 The EDUCAUSE Privacy Showcase gives us all a chance to learn about privacy and higher education these days. This series collects a wealth of materials, and collectively, they offer six major lessons. So let's explore them, and let's consider the implications for you. Always true to some extent, but no longer marginal, almost all kinds of work, research, learning, and teaching are being conducted in homes, cars, and the like. EDUCAUSE's inaugural Information Security Horizon Report declares remote work to be an uber trend because it permeates so many aspects of higher education. And why does this matter to privacy? Well, not everyone has the luxury of a separate home office, network, and equipment dedicated entirely and only to work or learning. IT, legal, privacy, and risk professionals need to adapt to supporting zero-trust environments. The 2021 EDUCAUSE IT issues offers three paths for action. The Restore Path starts with ensuring faculty, staff, and students can understand and recognize threats to privacy and how to mitigate or respond to them off-campus as well as on. Evolving from where the pandemic has left us means adapting existing policies to a permanently hybrid work environment, but to transform and help lead the way for all of higher education. Institutions are going to want to rethink the workplace entirely from equipment to tools to security to training and design for the reality that is. Privacy has two facets. Data privacy, the one institutions most often focus on, and personal privacy, the one students and other people are most concerned about. Today's legislation, and therefore the default privacy focus of most institutions, is about protecting data privacy. But when people talk about privacy, they're worried about freedom from surveillance. The University of Michigan Six Words About Privacy Project is giving us insights about how people think about privacy. It's time to reframe the privacy conversation. Yes, we need to protect people's data, but we need to recognize the people behind the data and focus on protecting them. So start with restoring data privacy so it applies to all contexts, but then evolve privacy to focus on people as well as data. To transform, reframe the privacy conversation as one about individual freedom and institutional trust. The shift to remote learning has generated enormous additional amounts of data, including data that can be useful to student success initiatives. Analytics and data are also fueling new recruitment and enrollment methods. As analytics and enterprise architecture mature, we can make more of an impact with data. And more data, used more widely, increases privacy risks for current and prospective students. So we need to double down on data and privacy governance. Institutions looking to restore privacy governance should focus on understanding what data they have, where it is, and how it's used. Those looking to evolve privacy governance should develop a data governance structure that integrates privacy and data governance. And even institutions that have ongoing data governance should work to transform their programs to allow for the ways data are used today. We've learned a lot about how to create better privacy environments for students. Students care about their privacy and they have questions about how their data is being used and how it will benefit them, and they don't want today's data to backfire tomorrow. But today, few students know the answers to these questions. Remote learning has also spawned remote assessment and proctoring, and privacy is one of the major challenges with it. On the bright side, many students trust their institutions' use and safeguarding of their data, and they have far more trust in colleges and universities than in corporations. Institutions need to reform student privacy or risk losing the trust that many students still have. Institutions need to develop or update policies and practices to ensure students know how their data is being used and how it benefits them. And what needs to evolve? Well, as the 2021 Information Security Horizon Report recommends, students increasingly expect higher education institutions to allow them to opt out of personal data collection and use. Well, what should be transformed? Faculty and academic leaders committed to online learning should rethink assessment entirely. Right now, privacy leadership and management is mostly falling to IT, followed by legal or compliance. And processes related to privacy risk and compliance are still underdeveloped. The EDUCAS Core Data Service suggests that we may be underinvesting in privacy. And Huron's Merritt Neal and Matthew Traniacchi remind us that tools, regulations and policies to address data privacy can't match the pace of technological innovation. It's past time to mature institutional privacy management and leadership. What needs to be restored? Outreach and communications are a relatively low lift that can go a long way. And we need more chief privacy officers. CPOs can help institutions create a strong privacy culture faster and keep the people whose privacy must be protected, front and center. Institutional privacy policy and governance also need to evolve. Privacy offices need to establish responsibilities and processes, interpret policies, investigate violations and help the institution articulate and achieve a set of outcomes. What must transform? Conceptions of privacy should be rooted in the institution's privacy values and reflected in the way privacy is communicated, managed and led. Privacy regulations that affect U.S. higher education are at the state level, federal level and even outside the U.S. Regulations cover different privacy realms but the protections overlap for individuals. Sorting it out to develop umbrella institutional policies and practices requires special knowledge and an awful lot of time. And because the policy landscape is shifting, addressing it is an ongoing effort. And a word of warning, increasing amounts of data are created, housed and used on third-party platforms, which is a growing iceberg of data and risk of which only the tip is visible. The 2021 Information Security Horizon Report highlights what needs to evolve and what needs to be transformed. First, institutions need to verify vendor compliance with regulations like FERPA and HIPAA. To evolve beyond baseline privacy regulations, consider complying with the European Union's GDPR, if you aren't already. Institutions can help transform our entire sector by working with their state legislatures to craft student data privacy laws like the University of Maryland system has done. Going forward, institutional leaders need to bake privacy into all their decisions. It's past time for privacy to expand beyond compliance to address what should be protected, incorporate ethical implications and balanced institutional priorities with the rights of individuals.