Welcome to The Higher Edge Podcast!
Sept. 6, 2022

The New Protectors of Higher Ed Privacy (featuring Pegah Parsi)

Big data has been a global hot-button issue for several years, which has led to a major focus on higher ed privacy.

Lack of transparency and ugly intentions can leave students open to abuse of their autonomy. But a passionate group of professionals is leading the charge in protecting our students from hostile actors.

Pegah Parsi, Chief Privacy Officer at the University of California - San Diego, joined us to share her thoughts on privacy in the higher ed space and why its security matters.

Join us as we discuss:

- The erroneous conflation of security versus privacy (10:24)

- Opportunities for collaboration in the privacy sector (32:44)

- Opportunities for collaboration in the privacy sector (32:14)

Check out these resources we mentioned during the podcast:

- University of California - San Diego

- International Association of Privacy Professionals

- Pegah@thehigheredge.com

To hear this interview and many more like it, subscribe on Apple Podcasts, Spotify, or our website or search for The Higher Edge in your favorite podcast player.

Transcript

[00:00:00] Announcer: Welcome to the Higher Edge, a podcast for the brightest minds in higher education to hear from the change makers and rulebreakers that are driving meaningful, impactful change for colleges and universities across the country.  Rrom improving operations to supporting student success. These are the stories that give you, "The Higher Edge".

[00:00:30] And now your host, Brendan Aldrich. 

[00:00:33] Brendan Aldrich: Hey everyone, and welcome to The Higher Edge. I'm Brendan Aldrich and I'm here today with Pegah Parsi, who is the Chief Privacy Officer for the University of California in San Diego, which is a premier research university that's located on the coast of beautiful southern California and is considered one of our nation's Public IVs often tops the list of the, uh, the world's best universities.

[00:00:54] Pega welcome and thank you so much for joining us here on the Higher Edge. Thanks for having me. Pega. Every role, [00:01:00] especially a new one, like a Chief Privacy Officer, is shaped by the experiences you bring to it. Uh, we've talked a little bit about your path of becoming uc, San Diego's Chief Privacy Officer, and I think that you bring a depth of diversity and experience that is fascinating.

[00:01:14] Would you, would you mind sharing just a little bit about your personal. , 

[00:01:18] Pegah Parsi: absolutely. My personal journey seems to resonate with a lot of students, so I like telling this story. , when I graduated college, I wanted to go to law school. I was very interested in working in human rights, working in civil liberties, civil rights.

[00:01:31] Those were my big passions. I wanted to work with political prisoners and you know, asai and refugees and those sorts, sorts of. So I went to law school. I got a pretty broad general, um, education. I went to business school to have a better business acumen, but then I graduated right in the middle of the great recession.

[00:01:50] When nobody was hiring, and certainly the field of human rights is, is notoriously difficult to get into anyway, so, you know, I did a few pro bono [00:02:00] gigs and ended up working, doing research administration, which is a great field to go into, but that was not my. Passion. So I worked at the university where I graduated doing research contracts and learning about the amazing research enterprise that we have here in the United States.

[00:02:18] Um, and then I started doing the same thing at Stanford University. again, very interesting, uh, things to learn. Very interesting topics, but it wasn't my passion, but I was, uh, I kept looking around and wanting to learn more and more about university administration. And I noticed that we had a lot of privacy terms and security terms coming up in our contracts, and I kept asking our privacy office or our information security office for assistance, can we comply with this?

[00:02:55] Do we have these policies? Are these the types of security and privacy [00:03:00] protocols that we have in place? And of course, those offices, Overwhelmed. So when a developmental opportunity came up, my boss said, Hey, you are being very annoying asking these privacy questions. Why don't you go to the privacy office and you learn it yourself and then bring it back to us?

[00:03:22] So I had a six month assignment at the Stanford University Privacy Office, and the rest was history When I landed there, um, I first learned about the basic, you know, legal things that you might, you might learn about things like HIPAA and ferpa, and those were interesting enough, but once I realized the gravity and the importance of privacy for.

[00:03:47] The human condition , but certainly for things like human rights and hu uh, civil, civil liberties, I knew that was somehow my calling. 

