Why IT Matters to Higher Education
EDUCAUSJANUARY/FEBRUARY 2013 E
Information Revealed Privacy Merri Beth Lavagnino Privacy, Security, and Compliance Michael Corn and Jane Rosenthal Mentoring, Self-Awareness, and Collaboration Melissa Woo, David G. Swartz, and Earving L. Blythe PLUS EDUCAUSE Values: Community activate learning.
An integrated collection of classroom furniture, Verb: for the many modes of learning Verb™ is designed to support a full range of teaching and learning styles on demand. www.steelcase.com/Verb Why IT Matters to Higher Education
EdUCAUsr e vıeEw JANUARY/FEBRUARY 2013 VolUmE 48, NUmBER 1
4 eDUCaUse Values: Community
FeatUres
10 Information privacy revealed Merri Beth Lavagnino
IT senior leaders and IT staff should learn what privacy is, why it is important in higher education today, and 10 how they can identify and address privacy risks.
24 privacy, security, and Compliance: strange Bedfellows or a marriage made in Heaven? Michael Corn and Jane Rosenthal
The authors examine several campus issues lying at the intersection of privacy, security, and compliance and provide insight for institutional leaders planning 24 strategic directions.
36 mentoring, self-awareness, and Collaboration: the 2012 eDUCaUse award Winners Melissa Woo, David G. Swartz, and Earving L. Blythe
The 2012 EDUCAUSE Award winners talk about the higher education IT profession and about how their particular interests have influenced and guided their 36 leadership roles.
48 analytics: Changing the Conversation Diana G. Oblinger
The third in a three-article EDUCAUSE Review series exploring analytics. 48
www.educause.edu/ero JaNuaRY/FEBRuaRY 2013 EducausEreview 1 Why IT Matters to Higher Education
EdUCAUr e vıewsE JANUARY/FEBRUARY 2013 VolU m E 48, NU m BER 1 PUBlishER/EditoR Departments d. teddy diggs AdVERtisiNG Greg Farman, Advertising director Geri Farman, Advertising manager 8 leadership dEsiGN ANd PRodUCtioN [Views from the Top] mcmurry/tmG Jeff Kibler, Art director Helping to Take the Disruptive Jerry Parks, Project manager out of MOOCs Brenda Waugh, Production Artist dEPARtmENt EditoRs Michael Reilly and E-Content: Jeffrey von Munkwitz- diane J. Graves, University librarian and Professor, Coates library, trinity University Smith
New Horizons: Vernon C. smith, Chief Academic officer and Provost, myCollege Foundation 52 E-Content Policy Matters: [All Things Digital] Rodney Petersen, senior Government Relations 8 officer and managing director, Washington office, Is Linking Thinking? EdUCAUsE Addressing and Assessing Viewpoints: Scholarship in a Digital Era david lassner, Vice President for it and Cio, University of hawaii Michael Roy
EdUCAUsE EXECUtiVE oFFiCERs diana G. oblinger, President and CEo susan Grajek, Vice President, data, Research, 54 New horizons and Analytics [The Technologies Ahead] Garth Jordan, Vice President, operations Julie K. little, Vice President, teaching, learning, ds106: Not a Course, and Professional development Not Like Any MOOC Alan Levine
EDUCAUSE Review is the general-interest, bimonthly magazine published by EdUCAUsE. With a print publication base of 22,000, 56 Policy matters 52 EDUCAUSE Review is sent to EdUCAUsE member representatives as well as to presidents/chancellors, senior academic and administrative [Campus Environment leaders, non-it staff, faculty in all disciplines, librarians, and corpora- tions. it takes a broad look at current developments and trends in & Political Context] information technology, what these mean for higher education, and how they may affect the college/university as a whole. Amassing Student Data and EdUCAUsE and EDUCAUSE Review are registered trademarks. Dissipating Privacy Rights Copyright © 2013 by EdUCAUsE. materials may be photocopied for noncommercial use without written permission provided appro- Marc Rotenberg and priate credit is given to both EDUCAUSE Review and the author(s). Permission to republish must be sought in writing (contact editor@ Khaliah Barnes educause.edu). statements of fact or opinion are made on the responsibility of the authors alone and do not imply an opinion on the part of the Ed UCAUsE Board of directors, staff, or mem- bers. For more information about copyright, see
2 EducausEreview Ja N uaRY/FEBRuaRY 2013 Old cars are classics. Old SIS are obsolete.
If your SIS vendor built its system before the Internet, it’s not vintage — it’s a liability. With the right innovations for higher education engineered into CampusVue® Student, institutions are winning the hearts and minds of constituents on a more efficient centralized system. So, before overhauling your old system again, test drive the most proven brand in the industry. Experience the Student Information System that’s serving leaders in higher education worldwide.
www.campusmanagement.com/vue
© 2012 Campus Management Corp. All rights reserved. Campus Management Corp and CampusVue are registered trademarks of Campus Management. These marks may be registered in the U.S. or other countries. All other registered trademarks and service marks are the properties of their respective owners. Information is subject to change.
CMGC 17323 ER_8.5x10.875_4C.indd 1 10/19/12 11:33 AM B:8.875” T:7.75” S:6.75”
The values of the higher education IT community shape the strategic directions and actions of EDUCAUSE. In consultation with EDUCAUSE members and community leaders, the EDUCAUSE executive staff continues to develop a series of value statements. Each statement will provide a brief overview of what the value means, why our community considers it to be impor- tant, and how the value guides EDUCAUSE in its service to association members and to higher education. The list of values, which will change over time and should not be considered exhaustive, is posted on the EDUCAUSE website: http://www .educause.edu/stratdir#values. THE DATA CENTER’S BANDWIDTH EDUCAUSE EXCEEDS YOURS. Values B:11.375” T:10” S:9”
Community“EDUCAUSE values community for the relationships, commitment, and collective action it catalyzes, and EDUCAUSE thus supports the SOLVED. development and adoption of technologies, applications, and approaches to foster community.”
community is “a group or society, helping each other.” A strong community nurtures the development of re- Thousands of students plus an entire faculty equals a whole lot of data. Certainly more information lationships and fosters mutual commitment, respect, than one IT person can handle. That’s why we’ve partnered with Riverbed to provide you the responsibility, understanding, and participation extra power you need. Our solution architects will make sure you find the right technology for among its members. your data center. The college/university is the very essence of commu- nity—a place where people gather together to explore The extra bandwidth you need is at CDWG.com/datacenter ideas and to expand the boundaries of knowledge. The community acts as a springboard to discovery, encouraging indi- Aviduals to expand their worldviews and remain open to a wide range of ideas and possibilities. EDUCAUSE values this type of community. Technological innovations, however, have created, changed, and in some cases, challenged our notions of community. Anyone and any- thing can be connected. Communities can appear and disappear spon- taneously or can be long-lived. Technology enables the formation of >> ©2013 CDW Government LLC. CDW®, CDW•G® and PEOPLE WHO GET IT™ are trademarks of CDW LLC.
4 EducausEreview Ja N uaRY/FEBRuaRY 2013
DOCUMENT PATH: Studio:Volumes:Studio:Clients:CDW:CSM_New Launch Base Mechs_First Wave:Mechanicals:123449_CDWCSM12110I011_CH7_HEDQ1 NetOpt Riverbed:123449_CDWCSM12110I011_HEDQ1 NetOpt Riverbed_F.indd
AGENCY JOB NO.: CDW.CDWCSM.12110.I.011 DATE/TIME: 12-18-2012 1:45 PM BLEED: 8.875” w x 11.375” h DIVISION/OFFICE: Ogilvy/Chicago OPERATOR: Peter Schafer TRIM: 7.75” w x 10” h STUDIO JOB NO.: None LIVE: 6.75” w x 9” h VERSION: None SLUG FONTS: DIN Light, DIN Regular DUPLEX: No REVISION: FINAL SCALE: 1”:1” NO. OF PAGES: 1 of 1 FONTS: Prelo (Black, Book) PRINTED AT: 100% FILENAME: 123449_CDWCSM12110I011_ IMAGES: 101204_CDW_21422_Bandwidth_ RESOLUTION PLACED: HiRes HEDQ1 NetOpt Riverbed_F.indd v2_Parnership_Version_F.tif (420 ppi; CMYK), riverbed_logo_with_ EXEC. CREATIVE DIRECTOR: None AD TITLE: 123449_HEDQ1 NetOpt Riverbed tagline_F.eps, CDWG_PWGI_ CREATIVE DIRECTOR: B. Gately CLIENT: CDW CMYK_F.eps ART DIRECTOR: K. Mason CLIENT JOB NO.: CDW 123449 COLOR PROFILES: None COPYWRITER: M. Peabody BRAND: CDW TRAPS: None ACCOUNT: J. Clements PRODUCT: Ad DIE CUT: None PRINT PRODUCER: D. Cusick CODENAME: None INKS: Cyan TRAFFIC: K. Abramson/S. Kelly JOB TYPE: Print Magenta ART BUYER: S. Hatten JOB CATEGORY: CDW Mechanicals Yellow ENGRAVER: Clutch Studios Black TO APPEAR IN: Educause
8.875” x 11.375” 7.75” x 10” 6.75” x 9”
27133G_123449.indd — 12/18/2012_06:23 PM Operator: pb Proof#: 1 B:8.875” T:7.75” S:6.75”
THE DATA CENTER’S BANDWIDTH EXCEEDS YOURS. Values B:11.375” T:10” Community S:9” SOLVED.
Thousands of students plus an entire faculty equals a whole lot of data. Certainly more information than one IT person can handle. That’s why we’ve partnered with Riverbed to provide you the extra power you need. Our solution architects will make sure you find the right technology for your data center.
The extra bandwidth you need is at CDWG.com/datacenter
>> ©2013 CDW Government LLC. CDW®, CDW•G® and PEOPLE WHO GET IT™ are trademarks of CDW LLC.
DOCUMENT PATH: Studio:Volumes:Studio:Clients:CDW:CSM_New Launch Base Mechs_First Wave:Mechanicals:123449_CDWCSM12110I011_CH7_HEDQ1 NetOpt Riverbed:123449_CDWCSM12110I011_HEDQ1 NetOpt Riverbed_F.indd
AGENCY JOB NO.: CDW.CDWCSM.12110.I.011 DATE/TIME: 12-18-2012 1:45 PM BLEED: 8.875” w x 11.375” h DIVISION/OFFICE: Ogilvy/Chicago OPERATOR: Peter Schafer TRIM: 7.75” w x 10” h STUDIO JOB NO.: None LIVE: 6.75” w x 9” h VERSION: None SLUG FONTS: DIN Light, DIN Regular DUPLEX: No REVISION: FINAL SCALE: 1”:1” NO. OF PAGES: 1 of 1 FONTS: Prelo (Black, Book) PRINTED AT: 100% FILENAME: 123449_CDWCSM12110I011_ IMAGES: 101204_CDW_21422_Bandwidth_ RESOLUTION PLACED: HiRes HEDQ1 NetOpt Riverbed_F.indd v2_Parnership_Version_F.tif (420 ppi; CMYK), riverbed_logo_with_ EXEC. CREATIVE DIRECTOR: None AD TITLE: 123449_HEDQ1 NetOpt Riverbed tagline_F.eps, CDWG_PWGI_ CREATIVE DIRECTOR: B. Gately CLIENT: CDW CMYK_F.eps ART DIRECTOR: K. Mason CLIENT JOB NO.: CDW 123449 COLOR PROFILES: None COPYWRITER: M. Peabody BRAND: CDW TRAPS: None ACCOUNT: J. Clements PRODUCT: Ad DIE CUT: None PRINT PRODUCER: D. Cusick CODENAME: None INKS: Cyan TRAFFIC: K. Abramson/S. Kelly JOB TYPE: Print Magenta ART BUYER: S. Hatten JOB CATEGORY: CDW Mechanicals Yellow ENGRAVER: Clutch Studios Black TO APPEAR IN: Educause
8.875” x 11.375” 7.75” x 10” 6.75” x 9”
27133G_123449.indd — 12/18/2012_06:23 PM Operator: pb Proof#: 1 EDUCAUSE Values: Community
communities of any size, on topics gen- tion for the common challenges faced at contribute their expertise, and grow eral or specialized, and without limita- institutions large and small, and helps in the profession. Our members can tions of geography or time. Wikipedia, bring into focus possible approaches find others with similar interests and Facebook, and Twitter, for example, and solutions. can follow, share, and expand profes- have catalyzed communities never The EDUCAUSE community is not sional networks through social media. before imagined. Technology-enabled limited to IT practitioners. Our com- The ability to share lessons learned and communities can be social, scientific, munity is enriched by connections with leverage effective practices allows the political, or about collective action. international colleagues, the broader entire community to progress more They can have great power. world of higher education, and corpo- rapidly. EDUCAUSE too is a community, rate and government organizations. As As the higher education technology comprising institutions and individuals expressed in our motto—“uncommon association, EDUCAUSE embraces the who are committed to the free flow of thinking for the common good”—our values of collaboration, the common information and ideas through the use community values opportunities to good, innovation, openness, and com- of technology. EDUCAUSE manifests consider a diversity of perspectives, to munity. A spirit of community is cen- the value of community in the ways it think imaginatively, and to embrace tral to EDUCAUSE and our service to promotes the association’s other values: innovation. EDUCAUSE cultivates higher education. I innovation, openness, collaboration, strategic relationships with other pro- and working toward the common good. fessional associations to enhance our Interaction among the members of our community’s work. © 2013 EDUCAUSE. The text of this article is community opens us up to the experi- EDUCAUSE strives to foster a com- licensed under the Creative Commons Attribution- ences of others, gives us an awareness, munity of higher education IT profes- NonCommercial-NoDerivs 3.0 Unported License deeper understanding, and apprecia- sionals who can engage with colleagues, (http://creativecommons.org/licenses/by-nc-nd/3.0/).
You walked across campus on the coldest day in January to make sure Ashley’s financial aid form made it to the Registrar’s Office by the 10:00 a.m. deadline. But when her mom called later with a question, you didn’t have the answer because Ashley’s form is across campus … and you’re not.
It’s time to rewrite this story. Perceptive Software process and content management solutions close information gaps and eliminate workflow bottlenecks in every department, to make staff and students’ lives easier. No matter what host application you use or how your staff interacts with data, Perceptive gives you more choices and greater flexibility – end of story.
Read success stories from real customers at www.perceptivesoftware.com/highered
www.perceptivesoftware.com/highered
© 2012 Perceptive Software, LLC. All rights reserved. All product and company names may be trademarks or registered trademarks of their respective owners. PSI_ad_EDUCAUSE_2012
6 EducausEreview JaNuaRY/FEBRuaRY 2013 From serving as a trusted liaison with your Epson Has preferred Epson dealer to providing product demos, training, and answers to your planning and technical questions, the Epson team will a Team on come to your campus to help you take full advantage of our exclusive Brighter Futures Campus. education programs and pricing. We’re a whole team of professionals focused Visit epson.com/higherEd on creating great relationships with the higher education community.
Thomas Hines Kristan Kuykendall Gerry Campana Barry Sugarman Austin, TX Lakewood, CA Ellicott City, MD Weston, FL
PowerLite® Pro Z Large Venue Installation Projectors Offering low cost of ownership and liquid cooling technology, all Pro Z projectors also feature dual lamps that are ideal for use in large auditoriums and performance venues.
EPSON and PowerLite are registered trademarks, and EPSON Exceed Your Vision is a registered logomark of Seiko Epson Corporation. Brighter Futures is a registered trademark of Epson America, Inc. Copyright 2012, Epson America, Inc. All product specifications are subject to change without notice.
