About
The University of Illinois manages research data systems, procurement processes, and student-facing technologies across its many departments, each with different privacy risk profiles. Vendors and services range from the university's learning management systems to student clinic medical record management to online conferencing platforms like Zoom. The Privacy Office within the Office of the CIO, working alongside the cybersecurity team, evaluates these systems to ensure compliance with federal and international regulations while supporting researchers' legitimate data needs and smooth institutional operations.
Process
As part of the Privacy Office, I led over 20 privacy impact assessments (PIAs) across university operations. Each assessment involved evaluating a system or vendor against applicable regulatory frameworks: FERPA for student data, HIPAA for health information, GDPR and PIPL for international research data, and the NIST Privacy Framework as an overarching risk methodology. A detailed overview of the process is in the diagram above.
For each PIA, I:
Scoped data flows and identified what personally identifiable information was being collected, processed, and stored
Evaluated vendor privacy policies against university data governance standards
Identified privacy risks and delivered actionable recommendations centered on data minimization, purpose limitation, and informed consent
Advised researchers on consent mechanisms and international data protection implications, often collaborating with the Institutional Review Board
Beyond individual assessments, I contributed to developing Knowledge Base articles, including overviews of emerging privacy legislation, and participated in campus-wide presentations to promote a culture of privacy awareness.
Impact
20+ PIAs completed across research data systems and procurement
Advised researchers in multiple departments on international data protection (Brazil, Spain, India)
Developed institutional resources that scaled privacy knowledge beyond the team
Contributed to shaping the privacy team's values, workflows, and advocacy strategy
Served on Planning Committee for Privacy Everywhere Conference (Human-Centred by Design)
Reflection
What I took from this work: privacy in institutional settings is as much a communication and design problem as a regulatory one. The frameworks matter, but only if they translate into guidance practitioners can act on. This experience shaped how I approach AI governance: policy has to be built for the people who implement it, not just the people who write it.
Role: Privacy Analyst
Timeline: Aug 2023 - Aug 2025
Location: University of Illinois Urbana-Champaign, Office of the CIO
Methods: Privacy Impact Assessment, NIST Privacy Framework, Vendor Evaluation, Stakeholder Advisory
Frameworks: FERPA, HIPAA, GDPR, PIPL
Scope: 20+ assessments across research data systems and procurement; 50,000+ affected students and staff
Stakeholders: Registrar, Student Affairs, Institutional Review Board, 10+ academic departments
Output: Privacy risk recommendations, Knowledge Base articles, campus-wide presentations, standardized consultation workflows
Presentation: "Think like a Privacy Pro: Privacy In Practice"