The University of Maryland Division of Information Technology will release data privacy standards for public feedback on March 30 as part of the process to revamp the university’s policies.

The process to begin restructuring this university’s data privacy policy came in March 2020 when the Maryland General Assembly passed a law requiring higher education institutions to adopt privacy programs with specific protections by October 2024.

When this law was passed, this university’s data privacy policy consisted of the Policy of Acceptable Use of Information Technology Resources, which is four pages, as well as various procedures in various informal documents, said Derek Richardson, chair of the University Senate’s information technology council.

“It was recognized that now we need to fix this up.” Richardson said, “Now … we have a single document that we can point to saying alright, this is our guiding principle. And whenever it comes to implementing something that could affect privacy rights on campus, such as the use and retention of personally identifiable information, they have to adhere to this policy.”

[UMD works to revamp privacy policy]

While the University Senate voted in favor of establishing the new data privacy policy in December of 2021, the policy is only part of it, chief data privacy officer Joseph Gridley said.

The policy sets general principles and expectations for how data is handled while the standards, which are still in the process of being developed, outline how the department plans to meet those principles and expectations when data is being used.

The DIT initially released three interim standards on Jan. 28, 2022. The interim Exceptions Standard, Incident Response Standard and Institutional Investigations Standard all “address critical functions that really can’t wait,” Gridley said.

These interim standards are mainly formalizations of things that were already happening, “with a couple extra things,” Gridley said.

Looking forward, the campus community can expect more standards — such as the Third-Party Engagement Standard and the Access to and Use of Specified Data Types standard — to be developed and ready for comment by March 30.

When those new standards are released, members of the campus community will be notified via email and other notification methods. At this point, anybody will be able to go to the DIT website to look at the standards and submit questions, concerns and thoughts on the standards for 60 days, Gridley said.

Once the 60 days are over, the drafting team made up of volunteers from the University Senate IT Council, security advisory committee council, faculty from various departments and soon, the Student Government Association, will come back together to incorporate the feedback received and submit a final product for the University Senate IT Council to review, Gridley said.

[Some UMD community members question campus building protections against shooter]

This timeline means the new, official set of standards are on track to go live June 30, 2022, though Gridley said the process is set up so drafting teams will be working on a new set of standards each quarter for community review and comment.

“The standards are intended to be kind of agile and living documents that we look at every year,” Gridley said.

Frauke Kreuter, co-director of the Social Data Science Center and a professor in the Joint Program in Survey Methodology, said shared governance and community input in creating data policies is important because “there isn’t a person on campus who won’t notice the consequences.”

Data privacy is a nuanced subject, and “there’s not a single data item that needs the same protection at all times and in every context,” Kreuter said. The regulations must center around how we can make campus life better, Kreuter added.

“The most important thing in this is that it is a collaborative effort, because it does impact the community. So we want to make sure that the community has a voice as we develop these things.” Gridley said. “The more chances we have to get that message out to the wider audience that we can, the happier I’ll be, because that makes it a better final product.”