407-694_Epson_Proj_EdR_JanFeb13_FP_Ad_FNL.indd 1 12/14/12 3:50 PM leadership [Views from the Top]
helping to Take the Disruptive out of MOOCs
hose of us who have found our way into the Today, web-based services have made nearly all academic enrollment and academic services professions and enrollment processes available to students and faculty in higher education have become accustomed to through their computers and, increasingly, through mobile the somewhat familiar refrain that colleges and applications on their phones. The vast majority of students universities are slow to change. The recent atten- apply for admission through a web-based application (many Ttion given to MOOCs (Massive Open Online Courses) has often institutions accept only electronic applications). Transcripts included the descriptor “disruptive” (meaning: “to throw into can be requested via a website and delivered electronically to confusion or disorder”) partly because this characterization of the college or university of choice (AACRAO and its SPEEDE resistance to change suggests that higher education institutions Committee developed some of the first standards for electronic could not possibly address this phenomenon in an orderly records exchange back in 1990). At the institution, those elec- fashion. tronic transcripts can be uploaded into a degree audit system We—the authors of this article—think that change, particu- that shows a student’s progress toward degree requirements larly change around the technology that makes it easier for stu- and is updated each term. These degree audits allow faculty dents to enroll and complete their degrees and that helps fac- advisors to spend more time talking with students about ulty focus their time and energy on their teaching and research, research interests or career plans and less time making sure is instead part of the fabric of higher educa- students’ course choices are meeting degree tion and is actually more characteristic of our requirements. Students register for classes, profession than is any notion of our resistance How do we pay their bills, order their textbooks, request to change. We have both been in higher edu- transcripts, change their major, and handle cation enrollment services long enough to know who is many other processes via the web. have witnessed change that would make our taking a course The embracing of emerging technolo- offices and processes unrecognizable to those when the course gies has made many of these improvements who were in the business twenty years ago. in student services possible. Verification of We believe that the same measured approach is “open” to enrollment for financial aid purposes is now higher education has taken to apply emerging anyone who easily done through the National Student technologies to current business processes in wants to Clearinghouse. Document imaging has made order to make them more student-centered it easier to share records with faculty and to can be used to navigate the MOOC phenom- take it? store records in digital files rather than in the enon in order to make it more “productive” bulging file cabinets that cluttered offices. than “disruptive.” Most students get their questions answered To understand higher education’s ability to “roll with the or their needs met through websites, allowing institutions to changes” from the academic and enrollment services perspec- close the banks of windows that often characterized student tive, think of how students applied for admission or registered services offices. Many students attend institutions only through for classes, or how faculty submitted grades or advised their web-based instruction and never even see the inside of campus students, thirty years ago. Applying to college involved com- offices. pleting a paper application and tracking down transcripts to So what does AACRAO and what do academic and enroll- mail to the admissions office. A bank of staff hand-keyed these ment service professionals have to contribute to the discussion applications and records into the “system” (usually a legacy of MOOCs? Academic leaders at our institutions are already system built on COBOL code). Registering for classes was a beginning work to address student assessment and learning massive manual exercise involving 80-column punch cards, outcomes issues. The areas where AACRAO members have paper forms, and miles logged walking around campus track- expertise are in ensuring identity management, in transcript- ing down signatures. Faculty advised students by comparing ing, and in recording and verifying credentials. A degree from transcripts against the degree requirements in the institution an accredited institution of higher education in the United catalog. Grades were rushed to the Registrar’s Office at the end States has substantial value in part because rigorous quality of each term and were hand-keyed into the system so that grade controls have been applied to the process of obtaining that reports could be mailed to students. degree. These include not only institutional and program
8 EducausEreview Ja N uaRY/FEBRuaRY 2013 Michael Reilly and JeffRey von Munkwitz-SMith David Plunkert, © 2013 accreditation, faculty credentials, and other academic quality or awarding credit for MOOC courses. The American Council metrics but also procedures ensuring that an applicant’s aca- of Education (ACE) and others are beginning work in this area. demic preparation for study has been thoroughly evaluated, At the AACRAO annual meeting in San Francisco in April that prior credit applied to the degree was earned at legitimate 2013, we are planning to hold a robust discussion of the role institutions, that transcripts reflect the achievement earned by of enrollment and academic services in contributing to the the student in the course and assessed by faculty, that a pre- success of MOOCs. We anticipate that our members and part- scribed course of study was completed, that the record is stored ners will have a number of creative ideas to offer. Hopefully in a secured environment, and that student privacy is protected. we can one day look back to the beginnings of the MOOC Call us old-fashioned, but we think these sets of quality assur- phenomenon as just another of the many challenges we have ances have served U.S. higher education well. tackled as part of the ever-evolving enterprise known as higher MOOCs create challenges to this quality-assurance regi- education. n men—challenges that will require some thought. How do we know who is taking a course when the course is “open” to Michael Reilly ([email protected]) is Executive Director for the American anyone who wants to take it? Does this matter only if some- Association of Collegiate Registrars and Admissions Officers (AACRAO). Jeffrey von Munkwitz-Smith ([email protected]) is President of the American one is interested in earning course credit to apply toward a Association of Collegiate Registrars and Admissions Officers (AACRAO) degree or credential? Promising technologies are emerging in and is Assistant Vice-President and University Registrar at Boston identity management, including through Internet2 and the University.
Common Identity and Trust Collaborative (CommIT), which © 2013 Michael Reilly and Jeffrey von Munkwitz-Smith. The text of this article is licensed present some opportunities for better authentication of the under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/ participants. A variety of strategies is available for transcripting licenses/by/3.0/). www.educause.edu/ero Ja N uaRY/FEBRuaRY 2013 EducausE review 9 Re
ILLUSTRATION BY C.J. BURTON, © 2013 Information vealedPrivacy By Merri Beth Lavagnino
nformation privacy is not a technology concept. Long before there were Chief Privacy Officers working to address practi- cal information privacy problems, lawyers and academics studied and worked on privacy issues. The majority of people who enter the still-nascent information privacy profession come from non-technical fields including legal, compliance, marketing, and risk management. In 2012, the annual Pri- vacy Professionals Role, Function, and Salary Survey from the International Association of Privacy Professionals (IAPP) found that the majority of privacy offices—59 percent—report through legal (30%) and compliance (29%) departments, with only 9 per- cent reporting through information security and only 5 percent through Iinformation technology.1 So why is information privacy the focus of this issue of EDUCAUSE Review and EDUCAUSE Review Online? The IAPP survey contains the answer: “Meeting regulatory compliance requirements continues to be the top perceived driver of privacy office funding, while concern about required data breach notifica- tions and the bad publicity that such announcements entail grew in importance among survey respondents, with almost nine in every 10 listing it as a concern.”2
ILLUSTRATION BY C.J. BURTON, © 2013 www.educause.edu/ero JANUARY/FEBRUARY 2013 EdUcAUsEreview 11 Information Privacy Revealed
It’s all about the data. Regardless of curate because it rarely covers activities the confidentiality of letters in the North which office oversees privacy or who such as designing facilities, furniture, American colonies, and the U.S. Con- causes data breaches, protecting privacy and workplaces in ways that enhance gress passed “An Ordinance for Regulat- is inescapably tied to technology, due physical privacy.6 Information privacy ing the Post-Office of the United States of to the almost universal use of technol- focuses on anything that leaves an infor- America” in 1782.7 The U.S. Census, con- ogy to collect, store, process, and utilize mation trail, whether or not that trail is taining citizens’ personal information personal information in the pursuit of digital. IT professionals should be pre- collected by the government, prompted organizational goals. It is thus important pared to advise and assist with privacy privacy concerns that resulted, by 1840, that all IT professionals have the intel- issues concerning oral, paper-based, and in promises of confidentiality of the in- ligence they need to embrace their role digital information, including images formation and also, by 1889, in a law that as participants in, or even as leaders of, and video. significantly fined census officials for institutional information privacy efforts. Privacy is not security. Although it is disclosing confidential information. The IT senior leaders and IT staff should possible to have security without privacy introduction of the telegraph led to laws learn what privacy is, why it is important (e.g., system administrators can view any in the late 1800s to keep the contents in higher education today, and how they data they please, due to their legitimate of telegraphs confidential. The now- can identify and address privacy risks. full-access rights, though administra- famous 1890 Harvard Law Review article CIOs in particular can then respond tive policies and personal ethics would “The Right to Privacy,” by Samuel Warren positively to institutional efforts to as- normally prevent such behavior), it is not and Louis Brandeis, was inspired by the sign responsibility for privacy—or even possible to have privacy without security. authors’ concern with protecting Ameri- better, to spearhead such an effort. Typically, security profes- cans from the intrusive- sionals are very comfort- Regardless of ness of photography and definition and History able deploying physical which office the press,8 a concern Although there is no universally ac- and technical safeguards oversees privacy generated by the new cepted definition of “information pri- such as installing locks, or who causes Kodak camera, a general- vacy,” the following definitions represent deploying access control, data breaches, consumer camera placed three major perspectives: avoiding viruses, patch- protecting privacy on the market that year.9 ing vulnerabilities, and is inescapably tied None of these de- n “Privacy is the claim of individuals, implementing encryp- to technology, velopments generated groups or institutions to determine tion, but many are less due to the almost enough activity to cause for themselves when, how, and to comfortable working universal use the creation of a privacy what extent information about them on administrative con- profession. Americans is communicated to others.”3 trols such as policies, of technology were not quite ready. As n “[Privacy is] the appropriate use of awareness and training, to collect, store, the Irish dramatist George personal information under the cir- on-screen wording that process, and Bernard Shaw noted cumstances. What is appropriate will clearly describes to end utilize personal when giving a speech in depend on context, law, and the in- users how applications information in New York in 1933: “An dividual’s expectations; also, [privacy work, appropriate use the pursuit of American has no sense of is] the right of an individual to control agreements, and con- organizational privacy. He does not know the collection, use, and disclosure of tracts. Privacy augments goals. what it means. There is personal information.”4 strong physical and tech- no such thing in n “Privacy involves the policies, proce- nical controls with corre- the country.”10 Not dures, and other controls that deter- spondingly strong admin- until the technol- mine which personal information is istrative controls. ogy called “com- collected, how it is used, with whom puting” entered it is shared, and how individuals who How Did We Get Here? the scene do we are the subject of that information Information privacy be- see another flurry are informed and involved in this came the subject of at- of attention to pri- process.”5 tention several times in vacy issues in the the eighteenth and nine- United States. Yet if we Notice that the word “privacy” is teenth centuries. For ex- claim the year 1951, with usually by itself, without the clarifying ample, the British Parlia- the introduction of the “information” preceding it. However, the ment passed the 1710 Post UNIVAC, as the start of term “information privacy” is more ac- Office Act to protect the computing technol-
12 EdUcAUsEreview JANUARY/FEBRUARY 2013 Workday customers: Information Privacy Revealed
ogy revolution, it still took nearly fifty appoint a Chief Privacy Officer, or CPO. as CPO—the first recorded instance of more years for information privacy to The pace of the dance picked up. In that position in higher education—and become a profession—and even longer for 1995, the Internet went commercial, in September 2002, the University of higher education to take notice. and law enforcement took advantage Florida named Susan Blair as CPO. Technology innovation and privacy of the change: the first official Internet Interestingly, in that same year, the De- law practically danced around each wiretap was successful in helping the partment of Homeland Security was the other during those fifty years. In 1970, Secret Service apprehend three people first federal agency required by statute to the Fair Credit Reporting Act (FCRA) who were illegally manufacturing and appoint a CPO. required credit agencies to allow con- selling cell phone cloning equipment. Higher education had not ignored sumers access to their credit records to In 1996, the Health Insurance Portability privacy prior to this time, especially as review and correct mistakes. The Privacy and Accountability Act (HIPAA) applied it related to compliance with the law, Act of 1974 regulated the type of personal privacy requirements to health care, but colleges and universities handled information the federal government can covering a small part of overall college privacy in silos. Legal counsel monitored collect about private individuals and and university operations. In 1999, the legislation, highlighted the need for how that information can be used. The Financial Services Modernization Act, compliance, and ensured that an office 1974 Family Educational Rights and also known as the Gramm-Leach-Bliley took on the day-to-day responsibilities, Privacy Act (FERPA) is designed to pro- Act (GLBA), established guidelines for whereas registrars typically dealt with tect the privacy of education records, to the collection of personal data in the FERPA compliance, health science or establish the right of students to inspect banking and insurance sectors and also research staff dealt with HIPAA compli- and review their records, and to provide covered a small part of college and uni- ance, and financial staff dealt with GLBA guidelines for the correction of inaccu- versity operations. That same year, the compliance. Higher education (and rate data. Meanwhile, technology inno- Federal Trade Commission (FTC) took its indeed, all other sectors) did not realize vations added confusion around how to first Internet privacy enforcement action what was about to hit them. apply these laws. In 1969, the ARPANET against Geocities, for deceptively collect- connected four research centers, and in ing personal information. The Tipping Point 1971, Ray Tomlinson sent the world’s first Some of the laws, most notably The tipping point that pushed all organi- e-mail communication. Tomlinson later HIPAA, require accountability through zations past the comfortable privacy-by- claimed that the contents were “entirely the assignment of a person to manage silo model and into the uncomfortable forgettable” and that he had, therefore, an organization’s efforts to comply. The realization that privacy required more forgotten them.11 By 1973, e-mail consti- IAPP was founded in 2000 to provide a organization-wide attention and coor- tuted 75 percent of ARPANET traffic.12 professional community and certifica- dination was California’s SB 1386, intro- Technology innovations continued: tion for these individuals, and in 2001, duced in February 2002 and effective on by 1976, several personal computers the Wall Street Journal reported that the July 1, 2003. for consumers were available; in 1986, new position of CPO was finding its SB 1386, a personal-data-protection the NSFNET launched, incorporating way into Fortune 500 companies.13 Fi- statute, covers information such as Social ARPANET connections into its broad nally, in January 2002, the University of Security numbers (SSNs) and outlines reach and eventually becoming the In- Pennsylvania named Lauren Steinfeld data breach notification requirements. It ternet. The legislative process responded was the beginning of a new breed of pri- in 1986 with the Electronic Commu- vacy law. Over the next three to five years, nications Privacy Act (ECPA), which nearly every state passed similar legisla- extended restrictions on wiretaps from tion. Just what was so different about SB telephone calls to transmissions of elec- 1386 and its copycats that caused organi- tronic data by computer and prohibited zations to realize they needed more inte- both the interception of electronic com- grated information privacy management? munications and access to stored elec- tronic communications. In 1990, the first n Notification: Prior to SB 1386, data- commercial provider of dial-up access protection laws did not require noti- offered its services, and in 1991, the first fication to affected individuals.14 The World Wide Web server appeared on the notification requirement introduced network. Maybe that web server was the significant costs and negative public- last straw: also in 1991, Acxiom Cor- ity in the event of a breach. poration, a data broker, became one n Commonly Used Data: No univer- of the first organizations on record to sally used data, such as SSNs, had
14 EdUcAUsEreview JANUARY/FEBRUARY 2013 been covered by previous laws—and SSNs were handled by nearly every- PrIvacy rEsourcE rEcommEndatIons from one working in higher education be- tHE HIgHEr EducatIon cHIEf PrIvacy offIcErs (HE-cPo) fore the mid-2000s, since institutions were required to collect them both Freely available mailing lists, newsletters, and blogs: for employees and for student finan- n IAPP Daily Dashboard cial aid. Historically, SSNs had been https://www.privacyassociation.org/publications/daily_dashboard the unique identifier. n IAPP Inside 1to1: Privacy n Enforcement: In general, prior to SB https://www.privacyassociation.org/publications/inside_1to1_privacy/ 1386, privacy laws were not enforced routinely through sanctions. For n Privacy and Information Security Law Blog from Hunton & Williams example, there had been no FERPA http://www.huntonprivacyblog.com/ enforcement actions, even though n Privacy Rights Clearinghouse FERPA had been in place since 1974. https://www.privacyrights.org However, California and other state n Electronic Privacy Information Center (EPIC) attorneys general were now enforcing http://epic.org/alert/ these new laws, causing increased at- tention to many of the other privacy Basic standards on which most privacy programs and legislation are based: laws by their enforcing authorities. n OECD Guidelines on the Protection of Privacy and Transborder Flows of n Private Right of Action: Older laws did Personal Data not usually allow a private right of http://www.oecd.org/document/18/0,3746,en_2649_34223_1815186 action, whereas many of the state _1_1_1_1,00.html data-protection laws now did. This in- creased the risk of legal action against n Generally Accepted Privacy Principles (GAPP), American Institute of Certified the business or organization. Public Accountants Inc. and Canadian Institute of Chartered Accountants n Criminalization: Older laws did not http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/ make mishandling of protected data Privacy/GenerallyAcceptedPrivacyPrinciples a crime, whereas many of the state n Security and Privacy Controls for Federal Information Systems and data-protection laws now did. This Organizations, Special Publication (SP) 800-53, Revision 4 (Initial Public Draft) was a game-changer for higher educa- http://www.nist.gov/itl/csd/sp800-022812.cfm tion: individual employees were now ac- countable for any data breaches they Seminal works: might cause—for example, due to n Alan F. Westin, Privacy and Freedom (New York: Atheneum, 1967) negligence. Even if an institution had n Peter Swire and Sol Bermann, Information Privacy: Official Reference for the an indemnification policy and chose Certified Information Privacy Professional (Portsmouth, N.H.: IAPP, 2007) to cover the legal costs of defending an employee charged with the crime, n Daniel J. Solove, Understanding Privacy (Cambridge: Harvard University Press, the employee could go to jail if the 2008) defense was unsuccessful. n Kirk M. Herath, ed., Building a Privacy Program: A Practitioner’s Guide (Portsmouth, N.H.: IAPP, 2011) Implications for Higher Education In 2005, the Privacy Rights Clearing- Professional groups: house began its “Chronology of Data n International Association of Privacy Professionals (IAPP) Breaches.”15 The first three listings in https://www.privacyassociation.org/ that year highlighted higher education n Higher Education Chief Privacy Officers (HE-CPO) breaches. In 2006, the “Chronology” Contact Valerie Vogel at EDUCAUSE: [email protected] reported that 52 percent of breaches involving outside hackers were in the Certification: higher education sector.16 In 2007, the n Certified Information Privacy Professional (CIPP) and specialized total number of breach incidents re- certifications for the United States, Canada, Europe, the U.S. government, and ported by institutions of higher educa- information technology tion rose 67.5 percent—to 139 incidents.17 https://www.privacyassociation.org/certification In 2008, the number of data breach www.educause.edu/ero JANUARY/FEBRUARY 2013 EdU c AUs E review 15 Information Privacy Revealed
incidents and profiles includes academics, the such as privacy notices, forms re- compromised by all number of practitio- questing personal information, user education-related orga- ners was high enough help screens, and appropriate-use nizations was found to be to cause the formation agreements “disproportionately high of a Higher Education n Advising decision-makers on privacy compared to the total of The most important Chief Privacy Officers risks so that they can make prudent all other U.S. enterprises action that group (HE-CPO) in 2012, decisions—for example, when deter- that reported data breach higher education which brought together mining whether or not to implement incidents.”18 institutions can approximately 34 self- a technology option or to contract However, by 2009, take is to assign identified individuals with a third party the “Chronology” had overarching privacy who have been assigned n Reviewing contracts with third par- turned its attention coordination duties lead information privacy ties to include wording that ensures from higher education to someone—no responsibilities by their the proper handling of institutional to health care. Clearly, matter his or her institutions.19 However, data shared with that party someone in higher title or where only 3 in the group have n Coordinating with information secu- education institutions the person is the title Chief Privacy Of- rity, data management, legal counsel, was—and is—working ficer with no additional internal audit, compliance, risk man- on privacy issues. But organizationally titles, and 10 do not even agement, and others who? Higher education situated—and have the word “privacy” n Providing awareness and training institutions typically enable that in their titles. and teaching others how to “think do not have large person to work privacy” so that privacy becomes enterprise-wide legal cooperatively What Do Higher Education part of the day-to-day thinking of all and compliance offices with other areas to Privacy People Do? employees and typically do not achieve objectives. CPOs or individuals who n Maintaining knowledge of privacy assign many C-level titles are assigned lead pri- law and generally accepted best such as CEO, CFO, CTO, CCO, and CPO. vacy duties take a risk-based approach practices More likely, privacy duties in colleges to privacy and focus on strengthening and universities are being shared by administrative controls, working in overview of Privacy the information security office, the data partnership with security professionals Harms and Principles management group, the compliance on physical and technical controls and Even if an institution has a CPO, all of silos mentioned previously, university with data management professionals on those who are working to provide the counsel, and various others. Current data classification. Activities include the infrastructure to collect, store, process, financial pressures can preclude following: and utilize personal information in assigning even one full-time person the pursuit of the organization’s goals need singular title of Chief Privacy Officer. n Creating and overseeing an Informa- to continually evaluate how their service Instead, additional duties are likely tion Privacy Program for the institu- affects privacy and need to take action to assigned to staff holding other titles, tion (often in coordination with the reduce any identified privacy risks. or—a favorite solution—one person is Information Security Program), with given multiple titles (and corresponding an appropriate governance structure Privacy Harms duties). The most important action n Managing privacy and security How can an institution determine that higher education institutions can breach incidents whether a business process, service, or take is to assign overarching privacy n Developing privacy policies or work- project is going to be or already has been coordination duties to someone—no ing with others to incorporate privacy implemented in a way that might cause matter his or her title or where the into other policies (e.g., employee, a privacy risk? The following list of pri- person is organizationally situated— student, and visitor electronic data; vacy harms, based on the work of Alan and enable that person to work website privacy notices; customer F. Westin and Daniel J. Solove, includes cooperatively with other areas to relationship management; human questions particularly related to inter- achieve objectives. subjects research; video surveillance) actions with users whose information As of fall 2012, IAPP membership n Assessing the privacy impact of busi- is being collected, used, disclosed, and included 246 individual members (out ness processes, services, and projects retained.20 of 11,138) from higher education institu- and providing guidance on how to tions; 121 of those held at least one pri- reduce identified privacy risks Information Collection. Is the institution vacy certification. Although that number n Crafting language for documentation collecting information about users or
16 EdUcAUsEreview JANUARY/FEBRUARY 2013 TCPN saves school districts money on all their purchases.
Overseeing district purchasing requires a lot of effort and planning. The Cooperative Purchasing Network (TCPN) helps simplify your steps and reduce your costs. TCPN’s contracts leverage the purchasing power of over 30,000 actively engaged government entities. All contracts are competitively bid and awarded by a single governmental entity – Region 4 Education Service Center. An industry giant with ISO certified processes; TCPN monitors contracts through third-party audits and regular reviews to ensure vendor accountability. You can rely on TCPN’s 100+ combined years of government purchasing experience and 50+ combined years of auditing experience – we know what it takes to keep a school running.
