For 15 years, the University of Maryland relied on a single sentence to govern what it may do with the online private information of students, faculty and staff. But a proposal for a revamped policy, whose creation was triggered by a state law that passed last year, is set for a vote in the University Senate in December.
The current policy is buried in the Policy of Acceptable Use of Information Technology Resources and was signed by former university President Wallace Loh in 2006. The provision reads: “To the extent possible in the electronic environment and in a public setting, a user’s privacy will be preserved.”
The current policy is ambiguous, said Jessica Vitak, an associate professor in the information studies college who runs the Privacy, Education and Research lab on campus.
But the law, passed by the Maryland General Assembly in March 2020, requires specifics, such as that higher education institutions adopt privacy programs for the protection of personally identifiable information, along with other related requirements, by October 2024.
“We want companies to be transparent with how they are using our data, and we want that transparency to be articulated very clearly,” Vitak said.
In October 2020, following a series of conversations, the university set up a privacy office and hired a chief privacy officer to develop a new, more comprehensive information privacy policy. The process is currently ongoing.
“As a student at UMD, you are generating a ton of data,” Vitak said. “I want to know exactly what data [is being collected], how it can be used, and who might get access to it.”
[UMD to expand COVID-19 testing for asymptomatic individuals]
The proposed policy is over 4 pages long, defines what information is protected, outlines how the policy will be implemented, how policy violations will be handled and states the document’s guiding principles.
Centered around the collection and acceptable use of personal identifiable information, such as social security numbers and internet activity, the policy lays out a set of principles that are supposed to guide the university when making decisions that may impact someone’s privacy rights.
“The overall goal is to more clearly communicate the principles that Maryland has with regards to privacy,” said Joseph Gridley, the new chief privacy officer. “And to also clearly define the expectations of privacy that the community has.”
By publicly stating how they are going to handle private information, the university is legally binding itself to that commitment, according to Hamza Jilani, a professor at the University of Maryland law school teaching information privacy law. Under Section 5 of the Federal Trade Commission Act, entities are held to public statements.
Jilani has worked in the privacy sector for more than 10 years, advised Fortune 500 companies developing their own privacy policies and is currently creating a policy at W.L. Gore & Associates where he is the director of the global privacy program.
[DOTS still advises shuttle drivers to admit riders without masks. Some drivers are upset.]
“There [are] a number of principles that the University of Maryland is looking to establish: respect, equity, transparency, responsibility, limitation,” he said. “These stem from frameworks that were developed by international organizations.”
In some cases, such frameworks require the disclosure of what is being done with private information or the provision of guidance on how to articulate that to individuals, Jilani said.
“The whole University of Maryland System, personal information flows everywhere, in all different departments, in all different activities,” Jilani said. “This establishes rules and principles around those activities, which are critical for building trust at the University of Maryland, and holding the university accountable to this document.”
University community members can offer input about the proposed policy at the IT Council’s virtual public forums every Tuesday at 3 p.m. for the rest of September. Concerns may also be submitted to umd-privacy@umd.edu.
“We’re looking to do this as a community,” Gridley said, “to establish these principles and expectations in a way everyone understands, and that they feel like they had an opportunity to influence and be heard.”
The proposed policy, in a more finalized form, will be presented to the University Senate in October by the IT Council. In December, the policy will again be brought before the senate for final review and a vote of approval, Gridley said.
“It’s a good first step in updating the practices of the university,” Jilani said. “It will be interesting to see if any practices change or are adjusted or remain the same.”