[00:03:55] Brendan Aldrich: As you mentioned, the role of the, the chief privacy officer though is really still pretty [00:04:00] new. I so much like the role of the Chief Data Officer when, when I first took on that role for Ivy Tech in Indiana, at the time, Gartner was estimating that there were just about 4,000 chief data officers worldwide, and I was just the ninth person in that role for higher education, meaning that I was really kind of crafting what it meant while I was.

[00:04:18] I wonder, as the inaugural Chief Privacy Officer for uc, San Diego, do you feel that same kind of, well, let's build the airplane while we're flying. 

[00:04:26] Pegah Parsi: Most universities still don't have a privacy office or a privacy function, even much less a chief privacy officer. So we are at the, at the forefront of that.

[00:04:36] I did start the program here at uc, San Diego, um, and I'm one of the very few full-time privacy officers in the country for, for campus, not for for health systems, but for campus side. It absolutely feels like I'm building my own job, Des. , I get to decide what this entails. I get to decide what sorts of things are important, how to [00:05:00] prioritize things.

[00:05:00] What I tell folks is privacy is where security was maybe 15, 20 years ago, where it was popping up. No one quite knew what it meant. No one knew what it entailed. No one knew what a chief information security officer was, but. 15 years later. There's no doubt that that's a critical position at any research university.

[00:05:23] So privacy is sort of at the, at the beginning part of that journey still, and we get to build that as it goes. Of course, it matters where the privacy officer or the privacy office sits Organizationally, I sit in our academic affairs, which is a little bit unique. There aren't many universities that put their privacy office.

[00:05:42] Because of where I'm located, I have a very broad reach across all of campus. and I'm not seen as a compliance office, which is great. I don't wanna be a compliance person. That's also not a passion of mine. But I get to be an advocate. I get to [00:06:00] talk about ethics. I get to talk about our institutional philosophy around what we do with data, uh, what sorts of stewards we are, of people's information.

[00:06:09] I get to talk about the much broader issues that I do care about in the world. So yes, it is a little bit like flying the plane as you're building it. Absolut. 

[00:06:17] Brendan Aldrich: You make a great point, PE. When you talk about information security as a role versus privacy, and sometimes people can conflate the ideas of security and privacy, although they're really, really different.

[00:06:27] Can you talk a little bit about how you see the difference between those two? 

[00:06:31] Pegah Parsi: One way to view privacy is as having self-determination. Over yourself. Having agency autonomy over your body, your space, your communications, your information. That's how we talk about privacy. Me having control over what happens to my information, whether I wanna keep it hidden, keep it secret.

[00:06:54] That's the concept of confidentiality, whether I want to reveal it, whether I want to curate it. [00:07:00] Whether I think someone should have access to my information and for what purposes, those are the things that fall under privacy. Security is one way of protecting privacy. It is, uh, locking up the information you don't want other people to have access to.

[00:07:18] Allowing access to people that should have access to that information. The analogy I use is security as whether you lock your door and deadbolted and. You know, security, camera watching who comes in and goes out. Privacy is what you do within the walls of, of your house, what you do, who did you marry?

[00:07:38] What sort of, uh, material do you watch online? . So the difference is between the protection of something versus what we should. Be doing with something. We talk about privacy, at least I do, about what I already mentioned. Bodily privacy, territorial privacy, communication, privacy, and data privacy. And those are all interrelated, [00:08:00] but sort of distinct concepts as well.

[00:08:02] So you can think about whether or not you choose to give your information to a website or an app. There are some dating apps that collect, for example, your HIV status. You might give that information because it's relevant, right? It's relevant. In a dating situation, you voluntarily give that information to that app.

[00:08:21] That app might totally secure it. They might encrypt it. They might, you know, have it under lock and key, but their business practice might be. to share that information with some of their vendors, some of their ad networks, so they may share that information, and that's something that that's the difference between privacy and security, right?

[00:08:42] The NSA and Facebook, much of the things that they do are absolutely secure. But I think many of us would take issue with whether or not they should have it to begin with. 