Keep your school purchasing on time, and on budget. Go to www.tcpn.org and sign up today.
tcpn_dollar_educate rev.indd 1 12/13/12 2:23 PM Information Privacy Revealed
watching what users are doing, more use a service because they do not know of the most commonly performed harm- than it should? Examples include sur- how the institution will process their ful activities—every time a cloud service veillance (watching, listening to, or re- information. or third party is used. cording a user’s activities); interrogation (inappropriately probing for informa- Information Dissemination. Is the institu- Invasion. Will the institution go into tion); visual monitoring (viewing private tion planning to spread or transfer in- users’ spaces and contact them or tell activities without the user’s knowledge); formation about users, more than they them what to do? Examples include communications (wiretapping phones might like or expect? Examples include invasions into private affairs; invasive or viewing e-mail or Internet transac- breach of confidentiality (breaking an acts that disturb users’ tranquility or soli- tions); and “too much information” agreement to keep information confi- tude; decisional interference (entering (unnecessarily asking for what the user dential); disclosure (sharing data with or into users’ decisions regarding private thinks is “private” information or collect- transferring data to unexpected persons affairs); unwanted e-mail (many people ing information not really needed for the or entities); exposure (revealing intimate consider e-mail to be a personal space, transaction). Whether or not someone at information, and many users consider which is why they become upset when the institution actually looks at the infor- any personal picture to be intimate); in- colleges or universities e-mail unwanted mation does not even matter; the fact that creased accessibility (making informa- communications); unwanted phone calls the information is being collected will tion more accessible, for instance by put- (most users consider phone numbers, concern people. ting paper records online and indexing especially cell phone numbers, to be by search engines); blackmail (threaten- personal space); and entering a room Information Processing. Is the institution ing to disclose personal information); without knocking. storing, manipulating, and using users’ appropriation (using a user’s identity, data in a way that they might not like or such as a name or picture, without per- Privacy Principles expect? Examples include data mining mission); and distortion (disseminating Once the privacy risks are understood, that makes assumptions about patterns false or misleading information about the institution must take steps to address (deciding if users are good students users). Information dissemination is one them. Information privacy is enhanced based on how many times they accessed through the application of the Fair In- an online textbook); aggregation (com- formation Practice Principles (FIPPs), bining pieces of users’ information col- through principles outlined in the lected from different sources); identifica- OECD Guidelines on the Protection of tion (linking unidentified information Privacy and Transborder Flows of Per- elements to particular users, perhaps sonal Data, and through the Generally to learn about “anonymous” actions); Accepted Privacy Principles.21 In nearly insecurity (failing to protect information every situation, an institution should be from leaks and unauthorized access); able to identify one or more actions it can secondary use (using collected informa- take to address any privacy issues, while tion for a purpose different from the use still achieving its business goal. for which it was collected, without users’ consent); and exclusion (using data Notice. Identifying a way to inform users to exclude a user, especially if of institutional practices around the data the data was incorrect or inter- collected from them is usually the easi- preted incorrectly). Information est way to address most privacy harms. processing can be helpful when Posting a privacy policy on the institu- it “personalizes” and gives better tional website or explaining on a form service. However, it can invade privacy or login screen the plans for the data when it goes too far or is used in unex- that users will enter is a way to provide pected ways. Does the institution keep notice. Institutions should explain who information long after it is finished with will be collecting the data, how the data the data? This can make the informa- will be used, who will receive it, and the tion vulnerable to processing harms. steps that will be taken to preserve the Privacy is a balancing act: users are confidentiality, integrity, and quality of going to balance the gains from using a the data. Any automatic service against the potential privacy collection of data— harms. Some may choose not to such as log files and
18 EdUcAUsEreview JANUARY/FEBRUARY 2013 Mediasite gives us a more global reach, sharing our courses locally, nationally and internationally.
It’s invaluable for our distance learning and part-time students, who can now enjoy the experience of a more traditional face-to- face lecture. Plus working with Sonic Foundry, the best global practitioners of lecture capture technology, we’ve been able to learn from both the company and their global user community, which means we don’t have to reinvent the wheel.
Sean Faughnan Deputy Director, Department for Continuing Education Oxford University
about Oxford’s Mediasite success Sonicfoundry.com/OxfordUniversity
webcasting and video content management 877.783.7987 | sonicfoundry.com
©2012 Sonic Foundry, Inc. All rights reserved. Information Privacy Revealed
data collected by web analytics engines— only as long as necessary to fulfill the Integrity and Security. Is the institution should be described as well. stated purposes? Once the data is col- applying reasonable technical, physical, lected, an institution can be compelled and administrative measures to secure Choice and Consent. Can the institution to reveal it through certain legal orders. its systems and data and to ensure data identify a way to obtain implicit or But if an institution does not have the integrity? Incorrect data is as bad as, explicit consent from individuals with data, it cannot be compelled to provide if not worse than, missing data, since respect to the collection, use, disclo- the data. On the other hand, if a law or incorrect decisions can adversely affect sure, and retention of their informa- business practices require the institution individuals. tion? Choice may apply to “secondary to retain the data for a set period of time, uses”—that is, uses beyond the original it must be retained for that long—and Enforcement and Redress. Does the insti- reasons for which the data was provided. must be protected appropriately while tution provide a way for users to com- Sometimes choice is “opt in” (the insti- being retained. plain—for example, to report issues to tution will not share the data without the institution or to a central Incident agreement), and sometimes choice is Disclosure Limitation. Can the institution Response unit? Are reported issues “opt out” (the institution can share the review with the business process owner investigated? Are dispute-resolution data or contact users, but users have a what it is disclosing to whom and ensure mechanisms in place? At its simplest, way to stop the sharing or contact). Can that it is disclosing information to others redress should include a righting of the the institution give options, perhaps by only as outlined in the notice and only as wrong; when issues are reported, does providing checkboxes to consented to—either im- the institution correct misinformation indicate consent to vari- Institutions plicitly or explicitly? Con- or cease the harmful practice? Does it ous uses? should explain tracts should be reviewed post easy-to-find information for users who will be regularly with third par- to learn about enforcement and redress Collection Limitation. Can collecting the data, ties, to ensure up-to-date procedures? the institution review how the data and appropriate data- what data it is collecting will be used, protection language. reflections with the business process who will From the 1710 Post Office Act of the owner and ensure that it is receive it, Access. Can the institution British Parliament to SB 1386 in 2003, collecting only the infor- and the steps provide access to users laws have progressed to protect the mation needed to achieve that will be taken to review and update or privacy of individuals at the same time the purposes identified to preserve the correct their own infor- that technology innovations have con- by the business unit in mation? This should be tinually pushed our understanding support of the university’s confidentiality, possible, especially when of how to apply those laws. Although mission and as outlined in integrity, decisions will be made the dance between law and technol- the notice? Especially crit- and quality based on that data. In fact, ogy in the quest to protect privacy is ical here are very sensitive of the FERPA outlines the right never-ending, the information privacy or risky pieces of data such data. of students to petition profession already has a foothold in as SSNs and birthdates, for correction of errors institutions of higher education. Now which need to have a sig- in their student records. is the time for every institution to as- nificant business purpose The Privacy Act outlines sign an individual to coordinate pri- for collection. “Because the right of individu- vacy activities and to infuse the college we’ve always done it als to see records about and university community with basic that way” is not an them that are held by awareness. Colleges and universities excuse in this post– the federal government. may not yet—or indeed ever—be able SB 1386 world. The Fair Credit Report- to support large numbers of Chief ing Act was enacted Privacy Officers, but they can create Use and Retention. Can the because consumers privacy-intelligent enterprises by co- institution ensure that with errors on their ordinating privacy activities, revealing the collected information credit reports had no the basics of information privacy, and will be used only as out- way to correct them. encouraging the application of these lined in its notice, with no This process need not basics to day-to-day activities, espe- unexpected “secondary include a beautifully de- cially those related to the collection, uses”? Can it ensure that it signed online form; it can storage, processing, and utilization of is keeping the information be manual. data. n
20 EdUcAUsEreview JANUARY/FEBRUARY 2013
Information Privacy Revealed
notes requirements for personal health information Educational%20Security%20Incidents%20 1. International Association of Privacy in order to update the “older” HIPAA law from Year%20in%20Review%20-%202007.pdf. Professionals, “2012 Privacy Professionals Role, 1996. 18. Joseph E. Campana, “How Safe Are We in Our Function, and Salary Survey,” https://www 15. Privacy Rights Clearinghouse, “Chronology of Schools?” November 12, 2008, p. 2, http:// .privacyassociation.org/media/pdf/knowledge_ Data Breaches: Security Breaches 2005–Present,” www.jcampana.com/JCampanaDocuments/ center/IAPP_Salary_Survey_2012.pdf, p. 21 https://www.privacyrights.org/data-breach. EducationSectorDataBreachStudy.pdf. (figure 18). 16. Beth Rosenberg, “Chronology of Data Breaches 19. A list of members is available at: http://www 2. Ibid., p. 26. 2006: Analysis,” Privacy Rights Clearinghouse .educause.edu/policy/he-cpo. 3. Alan F. Westin, Privacy and Freedom (New York: website, February 1, 2007, https://www.privacy 20. Many theorists have worked to identify and Atheneum, 1967), p. 7. rights.org/ar/DataBreaches2006-Analysis.htm. classify privacy harms. One of the first was Alan 4. International Association of Privacy 17. Adam Dodge, “Educational Security Incidents F. Westin, in his classic book Privacy and Freedom. Professionals, “IAPP Information Privacy (ESI) Year in Review—2007,” February 11, 2008, Westin’s work and that of Daniel J. Solove, in Certification: Glossary of Common Privacy p. 7, http://www.adamdodge.com/esi/files/ “A Taxonomy of Privacy”—described in his Terminology,” 2011, https://www.privacy book Understanding Privacy (Cambridge: Harvard association.org/media/pdf/certification/CIPP_ University Press, 2008)—are the sources for the Glossary_0211updated.pdf. list of privacy harms described here. 5. Lauren Steinfeld and Kathleen Sutherland 21. A nice overview of the development of the FIPPs Archuleta, “Privacy Protection and Compliance is in Hugo Teufel III, “Privacy Policy Guidance in Higher Education: The Role of the CPO,” Memorandum,” Memorandum Number EDUCAUSE Review, vol. 41, no. 5 (September/ 2008-01, Privacy Office, U.S. Department October 2006), pp. 62–71, http://www of Homeland Security, December 29, 2008, .educause.edu/library/ERM0654. http://www.dhs.gov/xlibrary/assets/privacy/ 6. I have been fortunate to be able to provide input privacy_policyguide_2008-01.pdf. For the OECD on physical privacy issues at my institution (e.g., Guidelines, see Organisation for Economic Co- placement of bathrooms, use of privacy operation and Development (OECD), “OECD panels below conference room tables, Guidelines on the Protection of Privacy and and provision of private space for nursing Transborder Flows of Personal Data,” September mothers and self-administered medical care 23, 1980, http://www.oecd.org/internet/internet needs), but this is not common. economy/ecdguidelinesontheprotectionof 7. See Anuj C. Desai, “Wiretapping privacyandtransborderflowsofpersonaldata before the Wires: The Post .htm. Finally, the American Institute of Certified Office and the Birth of Public Accountants (AICPA) and the Canadian Communications Privacy,” Institute of Chartered Accountants (CICA) offer Stanford Law Review, vol. 60, “Generally Accepted Privacy Principles” (August no. 2 (2007), p. 553, University 2009), http://www.aicpa.org/InterestAreas/ of Wisconsin Legal Studies InformationTechnology/Resources/Privacy/ Research Paper No. 1056, http://ssrn.com/ Generally AcceptedPrivacy Principles/ abstract=1079958. Pages/Generally%20Accepted%20Privacy%20 8. Samuel D. Warren and Louis D. Brandeis, “The Principles.aspx. Right to Privacy,” Harvard Law Review, vol. 4, no. 5 (December 15, 1890), pp. 193–220. © 2013 Merri Beth Lavagnino. The text of this article 9. For an overview of privacy law, see Neil M. is licensed under the Creative Commons Attribution- Richards and Daniel J. Solove, “Privacy’s Other NonCommercial-NoDerivs 3.0 Unported License Path: Recovering the Law of Confidentiality,” Georgetown Law Journal, vol. 96 (2007). (http://creativecommons.org/licenses/by-nc-nd/3.0/). 10. The speech, an address to the Academy of Political Science on April 11, 1933 at the Metropolitan Opera House in New York, was published as: George Bernard Shaw, “The Future of Political Science in America,” Political Quarterly, vol. 4 (July–September 1933), pp. 313–340. 11. Alex Hutchinson, Big Ideas: 100 Modern Inventions That Have Transformed Our World (New York: Hearst Books, 2009), p. 69. 12. Gary B. Shelly and Jennifer T. Campbell, Discovering the Internet: Complete (Boston, Mass.: Course Technology Cengage Learning, 2011), p. 14. 13. Kemba J. Dunham, “Your Career Matters—Hot Titles: The Jungle,” Wall Street Journal, February merri Beth Lavagnino 20, 2001, p. B14. ([email protected]) is Chief Privacy 14. In fact, the Health Officer and Compliance Information Technology for Economic and Coordinator at Indiana Clinical Health (HITECH) University. Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) in 2009, added notification
22 EdUcAUsEreview JANUARY/FEBRUARY 2013
Privacy, Security, Compliance& Strange Bedfellows or a Marriage Made in Heaven?
