Nurturing an Accountable Privacy Profession

I. The Privacy Professional – The past two decades have seen a tremendous rate of innovation in the way that data is managed and processed. Some of this data pertains to individuals, and how it is processed can have positive or negative consequences for the individual. Because of these consequences, a burgeoning profession has emerged to help manage these issues. Ten years ago there were relatively few individuals who considered themselves “privacy professionals”. There were lawyers, professors, IT managers, engineers and marketers who worked on privacy issues, but there were likely very few who would call themselves “privacy professionals”. Fast forward to 2009, and there is a starkly different environment. There is an International Association of Privacy Professionals (IAPP) with over 5,300 members. The IAPP offers a Certified Information Privacy Professional (CIPP) certification, which over 2,200 individuals have obtained. Most of the Fortune 100 have Chief Privacy Officers, who oversee staffs of “privacy professionals”. This raises two questions: 1. Why are businesses hiring, training and investing in privacy professionals? and 2. What exactly makes someone a “privacy professional”?

II. The Accountable Organization – When drafting global privacy programs, most large companies need to look towards an increasingly confusing and non-harmonized patchwork of global legislation. While there are efforts to harmonize around central standards or legislative approaches (e.g. the 95/46 Directive is the most obvious and productive example), we will always have situations where individual countries’ unique historical, political, economic or religious environments necessitate specific approaches to the protection of personal data. These unique, culture-specific environments also shape the expectations of citizens on how their fundamental rights will be respected by those who collect and process information that pertains to them. Due to the difficulty in creating a global program out of such a patchwork, one useful approach has been to look at the high-level principles that have been accepted broadly (albeit to different extents) over the past 40 years, and how those principles have been applied in some of the major laws. One of these basic principles is “accountability”. The accountability principle is included in:

Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines)

Asia Pacific Economic Cooperation Privacy Framework (APEC Privacy Framework)

The European Union’s Directive on the Protection of Personal Data

Canadian private-sector privacy law: The Personal Information Protection and Electronic Documents Act (PIPEDA), and

The Safeguards Rule of the Financial Services Modernization Act of 1999, commonly referred to as the Gramm Leach Bliley Act.

Definitions of what is meant by “accountability” vary in these instruments, but a useful approximation is the following amalgam written by the Center for Information Policy Leadership for a conference they convened with the OECD in Dublin, Ireland:

Accountability is the obligation and/or willingness to demonstrate and take responsibility for performance in light of agreed-upon expectations. Accountability goes beyond responsibility by obligating an organization to be answerable for its actions.

Perhaps it is this concept of accountability that is the reason why organizations are investing in privacy professionals. These companies, government organizations and NGOs all have a need to show they are accountable for how they process and use personal data.

III. Accountable to Whom?

Privacy professionals appear to know that they must be accountable. The principle is included not just in broad international articulations of goals, but also statutes and regulations that create compliance obligations. It is clear that privacy professionals must be accountable to these regulators who have the responsibility of enforcing their laws and regulations. However, most privacy regulations also include provisions about individual participation, which require accountability to the individual to whom the data pertains. This accountability to the individual is derived from the concept that in some cultures privacy is described as a Fundamental Human Right, and in many others it is considered a substantial value and interest of the individual. Therefore, I propose that accountability is best accomplished by increasing the level of the respect for privacy, while also optimizing other critical values such as economic growth and the free flow of information. This should be the goal of the privacy profession, and any regulatory system that wants to foster an empowered privacy profession.

IV. Mechanisms to Get There

If we start from the assumption that it is a laudable goal to increase the level of respect for privacy, while also increasing economic growth and the free flow of information, then the next question is how to accomplish all three of those objectives. I assert there are three different mechanisms that should be used in concert:

1. Triangle of Trust – Companies, Governments and NGOs should come together to set minimum requirements. These requirements create the rules that privacy professionals must comply with, but it is important that accountability be about more than just compliance. Some of the rules should be contained in regulation, but many should be in industry best practices codified by and administered by NGOs. Rules will always trail innovation and threats to privacy. Malicious actors will always find ways to go around a structure built on a culture of compliance. An optimized privacy system should encourage accountable companies who are constantly aimed at protecting individuals, instead of merely looking to comply with rules.

2. Market Development – Companies, Governments and NGOs should help foster market factors that will encourage companies to think of privacy as a competitive advantage. Privacy outreach and education (such as was done for Data Privacy Day) can be a critical method to create situations where privacy is a value that will be sought out by individuals, and which can be a market differentiator for companies.

