National Data Privacy Week, observed each year during the last week of January, highlights the ongoing importance of protecting personal information. Since its launch in 2008, the week has served as a call to action for individuals and organizations alike to strengthen data protection practices and stay vigilant as privacy risks and expectations continue to evolve. This year, Data Privacy Week is taking place from January 26-30, 2026, with the theme “Take Control of Your Data.”
At the University of California Office of the President (UCOP), systemwide Privacy Officer Al Lavassani leads efforts to advance privacy across the UC system. With deep expertise in security, governance, risk and compliance, Al is focused on strengthening UC’s privacy framework while helping the organization navigate an increasingly complex landscape of data use, risk and regulation.
In February 2025, we spoke with Lavassani during National Data Privacy Week, where he outlined several key priorities for building UC’s privacy program. One year later, we asked him to share updates on how that work is progressing.
Priority #1: Establishing a Privacy Office to identify and manage privacy risk and compliance issues
Q: What does that office look like today, and what new capabilities does it bring to UC?
A: Today, UC’s Privacy Office functions as a systemwide coordination and oversight hub that supports UCOP units and campuses while respecting UC’s decentralized operating model. The office provides consistent guidance on privacy compliance, risk management, and best practices, while also serving as a central point for interpreting evolving privacy laws and regulatory expectations.
Also, the office assesses processing activities involving personal data, working closely with security, IT, Legal, and procurement partners. During 2025, we helped shift privacy from a reactive function to a proactive and embedded part of how UC operates and will continue to do so in 2026 and beyond.
Q: How does a centralized privacy office help campuses and units do their work more effectively while also reducing risk for UC as a whole?
A: A centralized privacy office reduces duplication of effort and uncertainty by providing shared tools, guidance, and standards that campuses and units can rely on. Instead of each unit independently interpreting privacy requirements, they can align to a common approach that is tailored locally but consistent systemwide.
This model also improves risk visibility. By having a clearer picture of data processing activities across UC, the Privacy Office can identify patterns, emerging risks, and opportunities for improvement earlier—benefiting individual campuses and reducing systemic risk for UC as a whole.
Priority #2: Creating systemwide privacy training materials
Q: What training resources are now available, and who should be using them?
A: UC offers some systemwide privacy training resources designed for a broad audience, from general awareness training to role-based guidance for those who regularly handle personal or sensitive data. These materials are intended for faculty, staff, researchers, and administrators across all campuses and units. Check out UCSD’s Privacy Training, which we can all benefit from. We are planning to add more training materials in 2026.
The goal is to make privacy concepts practical and relevant, helping people understand not only their obligations, but also how privacy considerations fit into everyday activities such as procurement and system design.
Q: Why is privacy training so important for UC employees, faculty, staff and even those who don’t think they handle sensitive data?
A: Privacy is not limited to obvious sensitive datasets. Many privacy risks arise from everyday information—names, email addresses, student records, employee data, or research-related information—that people may not initially think of as “high risk.”
Training helps build a shared baseline of awareness so individuals can recognize when personal data is involved, ask the right questions early, and know when to seek guidance. This proactive awareness is one of the most effective ways to prevent issues before they occur.
Priority #3: Raising awareness through a significant increase in outreach
Q: What new efforts or programs have been launched to raise awareness across UC?
A: Over the past year, UC has expanded outreach through coordinated communications, targeted presentations, campus partnerships, and the integration of privacy messaging into existing security and compliance initiatives. Privacy Awareness Week itself has become an important focal point for these efforts.
By meeting people where they are through various governance and working groups, training programs, and operational workflows, we’ve been able to reach a broader audience and make privacy a more visible and approachable topic.
Q: How have you seen these outreach efforts change how people think about privacy in their day-to-day work?
A: We are seeing a shift from privacy being viewed as a barrier or a “check-the-box” requirement to being recognized as an enabler of trust and responsible innovation. More teams are engaging in the Privacy Office earlier in projects, asking better questions about data use, and thinking more intentionally about documentation and transparency.