By Michael Corn and Jane Rosenthal
here does privacy belong in the college/university ecosystem, and what should its relationship be with security and compliance? Are the three areas best kept separate and distinct? Should there be some over- lap? Or would a single office, officer, and/or reporting line enable a big picture of the whole? This article examines several of the campus issues lying at the intersection of privacy, Wsecurity, and compliance and provides some insight for institu- tional leaders as they plan strategic directions.1
24 EducausEreview Ja N uaRY/FEBRuaRY 2013 Strange Bedfellows or a Marriage Made in Heaven?
Illustration by David Plunkert, © 2013 Privacy, Security, and Compliance: Strange Bedfellows or a Marriage Made in Heaven?
has existed much longer as a business Privacy (noun) component, since it involves not just the technical component but also the physi- 1 a: the quality or state of being apart from company or observation: seclusion cal and administrative areas. Most major b: freedom from unauthorized intrusion
26 EducausEreview Ja N uaRY/FEBRuaRY 2013 compromise of personal data by the dominant driver in organizations that are that environment. This leads to various organization or its service providers increasingly funding a privacy role within cases that lie at the boundaries between n Serves as the organizational point of an institution. A close second is the orga- privacy, security, and compliance. We contact for individuals, internally and nizational effort to avoid data breach and will discuss three: IP address tracking externally, who have questions about the expensive and time-driven notifica- and web browsing; mobile device man- privacy policies and practices4 tion process of the affected individuals agement/application technologies; and and government oversight agencies. On security cameras and video technologies. Further, “privacy is essential to es- the other hand, it is easy to see these two tablishing and maintaining trust. If drivers as variations of one another.7 IP Address Tracking and Web Browsing customers, clients or employees believe How is the privacy office function As techniques for monitoring networks, that their personal information will be shaped by the decision to place it in the workstations, and campus activities handled respectfully, in an open and compliance office, in the legal office, or have become more sophisticated, the transparent manner, with strong, reason- in a reporting structure combined with quandary of the privacy/security/com- able safeguards, and made accessible to information security? There are many pliance position requires reassessment. them at their request, this fosters trust able and enthusiastic advocates for plac- In one simple example, over the last six and a continued positive relationship can ing personal privacy in both the com- years at the University of Illinois, we be expected. If customers are typically pliance and the legal offices of higher have observed that malware has shifted considered a business’ greatest asset, then education institutions, yet it is easy to from relying on e-mail as the dominant their personal information must be con- imagine this having a limiting (or chill- method of distribution to utilizing web- sidered one as well. Organizations will ing) effect on the scope of the privacy based attacks.9 Users are often innocent want to build and protect their assets, and function. This is particularly true within victims: they are not clicking foolishly personal information, as an asset, is no U.S. institutions, since the United States on e-mailed phishing links but, rather, different. An accountable organization lacks a mature, contemporary regula- are clicking on ads or links on major can demonstrate to customers, employ- tory framework for privacy and since news and sporting outlets that have been ees, shareholders, regulators, and com- the legal structure is long engrained in compromised. To better forensically un- petitors that it values privacy, not only the organization. Ensuring compliance derstand these attacks, we increasingly for compliance reasons, but also because within the patchwork of federal, state, collect—either from intrusion-detection privacy makes good business sense.”5 and accompanying regulations or stan- systems or system-management agents— dards pertaining to security benefits the the web-browsing history of our users. Privacy as a Security individual. Nevertheless, based on the Obviously, this information is treated or Compliance Function IAPP 2012 survey, the role of the privacy with the utmost confidence and security. Increasingly, privacy officers today hold a officer has increasingly moved toward Only authorized staff who are research- law degree (JD) and thus are able to under- avoiding liability, rather than focusing ing specific incidents may access it. stand and apply the patchwork of laws and on the individual or on the larger com- Nevertheless, the reality is that such regulations to information management. munity desires. information can lead to the feeling that both institutional privacy and personal privacy have been breached. This is true How is the privacy office function shaped by the decision to place it in the compliance office, in the even in the context of policies stating that campus equipment and services legal office, or in a reporting structure combined with information security? are involved and that no privacy is guaranteed when working to maintain In addition to having this legal viewpoint, Privacy, Security, and the overall system security. Yet for ex- many privacy officers are champions Compliance in Conflict ample, the data gathered and accessed for the protection of individual privacy; As those of us who work in security and may reveal the ratio of visits to Demo- they act as advocates for the inclusion of compliance know, there is a strong delin- cratic or Republican websites from an privacy as a critical facet when designing eation between the two areas. We may be administrative building or may reveal and advising on digital identity within the completely satisfied that a third party—for which personnel are visiting sites in- campus ecosystem. Other privacy profes- example, Amazon—runs a very tight dicative of certain medical conditions or sionals view their position as one of regu- ship regarding security within its storage sexual orientation—data that most would latory compliance, strongly defining the environment.8 Yet without contractual agree is universally private or personal contours of the privacy domain.6 assurances, a higher education institution information. Additional data provided by the IAPP cannot agree to the storing of regulated As our work and our lives are thor- confirms that regulatory compliance is a data (e.g., FERPA or HIPAA data) within oughly mediated by technology, the
www.educause.edu/ero Ja N uaRY/FEBRuaRY 2013 EducausE review 27 Privacy, Security, and Compliance: Strange Bedfellows or a Marriage Made in Heaven?
invisible breach of this personal space, community. Does this conflict of interest Mobile device management (MDM) albeit done with good intentions, must or duality of roles prevent someone who and mobile application management raise concerns. The security professional is vested with the role of privacy and secu- (MAM) technologies entered the play- might rightfully argue that this informa- rity or the role of privacy and compliance ing field as another compliance solu- tion is increasingly essential to fulfilling from succeeding in this role? tion to reduce the inevitable data and professional responsibilities. Although device loss. These program consoles academia frowns on the idea of intruding Mobile Device/Application or applications provide the institution into personal space and filtering10 or col- Management Technologies with a picture into the life of the device lecting information from these resources, Although the world of laptops has long owner/user, with access to review the lo- in the security environment the methods challenged higher education institutions, cation of the device (or the holder), the may be necessary to gather information that challenge has migrated to smaller application inventory (e.g., Mobile Ap- to fend off current and future attack mobile devices with greater computing plication Inventory from MobileIron, vectors. The compliance officer might power. There is exponential growth in http://www.mobileiron.com/), and well acknowledge that these resources these devices with the Android, Symbian, restrictions on travel (e.g., Geo-Fencing are legal and even necessary to maintain Windows, and other operating systems from Zenprise, http://www.zenprise the requirements for an institution. Only prevalent on smart phones and tablets. .com) and content (e.g., Mobile Content the privacy officer, in his or her role as Colleges and universities face the chal- Management from AirWatch, http:// advocate, might actively challenge the lenge of containing and retaining infor- www.air-watch.com/). The issue be- use of these tools as being too invasive to mation within their sphere of control comes the necessity of the institution to personal freedoms and might recognize while employees clamor for their own employ reasonable and available tools the risk to the level of trust or transpar- device of choice—known as “BYOD” or to track not only the devices but also ency that the institution provides to the the “consumerization of devices.”11 the device applications that are plac-
Millions Thousands Thirty years of students of administrators of experience
One company Education Advances
Software and marketing solutions supporting education professionals, maximizing student success and institutional effectiveness.
www.hobsons.com
28 EducausEreview JaNuaRY/FEBRuaRY 2013 ing the information at risk, versus the camera usage is expanding significantly. user’s inherent privacy rights to avoid At the University of Illinois–Urbana these intrusions on a personally owned campus, the number of security cameras device. has grown from zero to nearly 1,000 in a MDM technologies can literally period of 18 months. Similarly the Uni- view every application on an enrolled versity of Kansas campus has hundreds of device and wipe (“brick”) the device if it cameras, inside and outside, to enhance is reported missing by the owner or the the security of students and staff. To ad- assigned guardian of the device. MAM dress privacy concerns, the University technologies are not device-centric but of Illinois–Urbana security camera are based on a restriction of applications policy was written with a number of com- for the security of institutional data on a mon prohibitions on camera use and mobile device. How does an institution location.12 Three of these are paraphrased balance the privacy right of the indi- as follows: vidual against the use of such invasive tools, especially if the privacy and secu- n All locations with security cameras rity officers are housed in the same of- Security Cameras and Video Technologies will have signs displayed that provide fice or represented by the same person? No other surveillance technology sug- reasonable notification of the pres- Yet, the privacy and security personnel gests “big brother” with as much im- ence of security cameras. must maintain a functioning, working mediacy as do security cameras. Yet in n Security cameras may not be used in relationship and must not work inde- response to a growing demand for greater private areas, which include residence pendently in separate, segmented silos. physical security on campuses, security hall rooms, bathrooms, shower areas,
www.educause.edu/ero Ja N uaRY/FEBRuaRY 2013 EducausE review 29 Privacy, Security, and Compliance: Strange Bedfellows or a Marriage Made in Heaven?
locker and changing rooms, areas are being monitored, thus the notification where a reasonable person might provision. Covert activity not only makes change clothes, and private offices. people uncomfortable; it may also create Additionally rooms for medical, phys- a feeling that they are being treated like ical, or mental therapy or treatment children or criminals. Second, people are private. Where security cameras have a culturally innate sense of a “per- are permitted in private areas, they will sonal” or private space that should not to the maximum extent possible be normally be breached. Still, is the “right used narrowly to protect money, real to be left alone” the prevailing concern? or personal property, documents, sup- Privacy is not specifically provided in the plies, equipment, or pharmaceuticals U.S. Constitution or in any of the subse- from theft, destruction, or tampering. quent 27 amendments. Justices Samuel n Security camera recordings may not Warren and Louis Brandeis discussed the be used in the course of personnel definition and common law that created investigations such as those related to the right to privacy in their 1890 Harvard (but not limited to) workplace atten- Law Review article: this and the subse- dance or work quality. quent case law provide the legal basis for our concept of privacy today.14 Finally, These typical controls are found in although many employees understand many such policies and are similar to that the workplace and the equipment those found at the University of Kansas.13 are provided by their employer, the work First, individuals want to know when they environment is nevertheless, for many
Your Campus
Multi ple Departments
One Comprehensive Soluti on Web Calendaring Event Management Academic Scheduling ���.���.���/����
30 EducausEreview Ja N uaRY/FEBRuaRY 2013 EDUCAUSE thanks our 2013 Corporate Partners for their continued support! Lower PLATINUM PARTNERS GOLD PARTNERS event fees. CDW Government Blackboard Campus Management Dell Desire2Learn Corporation Cengage Learning Incorporated Cisco Systems Free Ellucian Epson Gartner HP Jenzabar McGraw-Hill Education webinars. Pearson Microsoft Corporation Sonic Foundry Moodlerooms VeriSign Steelcase Cutting-edge publications.
SILVER PARTNERS BRONZE PARTNERS
Aruba Networks AirWatch Echo360 AT&T Extron Electronics Big Bang Google Cloudpath Networks Higher One Computer Comforts ConnectEDU These are just some of the Hobsons CourseSmart IBM Corporation Dean Evans and Associates benefits our Corporate Partners Laserfiche EMC Corporation lynda.com Enterasys Networks help make a reality all year long. Oracle Corporation Four Winds Interactive Perceptive Software Gilfus Education Group VMware GovConnection Workday Hyland Software To learn more, visit Instructure educause.edu/Corporate-Partners. Jadu Kivuto Solutions Lenovo Longsight LoudCloud Systems NEC NetApp Panasonic TouchNet Information Systems Turning Technologies Vidyo Privacy, Security, and Compliance: Strange Bedfellows or a Marriage Made in Heaven?
employees, a kind of cameras may provide, at another campus, due to differences extension of personal without creating an in expertise, personalities, or resources. space. Monitoring that uncomfortable or even Nevertheless, an examination of the fol- space is seen as evi- Orwellian environ- lowing issues may lead to locally relevant dence of mistrust. ment? Further, what solutions: There is an intimacy should the institution associated with physi- do with the information 1. Does it make sense for endless variet- cal observation; as so- recorded, as far as stor- ies of compliance challenges to be cial creatures, we vary age, sharing, secondary housed together? Can the institution our behavior (and its use, and disposition? truly and meaningfully bring together expression through Finally, do these records research integrity (e.g., conflict of in- language) according then become subject to terest, contract compliance, FISMA, to social context. Cameras create a kind view by public colleges and universities scholarly conduct), human subjects of ambiguous social context and, thus, with open-records requirements? (e.g., IRB, HIPAA), animal safety (e.g., discomfort; but cameras may also provide IACUC), life safety (e.g., environmen- people with a false sense of security that Privacy and Organizational Structure tal health, radiation, occupational they are being protected by monitor- All higher education institutions face health), employee accessibility, diver- ing—which may or may not be occurring similar or even identical challenges, yet sity, risk management, internal audit, on a 24/7 basis. Several questions then how colleges and universities are orga- and so forth? arise: What security and privacy structure nized strongly reflects a type of institu- 2. What about the silo effect of these nu- allows an institution to benefit from the tional character. A strategy that works at merous campus groups if they remain very real physical safety that security Illinois or Kansas may fail spectacularly separated physically and in reporting Network near you.
Our goal of advancing the future of 2013 EDUCAUSE Regional Conferences Moving forward higher education is shared by our corporate Platinum Partners. We thank Mid-Atlantic Regional NERCOMP Annual Southeast Regional them for their unparalleled support. Conference Conference Conference together. January 16–18 March 11–13 May 29–31 Baltimore, Maryland Providence, Rhode Island, Atlanta, Georgia "People + Process + Technology: IT Matters" and Online "Amp IT Up! Powering Education with "Improvising the Future" Technology" CDW Government West/Southwest Regional Dell Conference Midwest Regional Desire2Learn Incorporated February 12–14 Conference Ellucian Austin, Texas, and Online March 18–20 Gartner "Strategic Impact: Partnerships and Value Chicago, Illinois Jenzabar in a Changing World" "Collaborating for the Future…Now!” Pearson Sonic Foundry Attend an EDUCAUSE regional conference in 2013 to discuss VeriSign shared challenges and discover innovative IT solutions implemented by your higher education peers. To learn more, visit educause.edu/Corporate-Partners. For a full list of upcoming events, visit educause.edu/Events.
32 EducausEreview JaNuaRY/FEBRuaRY 2013 Network near you.
2013 EDUCAUSE Regional Conferences
Mid-Atlantic Regional NERCOMP Annual Southeast Regional Conference Conference Conference January 16–18 March 11–13 May 29–31 Baltimore, Maryland Providence, Rhode Island, Atlanta, Georgia "People + Process + Technology: IT Matters" and Online "Amp IT Up! Powering Education with "Improvising the Future" Technology" West/Southwest Regional Conference Midwest Regional February 12–14 Conference Austin, Texas, and Online March 18–20 "Strategic Impact: Partnerships and Value Chicago, Illinois in a Changing World" "Collaborating for the Future…Now!”
Attend an EDUCAUSE regional conference in 2013 to discuss shared challenges and discover innovative IT solutions implemented by your higher education peers. For a full list of upcoming events, visit educause.edu/Events. Privacy, Security, and Compliance: Strange Bedfellows or a Marriage Made in Heaven?
lines? Secure data handling and data ride the privacy or security voice in Information & Privacy Commissioner for British privacy regulations are frequently decision-making? Columbia, “Getting Accountability Right with a housed in differing parts of an orga- Privacy Management Program,” https://www .privacyassociation.org/media/pdf/knowledge_ nization, and in practice, authority Nurturing healthy privacy, security, center/Canada-Getting_Accountability_Right flows from these differing parts and and compliance functions is a balancing %28Apr2012%29.pdf, p. 19. they may report up through differ- act. Integration of the three areas can 6. IAPP, “Salary Survey,” p. 21. 7. Ibid., p. 26. ing structures. Most security officers result in conflicting missions, whereas 8. See Amazon Simple Storage Service (Amazon (housed in information technology), decoupling them can make it difficult to S3): http://aws.amazon.com/s3/#protecting. as well as privacy officers (housed in ensure a cohesive institutional strategy. 9. Verizon, “Malware Infection Vectors,” 2012 Data Breach Investigations Report, http://www.verizon numerous locations Each higher education in- business.com/resources/reports/rp_data- from audit to compli- Integration of the stitution must find its own breach-investigations-report-2012-ebk_en_ ance to stand-alone balance, calibrated accord- xg.pdf, p. 27. privacy, security, 10. See, for example, principle #6 in the American offices), are familiar and compliance ing to its organizational Library Association’s “Intellectual Freedom with the challenge of functions can structure. Principles for Academic Libraries,” July 12, 2000, trying to address data In the end, privacy is http://www.ala.org/Template.cfm?Section= result in conflicting interpretations&Template=/Content security and privacy key—wherever it finds a Management/ContentDisplay.cfm&Content with researchers who missions, whereas home in an institution. It ID=8551. are used to working decoupling them can is a unique need that must 11. Abigail Strong, “Enlisting the Help of Infrastructure to Cope with the BYOD under the domain of make it difficult to be considered as a distinct Explosion,” Network World, August 31, 2012, a vice chancellor for ensure a cohesive component of the institu- http://www.networkworld.com/news/tech/ research. tional mission. Privacy, in 2012/083112-infrastructure-byod-262085.html. institutional 12. University of Illinois, “Security Camera Policy,” 3. Can the institution its purest form, is an ex- September 18, 2009, http://cam.illinois.edu/viii/ afford to not fund strategy. pression of respect for our VIII-1.5.htm. separate and distinct privacy, security, communities: individuals are informed 13. University of Kansas, “Policy on Implementation and Use of Video Technologies for Safety and compliance functions? Given the of what data is being collected about them and Security Purposes,” March 28, 2011, growing tangle of privacy legislation, and what is being done with that data, https://documents.ku.edu/policies/provost/ the nuances associated with breaches and they are assured that they have some VideoTechnologies.htm. 14. Samuel D. Warren and Louis D. Brandeis, “The may require cleaving off privacy from control over what happens with their Right to Privacy,” Harvard Law Review, vol. 4, no. 5 security. One need look no further information. By complying with regula- (December 15, 1890), pp. 193–220. than HIPAA (Health Insurance Porta- tions and securing data, we can show 15. See the HIPAA Privacy Rule, Penalties: HIPAA Administrative Simplification 45 CFR 160, Part bility and Accountability Act) or PCI our respect for students, staff, and the D. For PCI compliance violations, the payment DSS (Payment Card Industry Data Se- broader higher education community. n brands may fine an acquiring bank (and send it curity Standards) to find where “good downstream to merchants) $5,000 to $100,000 per month: http://www.pcicomplianceguide.org/ security” is inadequate to prevent sig- Notes pcifaqs.php. nificant fines for non-compliance.15 1. This article represents the considerations of 4. Wherever and however these varied the authors in their experience and practice © 2013 Michael Corn and Jane Rosenthal. The text and does not represent the position of the and various duties are housed, do of this article is licensed under the Creative Commons institutions for which they work. This is not legal Attribution 3.0 Unported License (http://creative they have access to the top of the advice; please consult university counsel for commons.org/licenses/by/3.0/). structure—be that the president, guidance in this process. 2. The original position of privacy officer at the chancellor, or board of regents/trust- University of Kansas was a direct report to the ees? With all of these approaches, senior vice provost from 2005 to 2012. In 2012, an Michael Corn (mcorn@ access to the top and to the change institutional compliance office was created, and illinois.edu) is Chief Privacy privacy was placed within that office structure. and Security Officer at resources that can improve or miti- 3. International Association of Privacy gate circumstances must be a con- Professionals (IAPP), “2012 Privacy Professionals the University of Illinois, sideration. Will the positioning of Role, Function, and Salary Survey,” https://www Urbana-Champaign. .privacyassociation.org/media/pdf/knowledge_ these groups— either separately in center/IAPP_Salary_Survey_2012.pdf, p. 8. departments that report up differ- 4. Lauren Steinfeld and Kathleen Sutherland Jane Rosenthal ([email protected]) is ing chains or combined but still not Archuleta, “Privacy Protection and Compliance Director of the Privacy Office in Higher Education: The Role of the CPO,” reporting directly to the top—restrict EDUCAUSE Review, vol. 41, no. 5 (September/ at the University of Kansas. their effectiveness? What role does an October 2006), pp. 62–71, http://www.educause institution want its external or public .edu/library/ERM0654. 5. Office of the Information and Privacy relations staff to have in responding Commissioner of Alberta, Office of the to breaches, and can that staff over- Privacy Commissioner of Canada, Office of the
34 EducausEreview Ja N uaRY/FEBRuaRY 2013 Experience the Institute.
2013 EDUCAUSE Institute Programs:
New IT Managers Program Learning Technology Leadership Program March 18–20 | Chicago, IL June 24–28 | Evanston, IL
Management Program Leadership Program July 15–19 | Evanston, IL July 22–26 | Evanston, IL
These dynamic and immersive programs help you gain practical knowledge to apply as a current or future IT leader. They provide an opportunity to enhance your skills and create a tight-knit group of peers for brainstorming, support, and sharing resources.
