http://aclu.org/pizza

UCLA CPO (& co)
CSG — November 27, 2012
Kent Wada, Director, Strategic IT Policy and Chief Privacy Officer
UCLA Office of Information Technology
The UC Electronic Communications Policy (ECP)
http://policy.ucop.edu/doc/7000470
The ECP
• Defenders of the faith … and proxy
• Adopted 2000, last major revision 2005
• 2010: ECP “quick fix” project and overarching review of privacy and information security
• Issues become more complicated and far more pervasive (tools like Google Analytics and Dropbox; HR issues; cultural expectations; …)
UC Privacy and Information Security Initiative
http://universityofcalifornia.edu/privacyinitiative/
Steering Committee Charge
• An overarching privacy framework that enables UC to meet statutory and regulatory obligations in a manner respectful of individual privacy;
• Governance, implementation and accountability structures across the University with respect to privacy and information security;
• A formal, ongoing process through which the University can examine and, where necessary, address through policy vehicles the technical and societal changes that have an impact on University policy and practice in the areas of privacy and information security; and
• Specific actions or phases needed to implement the proposed framework as University policy.
What is Privacy?
• Privacy is about the individual
The Perils of Privacy
“Down the hall in the billing department, a clerk uses a lunch break to
scan the Web for information on abuse victims. The information
retrieved also flashes onto a screen in the boss’s office, revealing a
secret the employee never told anyone.”
The Perils of Privacy: PC World, December 28, 1999
pcworld.com/news/article/0,aid,14557,00.asp
Implications, Activities and Status
• Aligning privacy and security
• IS-3
• Convergence for strategic direction setting and risk/compliance
• Systemwide information security policy review and alignment project
• Report draft status
A Campus Privacy Program
http://privacy.ucla.edu (planned)
A “Typical” Privacy Program
• Identifying and managing privacy risks
• Developing privacy policies and practices
• Maintaining integrity over campus practices and decisions that impact privacy
• Fostering privacy by design
• Properly handling privacy breaches
• Resolving conflicting privacy interests
Not Your Father’s CPO
• Actually, your father didn’t have one (and most still don’t)
• Integration of both forms of privacy across the campus
• Not intended to replace existing authority for regulatory compliance
• Integrated coordination with Chief Compliance Officer, Health System/School of Medicine and campus ISO
• More a focus than a position (at present)
• Building a roadmap
• A first step: identifying campus privacy pieces
UCLA Privacy and Data Protection Board
http://privacyboard.ucla.edu/
Not Your Father’s “Privacy Board”
• Historical context
• UCLA Privacy Statement … basis for part of the UC initiative
• 2012: organizational revision
• Strategic direction setting for privacy and information security
• Compliance and risk
• The CPO and the Board
• Director, IT Security and Chief Compliance Officer, UCLA Health System and David Geffen School of Medicine
Questions? Thoughts? Comments?