[00:08:53] Brendan Aldrich: I'd love the analogy about the house protecting the information versus, you know, the privacy of what's going on within the house. I, [00:09:00] I hadn't really thought about it that way, and I think that's just such a clear way to differentiate those two 'em.

[00:09:05] I wanna go back to one thing we talked about, which is when you talk about crafting what this role really means inside of uc, San Diego, and, and part of it is it's not just. What that role is within the organization, but your work to help craft what it means in the broader realm of higher education and even outside the walls of academia.

[00:09:24] How are some of the ways that you are leading that charge? 

[00:09:28] Pegah Parsi: Sure. The first thing that's important to note is that we are not in a vacuum. No university isn't a vacuum. In fact, the world is such that most industries, most companies, organizations, aren't in a vacuum. You are sharing information with for-profit entities, government entities, international organizations, NGOs, you're getting information from a variety of different sources.

[00:09:54] We do a lot of different things at a university. We don't just teach people, we house people, [00:10:00] we feed people. We provide healthcare for people. We do a lot of things and collect a lot of information. Share a lot of information. So it's very important to realize. Just because you're working in in higher ed or working in privacy in higher ed, it's not an insular thing.

[00:10:15] You have to know the landscape of privacy everywhere. For that reason, it's important for a higher ed privacy officer to stay abreast of those developments, to be connected to those sorts of associations, to those groups, to understand the latest thinking, the latest technological developments. I do that.

[00:10:36] uh, knowledge sharing very freely with not only my uc, university of California privacy colleagues, but also nationwide. We have a couple of different privacy officer groups that meet on a regular basis to have a free form agenda list conversation. , what are you all dealing with today? How are you handling this thing?

[00:10:58] And that was [00:11:00] immensely useful during Covid. By the way, let me tell you, talk about building a plane as you're, as you're flying it. We had to figure out what everybody else was doing with covid contact tracing, with notifications, with things like doing wastewater testing, vaccinations, all of those things.

[00:11:17] We couldn't do that without collaborating with our colleagues. And uh, like you were noting earlier, this is a new field. We don't have many resource. So, uh, the privacy officer in higher ed absolutely has to work with everybody else, every other privacy officer. I still. Liberally from my privacy officer counterparts at other universities, and I open all of the tools and trainings that I have to everybody else as well.

[00:11:46] They're free to steal those liberally as well. We have to work together, uh, because we, none of us can do it alone. That's one way in the higher ed space that I stay connected. The other one, of course, is with the International Association of [00:12:00] Privacy Professionals, the I A P P, which is sort of the premier.

[00:12:04] Privacy Pro organization and it has folks from all around the, the world working in so many different fields, from privacy engineers to the very technical folks, to data scientists, uh, to government regulators coming together. And that, uh, organization grew significantly in the last few years thanks to the European Union's gdpr, uh, general Data Protection Regulation.

[00:12:26] Uh, that's another place to stay abreast of what's going on in the 

[00:12:30] Brendan Aldrich: privacy space. GDPR is so interesting. To the point where I was actually on a website the other day and when I was actually going through the signup process, it said to not only to list sort of what country you were from, but actually had a note that if you were from a European economic area that they did not want you to sign up.

[00:12:50] And it made me wonder how much that might be gdpr. Really saying, uh, we don't, we maybe don't have our arms around this. We we're not exactly sure, so we'd [00:13:00] rather not have those people as customers right now until we're sure we know what we're 

[00:13:03] Pegah Parsi: doing. Sure. You see that in some spaces where somebody, where an organization either doesn't have their arms around something or they just haven't quite got their ducks in a row yet.

[00:13:15] Or their readiness efforts just aren't up to par yet, and they'll say, we can't honor your rights, so please don't engage. You see that a lot with website privacy statements that say, if you're under 13, don't come here. Don't click on anything. Don't sign up. We are not compliant with the with Kapa, which is the regulation that governs online protection of children's information where they say, Nope, we're not doing that.

[00:13:41] Don't touch this. Go away. 