Find out which program is right for you » educause.edu/Careers/Educause-institute Illustration by Steve mcCracken, © 2013 Mentoring, Self-Awareness, and Collaboration The 2012 AwardEDUCAUSE Winners
he EDUCAUSE Awards Program, under the guidance of the EDUCAUSE Recognition Committee, brings peer endorsement and distinction to professional accomplishments in higher education information technology. The Rising Star Award, introduced in 2011, recognizes an IT professional who, still early in his or her career, demonstrates exceptional leadership and accomplishment in the area of information technology in higher education. The Leadership Award is the association’s highest recognition for individual achievement. This award acknowledges and celebrates exemplary leadership that has a significant and positive impact Ton advancing the theory and practice of information technology in higher education. All three awards are sponsored by Moran Technology Consulting, Silver Partner.
IllustratIon by steve mcCraCken, © 2013 © 2013 Melissa Woo, David G. Swartz, Earving L. Blythe, and EDUCAUSE JANUARY/FEBRUARY 2013 EdU c AUs E review 37 Mentoring, Self-Awareness, and Collaboration: The 2012 EDUCAUSE Award Winners The Rising Star Award For demonstrating excellence in Melissa Woo cyberinfrastructure and support for the research Vice Provost for Information Services enterprise, IT organizational development and CIO and effective practices, and IT infrastructure University of Oregon deployment and management
elissa Woo is recog- ing support model, which could be fully tices for use by other higher education nized as a strong leader, adoptable by other universities. institutions. one who is expected One of the infrastructure initiatives Woo is a strong supporter of staff to achieve continued started by Woo was the UWM identity professional development, particularly success in the profes- and access management (IAM) program. in the area of mentoring. As chair of the sion. At the University Since its inception in 2010, the program EDUCAUSE Professional Development Mof Wisconsin–Milwaukee (UWM), Woo has aggressively completed a number of Advisory Committee, she instituted led the promotion of a central, core significant milestones: the campus Active a major revision of the EDUCAUSE research cyberinfrastructure service Directory was transformed from a service Mentoring Information Kit to focus on without identified funding or widespread with no identified support to one with a new mentoring styles appropriate to 21st- research faculty support. She chartered stable support structure; a SAML (Secu- century professionals and an agreement and staffed a faculty/staff committee, rity Assertion Markup Language) service between mentors and mentees before led by a respected faculty researcher, to was deployed to support federation and they enter into a relationship. Additionally, identify related campus issues. The result enterprise single sign-on; and UWM be- she collaborated with another UWM was a series of far-reaching recommenda- came a member of the InCommon and colleague to develop two mentoring pilots tions made to the executive leadership to eduroam federations. As a result, UWM is for the EDUCAUSE regional conferences: improve the campus research cyberinfra- actively engaged in activities supporting “minute mentoring,” which provides structure. She has presented numerous the establishment of InCommon Silver advice on specific topics in a “speed times on the high-performance comput- compliance implementation best prac- dating” format; and a program (launched
38 EdU c AUsEreview JANUARY/FEBRUARY 2013 Thank you to our Doctorate Level sponsor for their support of our annual meeting.
EDUCAUSE LEARNING INITIATIVE Mentoring, Self-Awareness, and Collaboration: The 2012 EDUCAUSE Award Winners
at the 2012 EDUCAUSE Midwest Regional forward to others is the best way I can involves nominating a mentee/protégé Conference) to match mentors and honor the mentors who have helped me. for positions and promotions. Vis- mentees during conferences. ibility provides a mentee/protégé with Woo is a collaborative change agent EDUCAUSE Review: What are the opportunities for relationships with and natural leader, one able to accom- best mentoring approaches for pre- key figures. Coaching outlines strate- plish what is needed for campus informa- paring the next generation of IT gies for accomplishing objectives. Role tion technology. leaders? modeling provides attitudes, values, and behaviors for a mentee/protégé to EDUCAUSE Review: You are an ac- WOO: There are many different mentor- emulate. Lastly, counseling explores tive proponent of mentoring in the ing approaches for preparing the next concerns that may interfere with per- IT higher education profession. Why generation of IT leaders. There are two sonal and career accomplishments. do you feel so strongly about this aspects of mentoring to consider: men- topic? toring styles and mentoring functions. EDUCAUSE Review: Do you have Mentoring styles that might be most advice for IT staff just entering the WOO: As I’ve been helped greatly by the appropriate for preparing the next gen- field and for those looking to move assistance of numerous mentors, both eration of IT leaders for the next level of up in the profession? formal and informal, throughout my ca- leadership include the traditional, net- reer, in some ways I feel very much like a work, circle, and invisible styles. Tradi- WOO: I can’t emphasize enough the “poster child” for the benefits of mentor- tional mentoring is what most of us think importance of mentors in one’s profes- ing. Mentors have served many roles in of when we consider the topic of mentor- sional advancement. Consider put- my life. They have served as role models, ing. This style of mentoring is delivered ting together a professional develop- consultants, advocates, on a one-on-one basis, ment plan before seeking mentors. A and guides without tends to be hierarchi- professional development plan can whom I wouldn’t be “Mentoring styles cal in the sense that facilitate self-reflection and increased where I am. Mentors that might be most a more experienced self-awareness . Such a plan would also continue to aid me in appropriate for preparing individual acts as the involve setting longer-term goals and de- my career progression, the next generation of mentor, involves an veloping action steps toward those goals. for which I’m continu- IT leaders for the next expert who passes Having a professional development ally grateful. along knowledge, and plan can help determine which mentor- Anyone can benefit level of leadership include is generally considered ing styles and functions will be most im- from having the right the traditional, network, to require a long-term portant for goal attainment. Being aware mentors. After all, circle, and invisible commitment. Network of the appropriate mentoring styles and there are commonali- styles.” mentoring involves a functions will aid in the selection of ties throughout higher group of people who mentors. Always remember to look for education informa- share knowledge with those outside traditional mentor roles as tion technology. Why tackle a challenge each other, can be hierarchical, and gen- well. Mentors are not only managers and without knowledgeable help, and why erally has a variable time commitment. leaders but also peers, colleagues at any reinvent the wheel? A mentor can be a Circle mentoring is similar to network level, and friends. All kinds of individu- great sounding board and can share past mentoring in that it involves a group of als, representing numerous different experiences in order to assist in current people who share knowledge, but it con- roles, can be valuable as mentors. decision-making. Another mentor might sists of peers who make a medium/long- Mentors can be found through many be able to open up advancement oppor- term time commitment to the circle. different means: conferences, social tunities that one might not have access to Finally, invisible mentoring occurs when networks, and professional organiza- otherwise. one observes a mentor at a distance; it is tions such as EDUCAUSE. If you think A strong reason for promoting men- not interactive. Learning occurs through someone would make a good mentor, toring in our profession is the need to de- extensive research into an invisible men- make sure to ask if she or he would be velop future higher education IT leaders tor’s life, from what has been written willing. What’s the worst that could hap- to fill the leadership pipeline. Without about him/her to the invisible mentor’s pen? More important, what’s the best the support of mentors, some candidates articles, presentations, and the like. that could happen? n may leave the profession, while other Mentoring functions most relevant to © 2013 Melissa Woo. The text of this section is promising candidates may not be identi- the next generation of IT leaders include licensed under the Creative Commons Attribution- fied. Another reason I actively promote sponsorship, visibility, coaching, role NonCommercial-ShareAlike 3.0 Unported License mentoring is that I believe paying it modeling, and counseling. Sponsorship (http://creativecommons.org/licenses/by-nc-sa/3.0).
40 EdU c AUsEreview JANUARY/FEBRUARY 2013 Upcoming 2013 ELI Events
February 15 Short Course: Part 1—Evaluating the Effectiveness of Mobile Learning Initiatives
February 26 Short Course: Part 2—Evaluating the Effectiveness of Mobile Learning Initiatives
March 6 Short Course: Part 3—Evaluating the Effectiveness of Mobile Learning Initiatives
March 18 Online Seminar
April 3-4 Spring Focus Session: Learning and MOOCs
May 20 Online Seminar
June 17 Short Course: Part 1—Designing and Delivering a Quality MOOC
June 24 Short Course: Part 2—Designing and Delivering a Quality MOOC
June 27 Short Course: Part 3—Designing and Delivering a Quality MOOC
August 14 Short Course: Part I
August 26 Short Course: Part 2
September 9 Short Course: Part 3
September 16 Online Seminar
November 6-7 Fall Focus Session
December 9 Online Seminar
Are you already an ELI member? Be sure to tune in every month for our exclusive ELI webinars. For more details on these upcoming events, visit www.educause.edu/ELI/Events.
EDUCAUSE LEARNING INITIATIVE Mentoring, Self-Awareness, and Collaboration: The 2012 EDUCAUSE Award Winners The Leadership Award
For advancing best practices in IT service David G. Swartz management, strategic planning, project Assistant Vice President and CIO management, information security, technology American University operations, and enterprise infrastructure life-cycle planning
avid G. Swartz is recog- a strategic business partner, enabling the University to leverage resources and nized for his dedication effective and efficient use of technol- target redundancies. His judicious use to demonstrating the ogy by the institution. Incorporating of outsourcing arrangements saved the value of information fresh ideas and knowledge from past university more than $1 million a year technology to fulfill the experiences, he successfully introduced and improved service levels. campus mission and for industry-standard best practices in IT Swartz’s many contributions to the Dhis overall service to the IT profession. service management, strategic plan- profession include serving as faculty at Throughout his career, Swartz has not ning, project management, information the EDUCAUSE Institute Leadership feared change as an innovative way to security, technology operations, and Program, as council member at the improve IT services to the campus com- enterprise infrastructure life-cycle plan- Hawkins Leadership Roundtable, and as munity, and his academic background ning. He was also among the first CIOs the Higher Education Information Se- in economics has served him well in to understand the need for the role of curity Council (HEISC) Executive Com- making difficult decisions regarding the the chief information security officer mittee Chair. He has demonstrated his associated resource allocations. He un- to build a strong security program at wide knowledge of IT issues by speaking derstands the need for analytics to mea- the institution—specifically, American at numerous EDUCAUSE conferences, sure performance, track progress, and University. Before joining American Uni- authoring many publications, and pre- benchmark against peer institutions. versity, he eliminated legacy stovepipe senting at a variety of venues. He is the He has transformed the central IT operations and centralized information recipient of honors and awards from IT organization at American University into technology across George Washington authorities such as Computerworld, CIO
42 EdU c AUsEreview JANUARY/FEBRUARY 2013 Magazine, ACUTA, and ACM, as well as SWArTz: Self-awareness is about being balancing the physical, emotional, and EDUCAUSE. He is dedicated to profes- comfortable with who you are. The hap- mental dimensions of life. We all know sional development of his staff, with an pier you are with yourself, the more likely about the importance of proper diet, extraordinary one-to-one ratio for rele- you’ll be to treat others with kindness. rest, and exercise. Even focusing on just vant professional certifications for each To lead people, you must understand these areas in the physical dimension staff member. them, and by understanding ourselves, will create significant benefits. Further, Swartz’s accomplishments and abil- we are better able to understand oth- we can balance the emotional dimen- ity to mentor those aspiring to senior IT ers. Self-aware leaders have brought sion by flowing kindness and sharing positions in higher education make him significant parts of their unconscious an appreciation of others. Even simply one of the most respected leaders in the minds into consciousness, so they are giving a smile can uplift everyone. Next, profession. As a popular speaker and less controlled by unconscious bias and regarding the mental dimension, I have esteemed colleague with a commitment filters. Self-aware leaders have developed found that positive thinking helps to to the value of information technology in emotional intelligence and thereby can address negative self-talk. All successful higher education, he has helped not only build the relationships golfers know to stay the institutions he serves directly but that allow them to lead. focused on where they also others across the community. Once we can express “If you are aware of want the ball to go more self-awareness, your own strengths rather than on the haz- EDUCAUSE Review: You have talked we have removed much and weaknesses, ards; otherwise, their about the “self-aware leader.” What of our negative self-talk you can create a ball will end up in the is self-awareness, and how has it and are more positive. synergistic leadership water or sand-trap al- made a difference in your career? As we express more team. A diverse and most every time. I have self-awareness, we have complementary group also found that medi- SWArTz: Self-awareness is the very more present-moment is more likely to solve tation is the ultimate foundation for effective leadership. awareness and worry complex problems.” balancing technique To be an effective leader of others, you less about the future that addresses all three must start with self-leadership. Self- and are less obsessed of these dimensions, leadership requires an awareness of the about events in the past. We are better at resulting in significant growth in self- self. Since the ancient Greeks, the focus listening and engaging fully. One of the awareness. Some of the most successful of the world’s greatest philosophers, benefits of improved self-awareness is business and political leaders, entertain- psychologists, and spiritual mystics has a clear mind. With a clear mind, we are ers, sports professionals, and inventors been to “know thyself.” As we come to better able to focus and be one-pointed have discovered the benefits of medita- know ourselves, we are better able to un- and less distracted. A self-aware leader is tion: Steve Jobs, Larry Ellison, Al Gore, derstand and relate to others. Further, as grounded and unshakable. This ability is Candy Crowley, Jerry Brown, Oprah we approach a self-actualized or realized measurable using galvanic skin response Winfrey, William Ford Jr., Tiger Woods, state, we are happier and more secure in to stressors and is shown to improve with Gary Player, Jerry Seinfeld, Richard ourselves, have a clearer mind, are more techniques that improve self-awareness. Gere, Thomas Edison, and even Albert emotionally stable, and are better able Studies also show that blood pressure Einstein. Additional steps can be taken to to handle stress. Within a few months normalizes. Further, if you are aware of consult with expert counselors who can of taking over as the university CIO at your own strengths and weaknesses, you help people see blind spots more clearly. a major research institution, I was also can create a synergistic leadership team. Also, 360 reviews can provide much made the CIO of the tertiary hospital A diverse and complementary group is useful information that may be hidden and the medical clinics. The stress was more likely to solve complex problems. from view. unbelievable. I needed to find a way to Finally, I have noticed that an entirely new better handle stress and maintain some paradigm emerges for those grounded EDUCAUSE Review: Do you have balance if I was going to survive as a CIO. in self-awareness, as they see coopera- advice for how IT leaders can dem- The results of this discovery process led tion as a means to success rather than as onstrate the value of information me to the realization of the importance competition. technology to fulfilling the campus of self-awareness. Without the benefits mission? of the growth of self-awareness, I would EDUCAUSE Review: How do you de- not have been successful as a CIO. velop self-awareness? SWArTz: Most IT leaders do not document the value of information EDUCAUSE Review: Why is self- SWArTz: I have found that self-aware- tech nology to the college or univer- awareness important to leadership? ness can be enhanced by focusing on sity. Even after the completion of a www.educause.edu/ero JANUARY/FEBRUARY 2013 EdU c AUs E review 43 Mentoring, Self-Awareness, and Collaboration: The 2012 EDUCAUSE Award Winners
transformational project, we often move on to the next proj- ect rather than demonstrating the value of the recent initia- tive. This documentation can take the form of a traditional economic ROI, such as im- The proved efficiency or effective- ness or qualitative improve- ment to services. It is good to have the process or functional owners give testimony and help to document the benefits. Leadership The higher education institu- tion has multiple objectives in the areas of teaching, research, and service, and the benefits of information technology need to be assessed for each of these areas. This can be captured in a periodic annual report Award or customer forum. The word gets out to others, and it helps to build the foundation for further investment and trust For advancing the interlocking systems of in information technology. technical, financial, professional, social, It is important that informa- tion technology demonstrate and political processes that brought about its value not just as a reliable fundamental and disruptive change utility, but also as a campus organization that can foster strategic improvements to the processes and competitive- ness of the institution. One arving L. Blythe has been At the same time that Blythe was closely of the challenges is also to one of the foremost leaders involved in the critical movement toward be sure to focus on the most in higher education informa- community-owned, facilities-based net- important projects, not just tion technology, influencing works of regional and national scale, he also the squeaking wheels. A ma- change and new directions in made strong contributions through white ture portfolio process on the the application of networking papers, conferences, and visits to the Hill and front end—one that filters out technology in higher education. A unifying the Federal Communications Commission— poor investments and helps E theme for Blythe’s accomplishments is his contributions that had demonstrable impact to focus resources on the most leadership across the interlocking systems of on national policies and programs such as critical needs—is essential to technical, financial, professional, social, and the FCC’s National Broadband Plan, the U.S. success and is more likely to political processes that have brought about Broadband Technology Opportunities Pro- result in initiatives that can a fundamental and disruptive change in how gram, and the proper consideration of scope demonstrate great value to the we use communications in higher education and methods with regard to copyright issues institution. n and beyond. Blythe has played a central role and lawful surveillance on campus networks. in the proliferation of modern broadband Blythe has repeatedly demonstrated a © 2013 David G. Swartz. The text of this networking by coordinating and educating rare combination of brilliant creativity and section is licensed under the Creative the stakeholders on his campus, in his pro- pragmatic leadership to drive a long series of Commons Attribution-NonCommercial- NoDerivs 3.0 Unported License (http:// fession, in state and local governments, and groundbreaking initiatives at Virginia Tech: creativecommons.org/licenses/by-nc- in industry about the fundamental, qualita- network infrastructure and services; the Fac- nd/3.0/). tive advantages of a new style of networking. ulty Development Initiative Program; the Vir-
44 EdU c AUsEreview JANUARY/FEBRUARY 2013 competitive advantages for research, and the early Internet in the form of NSFnet, facilitated outreach. His track record of we had visionaries in our community, achievement and his clear dedication people like Kenneth King, Stuart Lynn, to service at Virginia Tech have sup- Mike Roberts, Stephen Wolff, Glenn ported his continued leadership at the Ricart, Doug van Houwelling, and many university over many decades, resulting others who recognized the opportunity in profound benefits to the university, to and who realized the potentially ex- the Commonwealth of Virginia, and to traordinary but unquantifiable benefits our profession. of the invention and of new concepts developed by university and federally EDUCAUSE Review: With the rapid sponsored researchers. These people change and constant innovations took great risks to enable the nationwide in the higher education IT profes- demonstration of this new mode of com- sion, what do you think is needed for munication. They did not do so for fame someone to be an effective leader or fortune; they did this for our commu- today? nity—to enhance research, discovery, and learning. BlYTHe: Ultimately, an effective IT leader in higher education today must EDUCAUSE Review: You are known be able to see and evaluate opportuni- for having reached across systems ties and then match the right talent with and networks during your career. How the relevant competencies, to the chosen can leaders encourage similar col- opportunities. laboration among IT staff, as well as At the most basic level, three compe- throughout and across institutions? Earving L. Blythe tencies essential to success in the IT pro- fession are the ability to analyze, the abil- BlYTHe: If there is one constant to retired Vice President for ity to be precise in the use of language, the history of man, it is the continuous Information Technology and CIO and the ability to organize and synthe- economization of information: increas- Virginia Tech size. For example, an early lesson in com- ing specialization and divisions of labor puter languages was that computational that have accelerated in our networked, ginia Education and Research Network machines do exactly what you tell them to globally connected, 21st-century world. (VERnet); the renowned Blacksburg do. Most of the worst debacles in compu- This has brought us changes in how the Electronic Village (BEV); NetworkVir- tational systems can be global community in- ginia (NWV); the client-server migra- traced back to an im- teracts and learns—set tion of Virginia Tech’s administrative precise—sloppy—use “We are privileged in motion by accel- systems to an enterprise-wide, client- of language. Assuming to work and lead in erating technological server–based resource; System X high- the presence of those a national university innovations—and will performance computing; eCorridors; VT basic competencies, community with broad, either create great op- Technology Services and Operations— when I am looking for shared values and portunity or result in and more. a potential leader in in- with traditions of significant irrelevance Blythe has served as a mentor and a formation technology, inclusiveness and for traditional institu- trusted advisor to many of his colleagues especially at the senior tions of higher educa- at Virginia Tech. He fully recognizes the management level, the fairness and justice.” tion. So the message need for hands-on experience and men- first questions I ask are: I share with my col- toring to develop future generations of What have you done? leagues is that with this IT leaders. His passion for the university What do you know? Are you hungry to constantly increasing specialization, we and its people has generated tremendous discover and to learn? must collaborate or become irrelevant. enthusiasm, optimism, and trust in the But I have also become convinced For great examples of leadership, IT organization across Virginia Tech. that to achieve extraordinary things, we are graced by extraordinary IT Blythe has continually reinvented leaders need three other characteristics, professionals and researchers across and transformed the application of in- ones that are tough to ascertain: vision, the spectrum of higher education. Over formation technology in ways that have commitment to the ideal of higher educa- my career I have realized that there enhanced teaching and learning, created tion, and courage. For example, driving is probably no emerging technology, www.educause.edu/ero JANUARY/FEBRUARY 2013 EdU c AUs E review 45 Mentoring, Self-Awareness, and Collaboration: The 2012 EDUCAUSE Award Winners
process, concept, or opportunity my colleagues and I have accomplished safety and security in a future article in that isn’t being examined and tested at Virginia Tech over the last thirty-five EDUCAUSE Review. somewhere in our community. More years has been built on collaborations le- We are all part of the education com- important, when that occasional great veraging the great ideas and accomplish- munity, supporting the highest of all idea—that potentially disruptive tech- ments of these IT leaders. human endeavors: learning and teach- nology—shows promise, there will ing. I am convinced that information always be a few early movers in our EDUCAUSE Review: As you move technology is the DNA of the global edu- community who are willing to collabo- into retirement and look back on your cation fabric and that leading-edge com- rate and to coalesce around large-scale career, do you have advice for your petencies in information technology for proof-of-concept initiatives and, if war- colleagues who continue to face the those involved in higher education are ranted, aggressive exploitation of that challenges of the higher education IT critical and strategic to its future. breakthrough. The Internet as we know profession? But we are also privileged to work and it today, large-scale and highly parallel lead in a national university community high-performance computing, and the BlYTHe: Certainly, the lessons from the with broad, shared values and with tradi- open-source movement have benefited darkest days of my life—following the tions of inclusiveness and fairness and from, and may even owe their existence mass murders at Virginia Tech on April justice. This is who we serve, and this is to, this characteristic of our community. 16, 2007—are the starkest. The first was what makes our jobs as IT professionals It is especially humbling to have that a significant disconnect exists be- so special. n known and worked with accomplished tween IT practitioners and public safety © 2013 Earving L. Blythe. The text of this section is leaders in information technology, at Vir- principals at the campus and local com- licensed under the Creative Commons Attribution- ginia Tech and across the United States. munity levels. I will say more about the NonCommercial-NoDerivs 3.0 Unported License To a very real extent, everything that implications and obligations related to (http://creativecommons.org/licenses/by-nc-nd/3.0/).
