic or effective

EDUCAUSE’s 2020 Student Technology Report: Supporting the Whole Student, which surveyed more than 16,000 undergraduate students at 71 U.S. colleges and universities, showed that students hold conflicting views on data collection. 

On one hand, about half believe colleges and universities use and secure their data responsibly. Yet fewer than a quarter said they didn’t see how the data collected benefited them. Although colleges may do a good job on data privacy, they could be more transparent about how student learning data is being used.

Ultimately, data is collected to support some educational purpose, and, as the frameworks referenced above suggest, it’s unlikely colleges and universities will achieve that purpose without a coherent strategy that involves the participation of every stakeholder. Faculty and administrators involved with selecting or collaborating with a CPO should ensure that the campus doesn’t drift into not seeing the forest for the trees. Colleges and universities — and their CPOs — should develop excellent data security practices that are well aligned with meaningful learning goals. 

More resources for administrators