[00:13:44] Brendan Aldrich: I much appreciated that than sometimes the 12 pages of legalese that most people don't read, that you have to accept to use services where you know it's hidden in there somewhere, but you don't know necessarily what it was. So the fact that it was even called out, I thought was a more responsible approach for the company to take as [00:14:00] opposed to let's just hide it in there where nobody reads and, and just hope we get away.

[00:14:04] Pegah Parsi: Brandon, don't even get me started on legalese and trying to CYA to protect an organization versus actually being transparent and giving the data subjects the information that they need and making sure that individuals are empowered to actually understand what's going on. Again, going back to the understanding of privacy as self-determination as.

[00:14:30] Autonomy over yourself. You can't have autonomy over yourself if you don't understand what's going on, right? Even in the medical space, when you go for medical research or to have a procedure done, they give you a big old consent form to explain everything to you. They sit there and ask you, do you have any questions?

[00:14:45] Do you understand the risks? Do you understand the procedure? Right. It's not exclusively a privacy concept, but it's very much related. It's for you to understand what is happening to your body. That is the concept of bodily privacy, [00:15:00] right? So we expect to have that kind of information to make an informed decision about what goes on with our body.

[00:15:05] But for some reason, when there is this, Very rich digital profile, this rich footprint that we all have, that we're paying no attention to, and we have no idea what's happening to it as if it doesn't have real world consequences. And that data collection about us, that profile that's created about our data is not used to make real everyday decisions about each and every single.

[00:15:33] Brendan Aldrich: So interesting when you mention bodily privacy, it leads into a conversation that you and I had recently. You know, there have been so many shifts in the privacy landscape over the last couple of years, both academically and legislatively. Although, although we're, I'm gonna start is judicially, uh, there's been significant public attention around the Dobbs decision resulting in the Supreme Court overturning Roe v.

[00:15:53] Wade, and I wondered if you might share your thoughts on that. From a privacy per. , first of all, you're absolutely 

[00:15:58] Pegah Parsi: right. There's been a lot of shifts in the [00:16:00] privacy space, uh, in a variety of different ways from goodness, from after nine 11 with the Patriot Act to Edward Snowden's revelations and, and then the GDPR that we talked about.

[00:16:11] Most people. Outside of the privacy profession, don't think of ROE as a privacy decision. I am here to dispel that for everybody. Roe was a privacy ruling. Roe v. Wade was a privacy ruling. Roe sits in a line of cases that are related to bodily privacy, what we call our constitutional right to privacy. . So there's a line of cases, various privacy rulings, all interrelated with Roe about what we can and can't do with our life, with our lifestyle, with our own 

[00:16:51] Brendan Aldrich: body.

[00:16:52] Because Roe was really the first ruling. And then there were a number of other rulings that used that as a foundation around different aspects of privacy. Is that right? It wasn't 

[00:16:59] Pegah Parsi: the first [00:17:00] ruling, but it is the, the, the, the seminal one. It's the one everybody knows about, but there are, there were other ones.

[00:17:06] But they're all interconnected. The point I'm making is the actual theme is bodily privacy and being able to live your life the way that you want to. So there's all these cases that are all about bodily privacy. And what do I mean by that? These were cases that were around things like, uh, interracial marriage, contraceptives, whether or not you can give contraceptive devices to people.

[00:17:32] whether or not you could have obscene material in your home, right? These are all bodily privacy issues, right? They're all within that same category of rulings, and in the middle of them is Roe, and it would be a mistake to view Roe as simply a. Ruling about abortion, it is not, it actually impacts all of these other things that are [00:18:00] important to us that we should not take for granted, and that impact every single one of us, regardless of what we think about abortion.

[00:18:08] In particular, though, I urge anyone that cares about privacy to pay attention to the world ruling. Now, I've said a lot about, um, about it being about bodily privacy. That's not to say that. Data issues aren't being implicated here. Uh, as well, you're hearing a lot of folks asking about, well, can the data that are, are collected about me, whether through apps or websites or whatever, can those be subpoenaed or can they be, uh, can law enforcement have access to that information?