EdUcAUsEreviewAWARds www.educause.edu/ero
Ten Magnum Opus Awards for Outstanding Achievement in custom Publishing, including 2012 and 2011 silver Awards and two Gold Awards (2009, 2007) for “Best All-Around Association Publication”
Eleven APEX Awards for Publication Excellence, including 2007, 2008, and 2010 awards for “Magazines & Journals, Print (over 32 Pages)”
seven Tabbie Awards, including a 2012 listing in the Top-25 for Why IT Matters to Higher Education
review “Best single Issue” EDUCAUSjuly/augustE 2007 Dr. Ma shup or, Why Educators Should Learn to Stop Worrying and Love the Remix Brian lamb 2011 six Ozzie Awards for Excellence in Magazine design, including a
Ozzie review EDUCAUSEJ ULY / AUGUST 2000 Awards 2011 Bronze Award for “Best Use of Illustration”
Voluntary Counter-Reformation: Stepping Up to the Challenge WI llI a M H. GR a VES
academic analytics: a New Tool for a New Era JoHN P. CaMPb E ll, PETER b . DEbloIS, and D I a N a G. o blINGER
the global view: The e-Framework’s Service-oriented approach bIll o l IVIER
designation as “Publication of the Year” by the colorado
An Interview with Mike Roberts Colorado society of Association Executives BY MARK LUKER Society of Portals in Higher Education BY MICHAEL LOONEY AND PETER LYMAN Useful Devils BY MARK C. T A YLOR Association BOOK EXCERPT : “Technical Building Blocks to Enable E-Business” BY DAVID L. WASLEY PLUS: Going the Distance BY NANNERL O. KEOHANE Executives
EdUcAUsE Review, the flagship magazine of EdUcAUsE, takes a broad look at current developments and trends in information technology, how they may affect the college or university as an institution, and what they mean for higher education and society. In addition to EdUcAUsE members, the magazine’s audience consists of presidents and chancellors, senior academic and administrative leaders, non-IT staff, faculty in all disciplines, librarians, and corporate leaders. The magazine has a print circulation of 22,000.
46 EdUcAUsEreview JANUARY/FEBRUARY 2013 2013 EDUCAUSE Events EDUCAUSE events—all designed for you to learn from and network with thought leaders and peers—range from hour-long webinars to multi-day, hybrid conferences and annual meetings.
FEBRUARY EDUCAUSE Learning Initiative Annual Meeting Feb. 4–6 Denver, CO, and Online West/Southwest Regional Conference Feb. 12–14 Austin, TX, and Online MARCH NERCOMP Annual Conference Mar. 11–13 Providence, RI, and Online EDUCAUSE Institute New IT Managers Program Mar. 17–20 Chicago, IL Midwest Regional Conference Mar. 18–20 Chicago, IL APRIL EDUCAUSE Learning Initiative Apr. 3–4 Online only Online Spring Focus Session Security Professionals Conference Apr. 15–17 St. Louis, MO, and Online Advanced Core Technologies Meeting Apr. 16–17 St. Louis, MO Enterprise IT Leadership Conference Apr. 16–18 St. Louis, MO MAY Southeast Regional Conference May 29–31 Atlanta, GA JUNE Leading Change Institute, Successor to Frye June 2–7 Washington, DC EDUCAUSE Institute Learning June 24–28 Evanston, IL Technology Leadership Program JULY Breakthrough Models Academy July 14–19 Boston, MA EDUCAUSE Institute Management Program July 15–19 Evanston, IL EDUCAUSE Institute Leadership Program July 22–26 Evanston, IL OCTOBER EDUCAUSE Annual Conference Oct. 15–18 Anaheim, CA, and Online NOVEMBER EDUCAUSE Learning Initiative Nov. 6–7 Online only Online Fall Focus Session
For a comprehensive list of upcoming events, please visit educause.edu/Events. INSIGHTS INTO ANALYTICS This is the third in a three-article EDUCAUSE Review series exploring By Diana G. Oblinger analytics. N LYTICS
Changing the Conversation e live in an information culture. We are accustomed to students understand the data and what it having information instantly available and accessible, means to them. For example, too many course choices along with feedback and recommendations. We want to can be confusing for students, and mak- know what people think and like (or dislike). We want ing poor course selections could delay W graduation. Degree Compass, a course- to know how we compare with “others like me.” Just as analytics recommendation system developed at powers Amazon.com, Netflix, TheRestaurantFinder.com, and Yelp, Austin Peay State University, uses predic- it can support tools for student empowerment. tive analytics to help students find the Empowerment hinges on having access to information, which courses that best fit their degree program, overlaid with a model predicting the stu- can help students make better choices to navigate college more dents’ success in the course. The system successfully. As we have explored student empowerment in higher guides students and advisors in deciding education, several guidelines have emerged from what we are on a pathway to graduation. Recom- mended course lists, the role each course learning. plays in a degree program, and class avail- ability information are readily available to “Use data to change the conversation.” environment, assumptions and anecdote students. Students, faculty, staff, and the public—we aren’t enough. Higher education has a all make assumptions easily. Having data responsibility to provide guidance to help “Move from the past to the predictive.” at hand can change the conversation by students make good decisions based on Much of our data use has revolved informing questions and providing con- data. But using data well requires the de- around reporting on what happened— crete answers. In a highly complicated velopment of “data literacy.” We must help in the past. Data use is moving to the
48 EdUcAUsEreview JANUARY/FEBRUARY 2013 and predictive algorithms, system alerts learners to personalized learning path- trigger individualized interventions that ways tailored to their needs, aspirations, can help students, advisors, and/or fac- abilities, and timelines. Although data has ulty tap resources to avert failure. historically flowed in only one direction, serving to validate compliance or trigger “Empower choice, don’t restrict it.” funding, data is actually most useful to For almost any decision, there are more inform thinking, questioning, planning, options than we may realize—sometimes and next steps. so many that decision-making can become Rapid feedback enables accelerated paralyzed. As noted above, choice—with- learning for students. Carnegie Mellon out good information and guidance—can University’s Open Learning Initiative be the enemy of student success. Analytic uses feedback loops based on analytics. systems allow us to personalize recom- Students receive feedback in corrections, mendations that help students make suggestions, and cues tailored to their per- better-informed choices. With good infor- formance. Student learning is accelerated, mation, students might ask: “What should along with equal or better retention and I do differently?” And they might use data performance compared with traditional to find alternative paths to their goal. instruction. Instructors receive feedback Knowing whether they are “on track” about students’ knowledge, how students makes a difference to students. The are using course materials, and students’ Changing the Conversation
predictive—to what is likely to happen. eAdvisor system at Arizona State Univer- use patterns. Instructors have better Today’s online systems collect more data sity and STAR at the University of Hawaii information on which to base course re- and more detailed information about assist students in selecting appropriate finements and inform theories of learning. courses and tracking progress toward their how students learn, capturing inputs, n n n problem-solving sequences, number major. eAdvisor was designed to take the of attempts, and time spent on task. guesswork out of how to earn a degree so Few transactions are as complicated as Detailed learning activity can be used that students would stay on track to gradu- college. By informing questions and to predict how a student will perform ate. For example, it helps students choose providing concrete answers, analytics in a future context, providing useful a major based on their interests and career can empower students to make good feedback to the student, the instructor, goals, and it then highlights appropriate choices. Analytics can thus change the and the institution. The data is key to course sequences. Because much of the conversation, both for students and for adaptive systems, diagnostics, and alerts degree requirements tracking is handled institutions. n that can make students aware of risks and online, in-person advising services can be can help students avoid problems. These expanded, allowing more time to explore © 2012 Diana G. Oblinger. The text of this article is licensed under the Creative Commons Attribution- systems are designed not to replace per- degree and career choices and address NonCommercial-NoDerivs 3.0 Unported License sonal interaction but to make education individual needs. (http://creativecommons.org/licenses/by-nc-nd/3.0/). more personal through timely alerts that assist individual students. “Use data for gateways, Diana G. Oblinger ([email protected]) Purdue University and Rio Salado not just gatekeeping.” is President and CEO of College are among the pioneers of pre- We have been conditioned to think of data EDUCAUSE. dictive analytics, which allows institu- as summative—as an end point. A report, a tions to make predictions and anticipate grade, or a test either opens a door or closes problems. Based on personalized data it. Thanks to analytics, data can point
www.educause.edu/ero JANUARY/FEBRUARY 2013 EdU c AUs E review 49 corporate Resource Guide
EduCause Ad Final_Layout 1 12/21/12 6:47 PM Page 1
Kaseya Education IT Bundle Automated IT systems management solution built for schools I Scripts, Monitor Sets & Reports I Discovery, Audit & Inventory I Remote Control & Management I Patch & Software Deployment I Endpoint and Network Monitoring I Kaseya Advanced Basics Training I Imaging, Deployment & Migration I Power Management & Desktop Policy I ITIL Compliant Service Desk I Post-Implementation Checkup
www.kaseya.com/ educause
Multiple Devices. Fully integrated solution from Multiple Sources. recruitment to advancement.
One Solution. Download a free SIS Buying Guide www.sisbuyingguide.com POWERED BY: Moofwd.com (888) 826-6773 www.empowersis.com
Rethink the rules. Game Changers: Education and Information Technologies Download the free e-book » educause.edu/GC
50 EdUcAUsEreview JANUARY/FEBRUARY 2013 Advertiser Index
Company Contact Website Page EDUCAUSE is a nonprofit association whose mission is to advance higher education through the use of information Apogee www.apogee.us 21 technology.
