January 28th brings another Data Protection Day. Five years ago today we launched UC Berkeley's "bConnected Transparency Report" to give our students, faculty and staff a clear idea about how the University handles their personal information in services like Google, Box, Sharepoint.
Several of us involved in launching the original report collaborated on an article, posted today on the University's main technology website, Looking Back: Celebrating Five Years of Data Privacy and Transparency at UC Berkeley, that reflects back on the launch and where we are today. From that article:
"The bConnected Transparency Report was part of a larger UC Berkeley Transparency initiative led by Campus Privacy Officer Lisa Ho. The larger program included three major areas: Clarity about UC Berkeley’s electronic communications policy, so everyone knows the rules and how those rules are tied to individual practice; consistency in how IT practices align with policy; and transparency through a biannual report. The bConnected Transparency Report shows the number of requests for non-consensual data access, the number of access requests approved, and other information for bConnected, which includes Google Suite, Box, and CalShare. It also highlights the limitations of bConnected privacy, based on certain laws that bypass the university’s policy."
Our IT, procurement, and security staff focus a LOT on contract terms for vendors' practices on data management, security and privacy controls (all super important!), but we can't miss the fact that our own internal Berkeley teams often have significant access to people's sensitive information. With that access comes responsibility to implement our own privacy practices and controls -- and to provide transparency about how those processes work. As Tracy Mitrano from Cornell and I presented it to EDUCAUSE in 2015, In the world of cloud services, privacy begins at home.
How our institutions handle people's sensitive information reflects our institutions' values. Actions define culture with respect to people and their information. I'm thrilled to have played a role in originally launching Berkeley's transparency report, and to be able to say today that it is withstanding the tests of time and bureaucracy. I am not too surprised to note that this persistence is not the norm. The Atlantic published an article this Fall about how companies are quietly backing away from commitments to transparency. One of the challenges is that processes like these become dependent on people - and when people change jobs, or when their workloads grow there's pressure to simplify. Privacy is something most often noticed in the breach - not a burning daily concern for most people. We are tackling these pressures on privacy compliance and transparency reporting as we are most similar challenges -- by automating more things and aligning more processes with people's regular work and tooling so compliance happens by default rather than periodically needing special work. UC Berkeley's Interim Privacy Officer, Scott Seaborn and I are championing use of the new campus Docusign service. Providing a secure path from access requests through the review process with Docusign enables us to automate our biannual transparency reporting. As Scott puts it:
"The UC Berkeley Privacy Office is taking further steps to automate the administrative review process for requests by university officials to access the electronic communications of students, staff and faculty to ensure that the appropriate checks and balances are in place, that the minimum necessary access is only granted after an extensive, defined review process occurs and that the rationale for granting access is documented and made publically available."
I'll close with a couple thoughts from Lisa Ho's thoughts from the article:
"With the tide of data collection so strong, it takes conscious effort to stay rooted to our fundamental ideals when people, budgets, priorities, and technology change. If new situations require changes to our practices, we must do so with full public awareness, and not simply drift away from our ethical stance in the middle of the night. Our transparency report acts as a public statement of accountability to help anchor us to the shared privacy values and principles we agreed were fundamental to our mission."