[00:18:42] So it's very important for us to understand, once again, information privacy is not just some thing out in the ether that creeps you out every now and then by showing you a shoe ad because you were talking about a shoe and so you don't care about it. It matters because it [00:19:00] impacts you in your regular everyday life.

[00:19:02] Whether that means your insurance rates go up, whether that means you're subject to a, to investigations, whether that means you are bombarded with anti-abortion ads, if you're in the vicinity of a Planned Parenthood because of geo tagging. People that went close to a Planned Parenthood would get bombarded with very distressing message.

[00:19:25] Uh, because of where they were. That's very troubling. Privacy is not just for criminals. Privacy is not just for whistleblowers. It's not just for VIPs, and it's not just for people that wanna cut the cord and go live in the woods. Privacy is for every single one of us. It's just we take it for granted, I think in this country quite a bit.

[00:19:49] I'm an immigrant from Iran, so I have a little bit of a different relationship with privacy. I've seen those risks. It's very visceral for me, and I understand what happens when they are [00:20:00] stripped away. And so I'm here to ring that alarm and tell people, please don't take it for granted, because the Dobbs decision is what happens, and that has rippling effects in all the other aspects of, of things you care about.

[00:20:13] What I 

[00:20:14] Brendan Aldrich: love so much about that is it's so, so easy for people to take a look at something like the Dobbs decision and see it as just this specific in a box issue that, that you agree with or don't agree. and really miss that underlying message about the, the opening up or the lack of, of privacy, that that may result as a result of that.

[00:20:37] That's right. Let me ask you, for anyone considering a career in privacy, I wonder if there's a piece of advice or a story that you might share with them that might help give them the higher 

[00:20:46] Pegah Parsi: ed. I started viewing my work differently when I shifted my focus from trying to protect the organization, like many risk professionals and compliance professionals do, right?

[00:20:59] [00:21:00] They're charged with protecting the organization. When I shifted my focus to protecting the data subjects, and the the benefits to the organization would follow from that. So I focus. People and protecting them regardless of, you know, fines and audits and et cetera, et cetera, to the organization. That's the first thing.

[00:21:21] The other thing is to be very curious about all of the privacy adjacent fields. Privacy folks, again, are no longer just called on to be compliance people or people to read the law and tell you how to, uh, comply with it. We're increasingly called to be privacy engineers and data ethicists, some of us data scientists to have a real deep technical understanding.

[00:21:46] So I urge anybody that is interested in privacy, I urge them to understand that there are various entry points. First of all, whether you're a legal person or a technical person, or an advocate or [00:22:00] law enforcement, whatever, they're different avenues to get into the privacy. But once you're in that space, you better be really, really interested in learning all the other pieces as well so that you can be a really good all around privacy officer, 

[00:22:15] Brendan Aldrich: you and I were talking recently about how you were working with the team at the city of San Diego.

[00:22:20] Was there anything related to some of the, the advice they were looking from you, uh, that would be 

[00:22:24] Pegah Parsi: related to that? I provide privacy services to a variety of. Things in my life. I volunteer, for example, for the Afghan, a coalition that helps get at risk Afghans out of, get them to safety a, as you might imagine, very important privacy issues there.

[00:22:41] If their information gets into the wrong hands, it's not just that, oops, their, you know, credit score might be impacted. People die, right? So I provide services around privacy there, but also in my local community. . I work with various task [00:23:00] forces and city council in San Diego and the city of Chula Vista.

[00:23:04] To talk to them about their law enforcement's use of technology, their city's use of technology. This came under more and more scrutiny after the murder of George Floyd. During that summer of, of protests, certainly the main focus was on. Physical police brutality. But on the periphery of that many privacy advocates were also saying, Hey, don't forget about all these other police practices, uses of technology, uses of data.

[00:23:34] uh, and some of the data practices that, that go on at cities. Uh, so because of that conversation, think you're seeing more municipalities take up that issue and start, um, considering, Hey, how do we get a handle on the types of technologies we use? What are they collecting? And they're not always built as surveillance technologies, right?