Campus Management 1-866-397-2537 www.campusmanagement.com/vue 3 EDUCAUSE Board of Directors —An EDUCAUSE Gold Partner
Debra H. Allison, Chair CDW-G 1-800-767-4239 www.CDWG.com/datacenter 5 Vice President for Information Technology —An EDUCAUSE Platinum Partner and CIO Miami University 1-281-535-2288 www.computercomforts.com/edu 29 Computer Comforts Brian Voss, Vice Chair —An EDUCAUSE Bronze Partner Vice President and CIO University of Maryland Dean Evans & Associates 1-800-440-3994 www.dea.com/educ 30 Susan Metros, Secretary —An EDUCAUSE Bronze Partner Associate Vice Provost, Associate CIO, Professor EMPOWER/ComSpec 1-888-826-6773 www.empowersis.com 50 University of Southern California International Bruce Maas, Treasurer CIO and Vice Provost for Information Epson www.epson.com/highered 7 Technology University of Wisconsin–Madison —An EDUCAUSE Gold Partner Kara Freeman Ginkgotree www.ginkgotree.com 50 Vice President of Administration and CIO American Council on Education
Hobsons 1-800-927-8439 www.hobsons.com 28 Joy Hatch —An EDUCAUSE Silver Partner Vice Chancellor, Information Technology Services Virginia Community College System Jenzabar 1-877-536-0222 www.jenzabar.com/tco inside back —An EDUCAUSE Platinum Partner cover David Lassner Vice President for Information Technology and CIO Kaseya www.kaseya.com/educause 50 University of Hawaii
Richard Northam Laserfiche 1-800-985-8533 www.laserfiche.com/educause 23 Chief Executive Officer —An EDUCAUSE Silver Partner The Council of Australian University Directors of Information Technology (CAUDIT) Moofwd 1-855-2-MOOFWD www.moofwd.com 50 Pattie Orr Vice President for Information Technology and Pearson Learning Solutions www.pearsonlearningsolutions.com back cover Dean of Libraries —An EDUCAUSE Platinum Partner Baylor University
Justin Sipher Perceptive Software www.perceptivesoftware.com/ 6 Vice President of Libraries and Information —An EDUCAUSE Silver Partner highered Technology St. Lawrence University
Sonic Foundry 1-877-783-7987 www.sonicfoundry.com 19 Vernon C. Smith —An EDUCAUSE Platinum Partner Chief Academic Officer and Provost MyCollege Foundation Steelcase www.steelcase.com/verb inside front Randall J. Stiles —An EDUCAUSE Gold Partner cover Special Advisor to the President Colorado College TCPN — The Cooperative www.TCPN.org 17 Ex Officio Member Purchasing Network Diana G. Oblinger President and CEO WolfVision www.wolfvision.com 50 EDUCAUSE
Workday 1-925-951-9000 www.workday.com 13 —An EDUCAUSE Silver Partner
www.educause.edu/ero JANUARY/FEBRUARY 2013 EdU c AUs E review 51 E-ConTenT [All Things Digital]
Is Linking Thinking? Addressing and Assessing Scholarship in a Digital era
ur analog world is being replaced with a digital just the chemist or the computer scientist but also the English one that at times replicates the features and professor who is clamoring for more storage, more compute functions of its predecessor and at other times cycles, more help with compiling programs, and sustainable completely turns the past on its head. Pixar data-management schemes. These start-ups have not yet been made award-winning movies without calling factored into most operating budgets. Combine that with the ointo question the notion of what it means to be a Hollywood general skepticism about the long-term prospects for humani- film. Netflix eviscerated the video-rental store. It is within this ties8 of any sort, and the prospects for this new form of scholar- uneven and bewildering moment that those of us in higher ship seem bleak at best. education need to consider our approach to this new thing Opportunities. The U.S. Department of Labor projects that called digital scholarship. 65 percent of the U.S. children in kindergarten today will be The words we choose to frame this question are fraught.1 employed in jobs that currently do not exist.9 As a nation and as Digital scholarship? Digital humanities? Whose agenda are an increasingly interconnected global society, we face massive we supporting when we choose one turn of phrase instead of challenges: climate change, globalization, the collapse of the another?2 What happens to the “regular” humanities curricu- social contract between employer and employee. How do we lum if it is replaced by a digital humanities curriculum? Will make sense of these transformations? How do we develop sensi- the story of digital humanities prove to be the story of Pixar or ble, humane, and sustainable answers to these daunting changes Netflix? that have life-altering implications for us and our children? For Here are some tricky questions that tenure committees may students, there may be short-term advantages to acquiring very need to answer in the coming semesters: specific and employable skills during a college career. However, in the long-term, students are likely better served by acquiring n Can a blog count as scholarship?3 the general capabilities needed to navigate a rapidly changing n Is open peer review as valid as double-blind peer review?4 future that demands a complex set of skills extending beyond n Does scholarship that can be read only onscreen count as the “merely” technical. Is there an answer to be found in a scholarship?5 form of education and scholarship that powerfully combines n Do the terms of evaluation for “born digital” require a whole a technical capability with foundational questions about iden- new vocabulary, or can new forms of scholarship be evalu- tity, society, and culture? Some argue that digital scholarship ated effectively within existing frameworks?6 can show why the humanities and the liberal arts matter more than they ever have. Others argue that the humanities and the Evaluative frameworks are still in development within orga- liberal arts can be taught effectively without all of this expensive nizations such as the Modern Language Association and the technology. American Historical Association and have not yet been fully In the debate around digital scholarship, we have the perfect tested in tenure cases on most campuses.7 These new frame- storm. On the one hand, we have the conservatism in the culture works will shape an institution’s faculty, its curriculum, and of most higher education institutions. On the other, we have ultimately the campus library and technology needs. In the end, board-level anxieties arising from the upstart challenges posed avoiding these questions will be difficult as a campus develops by the world of MOOCs, badges, and other emerging forms of its digital scholarship strategy. Some of these questions may external competition. As Clayton Christensen has taught us, seem like threats. Others will take the form of opportunity. disruptive innovations from outside can blind us from seeing Threats. Just a decade ago, humanities scholarship was new forms of competition for what they really are. Much as the relatively inexpensive to support. Give the English and History American steel industry failed to understand the threat posed Departments an Internet connection, a word processor, and by the rebar produced by the Japanese mini-mill platform,10 so a subscription to JSTOR and the MLA bibliography, and they too higher education may be unable to see the siege from these were all set. In contrast, today’s digital humanities scholars can new interlopers. But let’s make sure this crisis doesn’t push us to be as expensive to support as the hard scientists. Now it’s not place the emphasis on the wrong questions. As we consider the
52 EdU c AUsEreview JANUARY/FEBRUARY 2013 E-content department Editor: Diane J. Graves By Michael Roy
impact that the innovations that will follow MOOCs will have new forms of collaboration across disciplines11 and among insti- on our institutions, we need to think long and hard about how tutions that in turn could serve as a catalyst for important new we, within our institutions and our various professional guilds, working relationships necessary for the continued relevance of will adapt to the threats to our livelihoods and our institutions our institutions in the 21st century. While there is some urgency posed by these disaggregating technologies that disrupt every to deciding on how one chooses to approach the bewildering single means of production. The plight of digital scholarship and accelerating change that is coming from outside, there are may seem small in the grand scheme of the future of higher edu- also difficult choices to make: is it the humanities and liberal cation. Yet this story could serve as the canary in the coalmine— arts or the digital humanities and the digital liberal arts that will as a harbinger of things to come, another market opportunity prepare our students for a world of globalization, climate change, and all of the attendant challenges? n
Notes 1. Stanley Fish frames the question of how to approach this upstart new thing in “The Old Order Changeth,” New York Times Opinionator, December 26, 2011, http://opinionator.blogs.nytimes.com/2011/12/26/the-old-order-changeth/. 2. Another skeptical view that captures the anxiety surrounding this transition can be found in Stephen Marche’s essay “Literature Is Not Data: Against Digital Humanities,” Los Angeles Review of Books, October 28, 2012, http:// lareviewofbooks.org/article.php?id=1040&fulltext=1#.UJPBOOoTD6k. 3. Here, I am using “blog” as a surrogate for “born digital” scholarship. For a good introduction to “born digital” scholarship in the humanities, see Christa Williford and Charles Henry, One Culture: Computationally Intensive Research in the Humanities and Social Sciences (Washington, D.C.: Council on Library Information Resources, June 2012), http://www.clir.org/pubs/reports/pub151, and the Digging into Data Challenge website: http://www.diggingintodata.org. 4. For an excellent analysis of the challenges of evaluating born digital scholarship, and of the threats and opportunities that new forms of peer review pose for our systems of evaluation, see Kathleen Fitzpatrick’s blog “Planned Obsolescence”: http://www.plannedobsolescence.net/about/. 5. See the work of Anvil Academic (http://www.anvilacademic.org ), a digital- only press that is grappling with this vexing question of how to provide authority and legibility to these new forms. 6. For a useful discussion of why the terms of evaluation for new media and digital humanities need not necessarily require a whole new vocabulary, see Alison Byerly, “Everything Old Is New Again: The Digital Past and the Humanistic Future,” session delivered at the Modern Language Association (MLA) Conference, January 7, 2012, http://web.duke.edu/~ves4/mla2012/
Junos/Jupiter Images, © 2013 Byerly-DigitalPast-HumanisticFuture.pdf. 7. See, for example, the Modern Language Association’s “Guidelines for we may unwittingly cede to disruptive innovation from outside Evaluating Work in Digital Humanities and Digital Media,” January 2012, our walls. http://www.mla.org/guidelines_evaluation_digital. 8. For a provocative proposal that would address the current crisis in the The world of digital scholarship is a world of both promise humanities, see Toby Miller, Blow Up the Humanities (Philadelphia: Temple and peril. Most schools have not yet significantly invested in University Press, 2012). this area. Are such investments merely life-support for a dying 9. See U.S. Department of Labor, “Futurework: Trends and Challenges for Work in the 21st Century,” Labor Day 1999, http://www.dol.gov/oasam/programs/ patient, or are they strategic in an existential fight for the soul of history/herman/reports/futurework/report.htm#.UJsi9uOe9kI. the university? The choices, the conversations, and the debates 10. For an excellent, albeit disturbing, introduction to the concept of disruptive all connect in an integral way to the future of scholarship, schol- innovation in the context of higher education, see Clayton M. Christensen, Michael B. Horn, Louis Soares, and Louis Caldera, “Disrupting College: How arly communication, and classroom instruction. Disruptive Innovation Can Deliver Quality and Affordability to Postsecondary Just as Pixar brought to the movie screen an experience pre- Education,” Center for American Progress, February 8, 2011, http://www viously unattainable using the traditional techniques of anima- .americanprogress.org/issues/labor/report/2011/02/08/9034/disrupting -college/. tion, so too there are promises associated with the transforma- 11. For an example of what post-institutional collaboration might look like, tion of scholarship enabled by the expressive and computational see HASTAC—the Humanities, Arts, Science, and Technology Advanced power of technology. We can ask new questions of large bodies Collaboratory (http://hastac.org). of texts; we can visualize ancient ruins; we can perform pat- tern recognition across large bodies of visual materials to reveal Michael Roy ([email protected]) is the L. Douglas and Laura J. underlying themes; we can embed rich media—audio, video, ani- Meredith Dean of Library and Information Services and Chief Information mation—within the very texts of our arguments, all while making Officer at Middlebury College. scholarship more public and accessible than ever before. These © 2013 Michael Roy. The text of this article is licensed under the Creative Commons new modes of argumentation and representation may allow us Attribution-NonCommercial 3.0 Unported License (http://creativecommons.org/licenses/ to re-enliven the discussion around humanities, may allow for by-nc/3.0/). www.educause.edu/ero JANUARY/FEBRUARY 2013 EdU c AUs E review 53 nEwhorIzonS [The Technologies Ahead]
ds106: not a Course, not Like Any MooC
ooking for something different from the cur- finish the website in a month, and since then it’s been fully rent hysteria of Massive Open Online Courses launched. (MOOCs)? A digital storytelling course started by Jim Groom at the University of Mary Washington The idea to open up ds106 followed the lead of the first (UMW), ds106 was set loose as an open course in course to be called (by Bryan Alexander and Dave Cormier) LJanuary 2011 (http:/ds106.us/). Yet the UMW catalog does not a “MOOC”: the 2008 “Connectivism and Connective Knowl- include such a course. Its actual course designation is CPSC edge” (CCK08) course taught by George Siemens and Stephen 106 (Computer Science)—a small but telling example of how Downes. Open participants in ds106 can choose to use any ds106 plays with and questions the norm. blog platform, which is then subscribed to by the ds106 site. Most classes in digital storytelling revolve around the per- Other institutions teaching related courses connected their sonal video narrative form as popularized by the Center for students into the flow of ds106: Temple University in Japan, Digital Storytelling (http://www.storycenter.org/). But ds106 York College (CUNY), SUNY Cort land, Kansas State Univer- storytelling explores the web as a culture, as a media source, sity, Kennesaw State University. At any one time, the ds106 and as a place to publish in the open. Not claiming to authori- site includes overlapping work of students at UMW, students tatively define digital storytelling, ds106 is a constant process at these other institutions, and people who are just following of questioning digital storytelling. Is an animated GIF a story? along. Thus ds106 is more community than course. What does it mean to put “fast food” in the hands of Internet In its present incarnation at UMW, ds106 stands apart from pioneers? Why would we mess with the MacGuffin? Is every- the current crop of MOOCs in several ways: thing a remix? Though this is perhaps simply semantic word- play, ds106 is not just “on” the web—it is “of” the web. n There are no video lectures. Assignments are published weekly, Characteristic of ds106 is its distributed structure, mimick- including a mix of readings, videos, and creative work. ing the Internet itself, and its open-source non-LMS platform. n There is no concept of dropping out. The structure of ds106 allows Students are charged with registering their own domain, man- open participants to tune in only to parts they care about. aging their own personal cyberinfrastructure, and publishing One such participant, Emily Strong (http://erstrongds106 to their own website. Via the WordPress plugin FeedWord- .wordpress.com/), shares: “I’ve heard before that practicing Press, all content from students is automatically aggregated creativity regularly makes you more creative, and from par- to the main ds106 site—but all links go back directly to the ticipating in DS 106 I have to say that this is absolutely true. students’ sites. Between daily creates and projects from the assignment What do students get out of this? Colin Schulz, a former bank, I am constantly creating things, and I find myself tak- UMW student, explains: ing more creative approaches to everything else in my life, from approaching problems at work to noticing the inter- Going into DS106, I had extensive knowledge of computer esting angles and textures of a room.” programming but did not understand how to implement n The experience for open participants need not be the same as that for my programming skills with web design. By managing and enrolled students. Most MOOCs aim to create the same experi- creating our own blogs on the WordPress platform in ds106, ence for all participants; in ds106, open participants create I successfully learned about the WordPress platform and their own pathways. web design. n Massive is about impact more than numbers. Open participants The summer following successfully completing the add value to the experience for enrolled students. They offer course, I interned for a company. One of my tasks was to ideas and constructive feedback and are often active mem- simply put language into a newly created website that was bers of UMW students’ group projects. Regarding numbers, not launched but was successfully built by a professional the ds106 website currently subscribes to 620 blogs and has web developer. aggregated 23,000 external posts since January 2011. More Within the first week of doing minor fixes to the new than 800 people have published at least one item to ds106, website, I was asked to restart the process from scratch and with some of them having published hundreds. fully design and develop them a new website by myself. The n ds106 offers no certificates or badges. People join out of their skills I obtained from participating in ds106 allowed me to own interest or just to be part of a community. Open par-
54 EdU c AUsEreview JANUARY/FEBRUARY 2013 New Horizons department Editor: Vernon C. Smith By alaN leviNe
ticipant Margaret Herrick (http://margaretherrick.com/ The web syndication structure of the course is not limited blog/) notes: “ds106 has given me the conviction that I, at 72, to ds106. The same platform was deployed in a Fall 2012 open can make videos that tell my story beautifully, thoughtfully, online course in Entrepreneurship in Education (http://www and truthfully. The community aspect gives me the security .edstartup.net/) and in Project Community, a course offered that, no [matter] how busy I am with other things, I can by the Hague University of Applied Sciences (http://project always ‘drop into’ ds106 and continue to learn more.” community.info/). Similar functionality is provided by n ds106 is truly open. Course materials are not behind a login, gRSShopper (http://grsshopper.downes.ca), developed by nor are they ever deleted. The main channel of communica- Stephen Downes for a number of the Connectivist-style tion is not a discussion board but is via the #ds106 hashtag MOOCs. in Twitter. One last characteristic of ds106 is that it is not supported n Versions of ds106 push the boundaries of the class itself as a narra- by millions of dollars of investment money. Though the tive. The 2011 “Summer of Oblivion” included the disap- course started at the University of Mary Washington, ds106 pearance of an eccentric professor who banished students, truly belongs to its community. Hosted externally, the ds106 resulting in a class “rebellion.” The following year, Camp website is supported by its participants via a 2012 Kickstarter Magic Macguffin (http://magicmacguffin.info/) operated campaign (http://www.kickstarter.com/projects/jimgroom/ as a virtual happy summer camp metaphor—where things ds106-the-open-online-community-of-digital-storyte). were not exactly what they seemed. No one claims ownership of ds106. Its success can be traced to innovation supported by the University of Mary Washing- Thus ds106 is neither a product nor a magic bullet to “fix” ton and carried out by the UMW Division of Teaching and education. But within ds106 are applicable attributes that can Learning Technologies (DTLT) and to the vision of former be used elsewhere: UMW leaders Gardner Campbell and Chip German and DTLT team members: Jim Groom, who crafted much of the spirit and n The Assignment Collection (http://assignments.ds106.us/) drive of ds106; Martha Burtis, who built many of the key web includes over 500 creative activities, all contributed by par- pieces (and has taught the class); and Tim Owens, who shaped ticipants. Rather than being assigned specific tasks, UMW the design and functionality of the sites. But the contributions students are assigned, say, 15 stars of Audio Assignments extend further. UMW student Aaron Clemmer built a twitter (stars being a crowdsourced difficulty rating). Students are bot that updates the current content on ds106 radio, itself a free to choose the challenges that appeal to them. Via tags, contribution of open participant Grant Potter (University of the work that students publish for a particular assignment Northern British Columbia). From Scotland, John Johnston are linked from the original assignment as an example for has created storytelling tools (e.g., http://johnjohnston.info/ others to see. blog/?e=2264) that emerged from experiments in ds106 assign- n The Daily Create (http://tdc.ds106.us/) provides a regular ments. We lack enough space to list everyone who has contrib- dose of creative challenges in the areas of photography, uted to ds106! drawing, audio, video, or writing. Designed to take 20 min- How can you be a part of ds106? We’ve seen K–12 teachers utes or less, responses are shared via flickr, YouTube, or tap into specific tasks from the Assignment Collection. Others SoundCloud with specific tags that allow them to be syndi- make use of the Daily Create or just the radio station. The value cated back to the main site. of comments on participants’ blogs can never be overlooked. n Participants in ds106 nominate work of others as “inspir- And we will set up syndication for anyone who is teaching a ing” to a “best of ds106” collection called in[SPIRE] (http:// “ds106-ish” class in 2013 (http://ds106.us/teaching-ds106/) inspire.ds106.us), itself a project designed by Spring 2012 and who wants to integrate the class into the ds106 site and UMW students Linda McKenna and Rachel McGuirk. community. n Many advised us that for ds106 to be an open course, we Much more than a course, ds106 is an experiment in the needed to hold synchronous events in a webinar environ- shape and potential of open education. n ment—to us, a space that has not evolved significantly since the 1990s. But ds106 came up with something different: alan levine ([email protected]), an independent consultant an open, free-form Internet radio station (http://ds106 (CogDog.it), currently teaches the open digital storytelling course ds106. .us/ds106-radio/). The class uses the radio station for live Levine is an innovator in educational technology, previously working as an broadcasts of audio projects and for bringing in guest instructional technology specialist at the University of Mary Washington, experts. However, as a resource, it is open for other educa- following leadership positions at the New Media Consortium and the tors to explore the potential of live audio streams. Open Maricopa Community Colleges.