This cultural change is gradual, but it is one of the most meaningful indicators of progress.
Priority #4: Enhancing vendor risk assessments with a focus on privacy and AI
Q: How has UC strengthened its approach to evaluating vendors from a privacy and AI perspective?
A: UC has enhanced vendor risk assessments by placing greater emphasis on how vendors collect, use, share, and protect personal data, as well as how AI tools are trained and deployed. This includes clearer expectations around data governance, transparency, and accountability.
Privacy, security, legal, risk, procurement, and IT teams now work more closely together to evaluate risks holistically, rather than in silos. This collaborative approach is especially important as AI-enabled tools become more common across teaching, research, and administration.
Q: What should departments and researchers keep in mind when selecting or using third-party tools that process UC data?
A: Departments and researchers should think carefully about what data a tool or activity requires, how that data will be used, and whether the use aligns with UC’s values, obligations, and privacy principles. It’s critical to involve privacy, security, legal, risk, and IT partners early, before a tool or process is adopted or data is shared.
Clear documentation of data flows, purposes, and safeguards is not just a compliance exercise; it helps ensure informed decision-making and reduces surprises later.
Priority #5: Improving internal and vendor reviews and risk assessment processes and tools
Q: What has changed over the past year?
A: Over the past year, UC has refined its internal review processes to make them more consistent, scalable, and transparent. There is a stronger focus on documenting processing activities, identifying risks earlier in a project’s lifecycle, and aligning reviews across privacy, security, legal, risk, and IT.
Q: How do these improvements help UC identify and mitigate privacy risks earlier and more effectively?
A: By embedding privacy considerations earlier and using clearer, more standardized processes, risks can be identified when they are easier and less costly to address. Early engagement also supports better system design, stronger controls, and clearer accountability.
Ultimately, this leads to better outcomes for individuals whose data we steward and for UC as an institution.
A Broader View of Privacy
Now that we’ve covered UCOP privacy objectives, let’s talk a little bit about privacy in general.
Q: What’s the biggest misconception people still have about privacy?
A: One of the biggest misconceptions is that privacy is only about compliance or avoiding penalties. In reality, privacy is about trust, transparency, and responsible stewardship of information. Strong privacy practices support UC’s mission by enabling ethical research, effective operations, and confidence among students, faculty, staff, and the public.
Q: If you look ahead three years, what would success look like for UC’s privacy program?
A: Success would mean privacy is consistently embedded into decision-making, system design, and operations across UC. We would have clear, well-documented processes for managing personal data; strong collaboration between privacy, security, legal, risk, procurement, and IT; and a culture where people feel empowered to ask questions and raise concerns about their personal data.
Most importantly, success would be reflected in the trust placed in UC by the communities we serve.
Q: Is there anything else you’d like to add?
A: Privacy is a shared responsibility. While policies and offices are important, lasting progress depends on everyday choices made across the institution. Continued collaboration and open communication are key.
Q: For UC faculty, staff, students and researchers reading this, what is one simple action they can take right now to better protect privacy?
A: Pause and ask a simple question before collecting or sharing data: Do I need this information, and do I understand how it will be used and protected? That moment of reflection can prevent many common privacy issues.
Q: Where should people go if they have questions about privacy or want to learn more about UC’s privacy resources?
A: Start with your local campus privacy or compliance resources and the UC systemwide privacy and security websites. The Privacy Office (privacy@ucop.edu) is also available to help connect individuals with the right guidance and partners.
Additionally, learn more through these resources:
- Systemwide Information Security website
- UC Privacy Compliance
- UC Privacy Values and Principles
- Data Privacy Week – National Cybersecurity Alliance
- National Cybersecurity Alliance Launches Data Privacy Week 2026
Contact
Al Lavassani
Privacy Officer
UC Office of the President