[00:23:57] In fact, for, for us here in San [00:24:00] Diego, our Star Smart Streetlights program, Was billed to help with our climate goals and our traffic goals, and you know, just improving city life. So they weren't meant for law enforcement, but once folks started looking at what's being captured, they saw, oh, this is actually capturing who's coming, who's going, who's doing what?

[00:24:22] And that can then be used by law. . There are some places where law enforcement, instead of acquiring the surveillance themselves, will subsidize citizens to get things like ring doorbells or Arlo doorbells or whatever and give access to the police department. And my neighbor has a ring doorbell that looks right at my door,

[00:24:47] It looks right in my door. If my neighbor chooses to hand that over, warrantless to the police, he can. , he won't, he knows better, but he can do that. Right? . So those are the types of [00:25:00] things that, um, that I'm also involved in as a, as a privacy advocate, uh, to, to inform. That's fantastic. Yeah. To inform the task forces and the city government.

[00:25:10] I, my role, I see my role not as being a partisan person in this, in this fight. I think privacy is something that transcends partisan boundaries, um, and. And it is a mistake to think that it's, you either have privacy or public safety. You either have privacy or student success. You either have privacy or public health.

[00:25:36] That's not it. You, it is not. That's not a minor interest. All privacy can sit in the same hand at the same time as all of these other things. It can actually enable you to do that. We saw that during the COVID 19 pandemic. where uh, people were hesitant to share information. They didn't want to tell us as [00:26:00] their employer or as their university where they'd been, who their contacts had been, right.

[00:26:05] They were worried about that until the privacy people stepped in and said, Hold on. We're gonna be transparent about what we're doing. We're gonna explain everything. We're gonna put safeguards around this so that you can trust us. Once we did that, our compliance rates went through the roof and people felt more comfortable participating.

[00:26:24] So in fact, privacy was instrumental in getting the, the end result of having one of the safest, um, campuses in the. 

[00:26:35] Brendan Aldrich: Well, and privacy, as we've learned over the course of our conversation, is an incredibly complex, but an important and critically important issue. And Peggy, I'm so glad we've got people with your passion and your kind of dedication and commitment to lead the charge 

[00:26:48] Pegah Parsi: on that.

[00:26:48] Well, thank you for giving me this platform to, uh, to chat about it. 

[00:26:52] Brendan Aldrich: For our listeners, we've been talking to Pega Parsi, the inaugural Chief Privacy Officer for the University of California San Diego Pega. If listeners would like to [00:27:00] reach out to you with questions about today's episode or to continue the conversation, are you, are you open to that?

[00:27:05] Pegah Parsi: Absolutely, I am. I will. Also, I will ask people to visit the website that we have, privacy.ucsd.edu. Also, I have a privacy one-on-one workshop that I teach once a month. Open and free to anyone anywhere in the world that wants to attend, register, and come on in. It is helpful whether you're in higher ed, not in higher ed, just a regular person in the world that wants to learn about privacy.

[00:27:29] Privacy 1 0 

[00:27:30] Brendan Aldrich: 1 workshop. Perfect. And where do they go to find that? Signup form. 

[00:27:34] Pegah Parsi: privacy.ucsd.edu. Under education 

[00:27:37] Brendan Aldrich: and training. And if you'd like to continue the conversation with Pega, you can go ahead and reach out to her at pega@thehigheredge.com, and that's Pega, P e G a h, at the higher edge.com. Pega's, such a pleasure to have you on the show.

[00:27:51] Thanks again for coming on and being guest with us on the higher edge. And for everyone listening, I'm Brendan Aldrich and we'll talk. 

[00:27:58] Pegah Parsi: Thanks for 

[00:27:59] Announcer: listening to The [00:28:00] Higher Edge. For more, subscribe to us on your favorite podcast platform. Leave us a review if you loved the show, and be sure to connect with Brendan on LinkedIn.

[00:28:09] Know someone who's making big changes at their higher ed institution that belongs on this podcast. Drop us a line at podcasts@thehigheredge.com. The Higher Edge is sponsored by Invoke Learning. In partnership with Westport Studios view an opinions and. Expressed by individuals during the podcast are their own.

[00:28:30] See how Invoke Learning is empowering higher education@invokelearning.com.