3. Aspirational Goals – For privacy to be a real profession, the profession must stand for something. I have stated above that I believe what the profession should stand for is an increased level of respect for privacy. Privacy professionals cannot truly be accountable to the individuals to whom the data pertains if they are solely focused on minimizing the liability of their employers. Privacy professionals should take an oath to “work towards furthering the respect of privacy for individuals.” It is this goal that should be the lens through which privacy professionals view their work. Doctors are charged with an oath to look beyond the profits of their employers. Lawyers are often charged with the duty to respect Constitutions and ethical codes. Accountants now have an oath which requires service towards the public good. A similar Privacy Professional oath could galvanize and strengthen privacy as one of the critical professions for our digital world. Further, certified privacy professionals should be expected to do pro bono privacy service to the community. This could be educating young people about privacy risks, or helping senior citizens to understand the issues created by today’s wondrous technology innovations. Some fear aspirational goals because they do not understand the implications of what would happen to individuals who are deemed to fall short. However, to help nurture a privacy profession, we do not need to start with detailed ethical codes, enforcement and penalties. Instead, a first step should be merely to have the privacy professional take an oath to say they will work to increase the level of respect for the privacy of the individual. This step alone may take the profession further towards accountability than any detailed ethical code.

7 Responses to Nurturing an Accountable Privacy Profession

  1. Increasing the level of respect for privacy and the individual is something that should be inherent to all privacy professionals as we (hopefully) best understand the risks and impact of the loss or misuse of personal information to an individual and/or an organization.
    An “oath of privacy” is a good idea to establish some basic principles around accountability and our responsibilities, but in the end, our actions are still determined by our values and desire or willingness to help and protect others.
    Eric Nelson
    President
    Secure Privacy Solutions

  2. Kirk Herath says:

    Accountability is and should always be at the center of everything we do that’s important to us – with our families, our religions, and our work. I generally believe that most of us have already spoken the oath that you seek – whether silently to ourselves or publicly to those we work with throughout our businesses. Generally, I would also think that our individual success, or not, is predicated on our ability to evangelize the idea of privacy and how it makes good sense for us and our customers. When I think about where we were 10 years ago and how privacy has now been largely ingrained into most of our corporate cultures, it could never have happened without a priesthood of “believers”. Thus, my friend, I believe that the general foundational oath for which you are arguing already exists. I know that I made it.

  3. Well said, David. The challenge though is that not every privacy officer is indeed an accountable privacy pro – some are lawyers representing the goals of their business, some are public policy professionals, government affairs folks or advocacy outreach or training professionals. All noble jobs, but the accountability to the user isn’t present in many of these gigs. Agreed that it would be of great value to make it clear that to have the title, you are accountable to a higher cause and have an ethical mandate to live up to.

  4. Jay Libove, CISSP, CIPP says:

    I address this from the private sector perspective. (A similar argument can also be made for the public sector). The degree to which a privacy professional can actually honor this oath (which I, too, have personally taken) is limited, forcefully, by the economic situation and the leanings of senior management. Only in an effectively legislated and regulated society (such as in some countries in Europe and elsewhere) could a privacy professional not be frequently in a conflict of interest between corporate goals and an oath to enhance privacy accountability.
    I agree with your principle, David. I simply warn that we not promote a situation in which members of our profession must too often make the choice between keeping their jobs and keeping their oath. I’ve personally been there.
    Until then, we can best achieve the goals of this proposed oath by continuing our education efforts everywhere – individuals, private enterprise, governments, and NGOs – towards the day when most societies are effectively legislated and regulated for privacy accountability, and it no longer is a conflict of interest for a privacy professional to honor that oath.

  5. Spot on, David. This pursuit began as a community of people interested in doing the right thing for our customers and our businesses. What we realized then was that data privacy, like liberty, is a common good – respecting PII yields societal benefits. I agree that it is now time that we all pursue privacy in a purposeful way, with real goals of respecting and protecting PII in all its many forms. Through explicit standards, accepted norms, and personal commitments, we can further our profession and, above all, energize trust, which is sorely lacking in our society, markets, and communities.

  6. David, I am delighted that this dialogue has been initiated. My personal opinion is that this is exactly the right time to engage in such a dialogue and perhaps develop a Code of Conduct, ethics guidelines, etc. The profession really cannot fully evolve in a meaningful and responsible sense without such. That said, in these relatively early phases, such guidance, codes, etc. should not be applied in a punitive sense, but rather designed with a goal of community enhancement/awareness perspective.

  7. john kropf says:

    David,
    Well said. While directed at the commercial world, I think accountability as you describe it can also be applied to the government space.
    Also like your real world statement that “accountability is best accomplished by increasing the level of the respect for privacy, while also optimizing other critical values such as economic growth and the free flow of information.” Likewise, government also has to factor in security and other individual values.