New Data Privacy Officer to Shepherd Proper Use of Information

From social media apps that watch every mouse click to the cell phone that tracks your location, protecting your data privacy can feel as impossible as changing someone’s mind in a Facebook argument. It’s also important for institutions like the University of Maryland, which stores highly sensitive information such as employment records and student financial data.

That’s where UMD’s new chief data privacy officer, Joseph Gridley, steps in. Gridley, who started in September after working as assistant chief privacy officer and HIPAA security officer at Penn State University, will be working on new policies and standards to make sure institutional activities respect and properly utilize private data.

“We have an ethical obligation to use it appropriately,” Gridley said. “Privacy isn’t necessarily asking, ‘Can we do this?’—it’s also, ‘Should we do this?’”

In honor of Data Privacy Day today, here are three issues that Gridley is watching as the spring semester begins.

Stay on guard online
“Digital citizenship” is important for everyone, Gridley said, and people have become too willing to hand over their personal information, even in something as superficially innocuous as an iPad giveaway raffle. The endpoint can be something akin to the Cambridge Analytica scandal, wherein personal data of Facebook users was harvested without their consent for political purposes.

Go through the apps and services you use and see what protections are there, he said, suggesting this guide from Popular Mechanics as a starting point.

“Be aware of the information you are providing,” Gridley said. “You have the ability to restrict who can see your data.”

Know where to turn
Gridley, the first privacy officer at UMD, wants to be a resource for the entire campus, likening his job to the Institutional Review Boards that oversee research proposals and protect the rights and welfare of participants.

He will also be developing a new privacy governance program in accordance with a law passed by the Maryland General Assembly last year to guide the collection, use and storage of data gathered and kept on individuals, including current and prospective students, alumni, and staff. New privacy impact assessments will be piloted to assess the impact of projects that include personal information.

Design projects with privacy in mind
Anonymity is getting harder in a world where a refrigerator can be connected to a watch and the watch can be linked to Facebook. So if someone at UMD wants to look at staff recruitment or hiring practices, for example, Gridley said they should only access the data they need—ask for only 20 pieces of information rather than the 50 you want.

“We can maybe eliminate a risky data element,” he said.

Projects that aim to predict behavior from UMD’s institutional data would present a more significant challenge, Gridley said, as formulas based on information like test data will carry unintended biases.

“Predicting behavior carries a whole bunch of risks,” he said.