participants created tutorials for each other, and the power © 2013 Alan Levine. The text of this article is licensed under the Creative Commons of live audio has been elevated by mobile apps that allow Attribution-ShareAlike 3.0 Unported License (http://creativecommons.org/licenses/ live broadcasts. by-sa/3.0/). www.educause.edu/ero JANUARY/FEBRUARY 2013 EdU c AUs E review 55 policyMATTerS [Campus environment & Political Context]
Amassing Student Data and Dissipating Privacy rights
rom test-performance scores to student financial Records” mean “education records,” including test scores, data to statewide longitudinal data systems, there transcripts, and disciplinary infractions. Other Google has been a dramatic increase in the collection representations raise real concerns about how the student of students’ sensitive information over the last information, now in control of private companies, will be decade. Both the U.S. Congress and the presiden- used. For instance, Google will disclose student information Ftial administrations have touted the amassing of student data from its Apps for Education if it has a “good-faith belief” that as beneficial and necessary to a successful education system. such disclosure is “reasonably necessary” to comply with law However, the increase in the collection of student data has led enforcement requests and to protect “the rights, property to a marked decrease in student data protection. Changes to or safety of Google, [Google] users or the public as required student privacy regulations and government programs such as or permitted by law.”6 This means that Google, and not the the Education Data Initiative underscore the need for mean- educational institution, will be making decisions about when ingful oversight for the protection of student data. to disclose sensitive student (and faculty) information to law enforcement agencies. The education Department and Privacy Safeguards Parchment is another popular third-party entity to which In 2008 and 2011, the U.S. Education Department amended colleges and universities routinely outsource students’ most the regulations for the Family Educational Rights and Privacy prized commodity: transcripts. Parchment is a web-based Act (FERPA). These amendments increased private company service that permits colleges to “receive, request, and analyze and third-party access to student data. The electronic transcripts.”7 Despite Parchment’s 2008 changes expanded the definition of claim that its services are “fully secure and “school officials” to include “contractors, FERPA compliant,” the company’s terms of consultants, volunteers, and other parties The increase in use reveal that to the extent permissible by to whom an educational agency or institu- the collection law, Parchment disclaims any representation tion has outsourced institutional services or or warranty that its site is secure and dis- functions it would otherwise use employees of student data claims any liability for lost data.8 In an era of to perform.”1 This amendment gives com- has led to a rampant security breaches, a company’s fail- panies like Google and Parchment access to marked decrease ure to carry the responsibility for safeguard- education records and other private student ing students’ transcripts is hardly reassuring. information. in student data Surprisingly, in 2011, the Education Google Apps for Education offers “free protection. Department again loosened the safeguards Web-based email, calendar, and documents” for student records by modifying the key to “millions of students and educators terms “education programs” and “authorized worldwide.”2 Arizona State University, the representatives” to permit greater disclosure University of Michigan, Brown University, and other higher of student data. Under FERPA, “authorized representatives” of education institutions use Google Apps for Education to pro- the U.S. comptroller general, the secretary of education, and vide many of the services that colleges and universities had state educational authorities may access student records to typically provided directly to students and faculty—resources audit or evaluate federally supported “education programs.”9 for research, e-mail, and document production.3 Because The new regulations broadly define “education programs” to higher education can spend hundreds of thousands of dollars encompass programs not only focused on “improving aca- to provide e-mail servers to students and faculty, the allure of demic outcomes” but also related to “bullying prevention, “free” e-mail service is obvious.4 Less obvious, however, is that cyber-security education, and substance abuse and violence students are paying the cost to use Google’s “free” servers by prevention” regardless of whether the program is adminis- providing access to their sensitive data and communications. tered by an educational agency or institution.10 And previ- Google states: “To the extent that Customer Data includes ously, “authorized representatives” were exclusively entities FERPA Records, Google will be considered a ‘School Offi- over which educational authorities had “direct control, such cial’ . . . and will comply with FERPA.”5 Presumably, “FERPA as an employee or a contractor of the authority.”11 Now, autho-
56 EdU c AUsEreview JANUARY/FEBRUARY 2013 By MaRc RoTeNBeRg and Khaliah BaRNeS
rized representatives can be any individual or entity that edu- When FERPA was enacted almost forty years ago, Congress cational authorities select as an authorized representative.12 made it clear that students’ personal information should not By amplifying “education programs” and “authorized be made widely available. Congress was particularly con- representatives,” the Education Department has taken very cerned that if student records fell into the hands of private narrow circumstances that permit the disclosure of education parties, these records could hurt students later in life when, records and has expanded those circumstances to the point for example, students were seeking jobs. Although the pres- that the disclosure of student data is no longer the exception sures have increased over the years to access student data, but is increasingly becoming the rule. Congress and the Education Department should work to strengthen student privacy rights and provide oversight on Wider Disclosure, Fewer Safeguards student data disclosure. n In January 2012 the Education Department, working with the Office of Science and Technology Policy (OSTP), announced Notes the Education Data Initiative, a public-private partnership 1. Family Educational Rights and Privacy Regulations Notice of Proposed 13 Rulemaking, 73 Fed. Reg. 15,574, 15,578 (March 24, 2008); see also Family that collects and disseminates student data. The Education Educational Rights and Privacy Regulations, 73 Fed. Reg. 74,806, 74,852 Data Initiative involves several public-sector entities that (December 9, 2008). gather student data and then disclose it to the private sector. 2. Google Apps for Education, accessed December 12, 2012, http://www.google .com/enterprise/apps/education/. For instance, under the Education Data Initiative, federal 3. “Customer Stories,” Google Apps for Education, accessed December 12, 2012, student aid websites feature “a ‘MyData’ download button to http://www.google.com/enterprise/apps/education/customers.html. allow students to download their own data [and] . . . share . . . 4. “Arizona State University Success Story,” Google Apps for Education Case 14 Study, October 10, 2006, http://static.googleusercontent.com/external_ with third parties that develop helpful consumer tools.” content/untrusted_dlcp/www.google.com/en/us/a/help/intl/en/edu/ Although the Education Department and OSTP are push- customers/pdfs/asu_success_story.pdf. ing for an increase in aggregating data, these agencies do 5. “Google Apps for Education Agreement,” Google Apps, accessed December 12, 2012, http://www.google.com/apps/intl/en/terms/education_terms.html. not explicitly describe how the Education Data Initiative 6. “Privacy Policy,” Google, July 27, 2012, http://www.google.com/policies/ will protect students’ privacy or safeguard against security privacy/#infosharing. See also “Security and Privacy,” Google Apps for breaches. The absence of a breach policy is ironic in light of Education, accessed December 12, 2012, http://www.google.com/apps/intl/en/ edu/privacy.html. security breaches that affected an Education Department 7. “Docufide Receiver,” Docufide by Parchment, accessed December 12, 2012, website in October 2011. The Education Department’s Federal http://www.docufide.com/products/docufide-receiver. Student Loan Servicing website (http://www.myedaccount 8. “Terms of Use,” Docufide by Parchment, accessed December 12, 2012, http:// www.docufide.com/terms-of-use. .com) exposed “the personal financial details of as many as 9. 20 U.S.C. § 1232g(b)(3) (2012). 5,000 college students” to borrowers who had logged into the 10. Family Educational Rights and Privacy Regulations, 76 Fed. Reg. 75,604, 75,614 website. Although the department shut down the website (December 2, 2011). 11. Family Educational Rights and Privacy Regulations Notice of Proposed while it resolved the problem and “notified and offered credit Rulemaking, 76 Fed. Reg. 19,726, 19,734 (April 8, 2011). monitoring services” to those affected,15 this is an unfortunate 12. 34 C.F.R. § 99.3 (2012). example of the Education Department’s failure to establish 13. Aneesh Chopra and Zakiya Smith, “Unlocking the Power of Education Data for All Americans,” Office of Science and Technology Policy Blog, January 19, 2012, appropriate technical safeguards that ensure confidentiality http://www.whitehouse.gov/blog/2012/01/19/unlocking-power-education- of personal records as required by the Privacy Act, which, like data-all-americans. FERPA, is another landmark federal privacy law.16 14. Office of Science and Technology Policy, Executive Office of the President, “Fact Sheet: Unlocking the Power of Education Data for All Americans,” The Education Data Initiative reflects a growing trend with January 19, 2012, p. 1, http://www.whitehouse.gov/sites/default/files/ student data: government agencies are taking personal infor- microsites/ostp/ed_data_commitments_1-19-12.pdf. mation that students are required to provide, skirting federal 15. “Government Site Exposes Financial Info of Thousands of College Students,” CBS Local Media, October 26, 2011, http://washington.cbslocal.com/2011/10/ regulations, and turning student data over to the private sector 26/government-site-exposes-financial-info-of-thousands-of-college with few, if any, safeguards for privacy and security. -students/. See also Alice Lipowicz, “Education Dept.’s New Website Suffers Data Leak, Malfunctions,” Federal Computer Week, October 31, 2011, http://fcw .com/articles/2011/10/31/education-dept-experiencing-data-leak-glitches-on- conclusion new-student-loan-website.aspx. In February 2012, the Electronic Privacy Information Center 16. 5 U.S.C. § 552a(e)(10) (2012). (EPIC) filed suit against the Education Department regarding the changes to the federal student privacy regulations under Marc Rotenberg ([email protected]) is Executive Director of the Elec- FERPA. At EPIC, we believe the agency exceeded its authority tronic Privacy Information Center (EPIC) in Washington, D.C. He teaches when it revised the federal privacy law to make student data Information Privacy Law at Georgetown University Law Center. Khaliah more available. And we disagree with the agency’s decision to Barnes ([email protected]) is Administrative Law Counsel at EPIC. loosen the key definitions that help safeguard student records. © 2013 Marc Rotenberg and Khaliah Barnes. The text of this article is licensed under Our case, EPIC v. Department of Education, is pending in federal the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License district court in Washington, D.C. (http://creativecommons.org/licenses/by-nc-nd/3.0/). www.educause.edu/ero JANUARY/FEBRUARY 2013 EdU c AUs E review 57 viEwPoInTS [Today’s hot Topics]
MooCs: Get in the Game
n July 2012, John V. Lombardi (someone I have admired for but can be truly transformative in the evolution of pedagogy nearly three decades and came to know personally during (perhaps rapidly) to a “flipped classroom” model. By actively our shared time in Louisiana) wrote that investing in Massive engaging in these start-up efforts, we bring the lessons directly Open Online Courses (MOOCs) as the “next big thing” in to our campuses and, more important, to our faculty and our higher education is largely about institutions trying to “seek academic staff who must assume leadership for how our colleges Ivisibility and preeminence to validate their claims of significance and universities embrace online and blended education. and advertise their association with the latest educational trends Institutions that take a responsible approach and make a rea- and enthusiasms.”1 Lombardi was spot-on in assessing that these sonable investment of time and resources to get a few courses into “free” courses are by no means free and that many questions a MOOC environment can benefit by seeing things up-close and remain to be answered. However, I would argue that there is personal. The debate about all aspects of MOOCs is only getting value in institutions sticking their proverbial toe in the MOOC started; it will become even more robust as more data on experi- waters, as my own institution—and scores of others—have done ences emerges and as more people join the discussion.2 Being via Coursera and other MOOC efforts. “in the game,” rather than simply watching from the sidelines, In the EDUCAUSE 2012 session “MOOCs: The Coming Revo- provides a better set of insights to inform that robust debate. We lution,” which I presented with Coursera’s co-founder Daphne will be able to use our own experiences to judge what our unique Koller, I opened my portion by emphasizing that the current IT- institutions do rather than basing our decisions on the experi- driven disruption is not actually about information technology ences and views of others who are not us. but is, rather, about pedagogy. I’ll take this opportunity to state Although UMD is still in the early days with MOOCs, I can my view again: the focus of this disruption should be on teach- share our experience to date: ing and learning. However, I believe that there is value in having the IT organization take an active role in helping the institution n Contracting with the provider. Working out our contract with to embrace this change, even going so far as to move onto “point” Coursera was not overly challenging. I’ll credit that to the for change. I believe the move by my institution, the University flexibility of Coursera and its understanding of the concerns of Maryland (UMD), into Coursera perfectly illustrates why insti- of higher education institutions. The agreement is not secret, tutions—and IT leaders and organizations—should get involved with many of them available for perusal online, including with some form of MOOC initiative at this time. I see two pri- UMD’s.3 mary reasons, along with a third, more fundamental reason n Choosing the course offerings. Recruiting faculty and selecting beyond those two. courses was a task of winnowing to a reasonable number First, there are opportunities available. The current “name-brand” from a large set of quality offerings (rather than hunting for MOOC entries are still interested in developing content- volunteers). Today, we have a steady flow of faculty who are providing partners: Coursera has expanded twice, growing interested in being “in the next wave,” and our first Coursera from its original four partners to thirty-three as of December offerings won’t debut until early spring of 2013. In fact, at this 2012; edX has grown from the Harvard-MIT founders to include time, our biggest challenge involves how to deftly and sensi- the University of California–Berkeley, the University of Texas tively say “No, not just now, maybe later” to an increasingly System, Georgetown University, and Wellesley College. eager and ambitious number of faculty. Second, this is what leading institutions do. As UMD President Wal- n Preparing the courses. Here, we are still gaining knowledge. The lace Loh said, we stick our necks out (in the metaphor of our first to-do with Coursera involved creating the “course land- mascot, the terrapin). Presidents and provosts at all levels of insti- ing pages” (like “trailers” for a coming-attraction movie). This tutions are, if not under pressure, certainly being encouraged by was revealing on many levels, including the need to establish their boards, legislatures, donors, and others in the community better video support services (we used our University Rela- to take action. They are also being pushed by their own faculty, tions studio and talent) and also support for our faculty on who are eager to give MOOCs a try. “being ready for their close-up.” What we’re only now starting Third, and more fundamentally important, actively participating may to understand is how much goes in to actually preparing the be a better way to learn than simply watching from afar. I believe we’re course “modules”: Coursera’s structure encourages faculty- at a point of change, where information technology not only is led “imparting” sessions of 12 to 15 minutes, augmented useful for automating the status quo in teaching and learning with associated assignments, discussions, and assessment
58 EdU c AUsEreview JANUARY/FEBRUARY 2013 Viewpoints department Editor: David Lassner By BRiaN D. voSS
institutions have decided that there is value in a senior-level position (e.g., vice provost, special assistant to the president), not necessarily to take ownership of all facets of online educa- tion but to coordinate the process by which an institution can quickly evolve its collaborative activities. n What is the role of information technology? Many observers, includ- ing me, argue that MOOCs are not really about information technology and are not something that should be led by the IT organization. That said, as the debate rages in the academic divisions and the cabinets of our institutions, the IT orga- nization is well positioned to take a “recon” role—that is, to establish a beachhead, or a pilot, or a furtive first experiment or discussion. I’m sure I’m not the only CIO to be called by the president or provost when the MOOC events began to unfold. This makes sense: those of us in information technol- ogy are well positioned to contribute in turbulent times. Our challenge will be how to do so and then how to relinquish the point position when the academic divisions are ready to assume their rightful place leading this charge into our Steve McCracken, © 2013 future. exercises to create learning modules delivered via its online platform in a synchronous approach. In his blog post, Lombardi advises colleges and universities to watch and wait until the leading institutions have experi- The challenges we’ve exposed in our process have illumi- mented and developed a viable strategy that can deliver value nated a broader set of questions: (from MOOCs) to their communities. He further cautions that governing boards should exercise caution in demanding trendy n What is this new approach to pedagogy? There is a definite need for responses from their institutions and that it is often best to a better understanding on the part of faculty of what the new observe, study, and evaluate and to perform a cost-benefit analy- paradigm of pedagogy means to them. Many faculty may come to sis before jumping onto the next big thing. This is sound advice the discussions thinking of the current model of IT enable- for many, to be sure. ment in blended and online learning, which is largely one But I would argue that we can better do these things—includ- of using information technology (learning management sys- ing learning about these new environments, platforms, and tems and their many attendant parts) to automate the process processes so as to apply their value in the broader blended and of course delivery, with little impact in the classroom or in the online initiatives we undertake, well beyond MOOCs—by tak- curriculum. Coursera’s approach is challenging this model ing an active role rather than simply watching and waiting. We and is opening up what may be a renaissance in faculty mem- should be in this game, and actively so. Our higher education bers’ approach to teaching (and students’ approach to learn- institutions are about creating, sharing, and preserving knowl- ing) in a 21st-century IT environment. What we have here is edge. By taking an active role in the MOOC revolution, we are a new way to apply an old IT term—Business Process Reengi- fulfilling the first, to the benefit of the second. n neering—to the fundamental business of our universities. n MOOCs are “it,” right? The focus on this “next big thing” has Notes often been viewed as a search for what might be called the 1. John V. Lombardi, “The Next Big Thing,” Reality Check (Inside Higher Ed blog), 4 July 23, 2012, http://www.insidehighered.com/blogs/reality-check/next-big Highlander Model —that is, there can be only one, and MOOCs are -thing#ixzz2EaNNSQ00. the one. Of course, MOOCs are just a single tool in the online 2. See, for example, Doug Guthrie, “Jump Off the Coursera Bandwagon,” education toolbox. We need to stop thinking in terms of a Chronicle of Higher Education (Commentary), December 17, 2012. 3. “Online Course Hosting and Services Agreement,” http://www.president.umd MOOC revolution and instead think in terms of teaching and .edu/legal/frpdpdfs/coursera_contract_2012.pdf. learning revolution, of which MOOCs are just one (currently 4. On the Highlander movie, see http://www.imdb.com/title/tt0091203/. very disruptive) element. n Do we need another administrator? A critical challenge is the Brian D. voss is Vice President and Chief Information Officer at the Uni- shortness of time to act. Events are transpiring quickly, and versity of Maryland.
the revolution in online education may not patiently wait for © 2013 Brian D. Voss. The text of this article is licensed under the Creative Commons the evolution of our institutions in terms of how our faculty Attribution-NoDerivs 3.0 Unported License (http://creativecommons.org/licenses/ and scholarly support structures respond. Several leading by-nd/3.0/). www.educause.edu/ero JANUARY/FEBRUARY 2013 EdU c AUs E review 59 Editors’ Picks for 2012
Multimedia Changing the Game in Higher Ed IT Education changes lives and societies, but can we sustain the current model? In this video, find out how new models and new technologies allow us to rethink many of the premises of education. »
Online in February at » educause.edu/ERO Search
Feature Good Ideas Cloud Security: Cloud Now or Concentrating Class: Learning in Cloud How? the Age of Digital Distractions Highlights of the sometimes sprawling yet always Exploring technology’s impact on their learning and their interesting Shel Waggener–Fred Cate debate, including lives ended with many students further enamored of a bit of color and passion. » technology rather than concerned by its disruptions. »
Case Study Peer-Reviewed Dream On: An Acting Class Building the E-University: Explores the Digital Landscape Transforming Athabasca University An acting class added digital technology to investigate Reinventing itself as an online university required how it might enhance character interpretation and sweeping changes in culture, effective leadership, and explore whether it could play an integral part in the faculty/staff flexibility. Today, real change is visible. performance without becoming the performance. » Here’s how they did it. » Need to squeeze more value out of your IT budget?
Technology leaders are increasingly asked to provide more services while maintaining costs. Jenzabar, a leading provider of software, strategies, and services for higher education, can help you to get the most from your technology spending. Contact us today to:
+ Assess Total Cost of Ownership and what it means for your campus + Support student success without over-spending + Identify opportunities for cost-effective support
Visit jenzabar.com/tco for insights you can use.
© 2013 Jenzabar, Inc. Jenzabar® is a registered trademark and the Jenzabar logo is a trademark of Jenzabar, Inc.