I. The Privacy Professional

The past two decades have seen a tremendous rate of innovation in the way that data is managed and processed. Some of this data pertains to individuals, and how it is processed can have positive or negative consequences for those individuals. Because of these consequences, a burgeoning profession has emerged to help manage these issues. Ten years ago there were relatively few individuals who considered themselves “privacy professionals”. There were lawyers, professors, IT managers, engineers and marketers who worked on privacy issues, but very few of them would have described themselves as “privacy professionals”. Fast forward to 2009, and the environment is starkly different. There is an International Association of Privacy Professionals (IAPP) with over 5,300 members. The IAPP offers a Certified Information Privacy Professional (CIPP) certification, which over 2,200 individuals have obtained. Most of the Fortune 100 have Chief Privacy Officers, who oversee staffs of “privacy professionals”. This raises two questions:

1. Why are businesses hiring, training and investing in privacy professionals?
2. What exactly makes someone a “privacy professional”?

II. The Accountable Organization

When drafting global privacy programs, most large companies need to look towards an increasingly confusing and non-harmonized patchwork of global legislation. While there are efforts to harmonize around central standards or legislative approaches (the EU’s Directive 95/46/EC is the most obvious and productive example), there will always be situations where individual countries’ unique historical, political, economic or religious environments necessitate specific approaches to the protection of personal data. These culture-specific environments also shape the expectations of citizens on how their fundamental rights will be respected by those who collect and process information that pertains to them.

Due to the difficulty of creating a global program out of such a patchwork, one useful approach has been to look at the high-level principles that have been accepted broadly (albeit to different extents) over the past 40 years, and at how those principles have been applied in some of the major laws. One of these basic principles is “accountability”. The accountability principle is included in:

1. the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines);
2. the Asia-Pacific Economic Cooperation Privacy Framework (APEC Privacy Framework);
3. the European Union’s Directive on the Protection of Personal Data;
4. Canadian private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA); and
5. the Safeguards Rule of the Financial Services Modernization Act of 1999, commonly referred to as the Gramm-Leach-Bliley Act.

Definitions of what is meant by “accountability” vary across these instruments, but a useful approximation is the following amalgam, written by the Center for Information Policy Leadership for a conference it convened with the OECD in Dublin, Ireland: “Accountability is the obligation and/or willingness to demonstrate and take responsibility for performance in light of agreed-upon expectations. Accountability goes beyond responsibility by obligating an organization to be answerable for its actions.”

Perhaps it is this concept of accountability that explains why organizations are investing in privacy professionals. Companies, government organizations and NGOs all need to show that they are accountable for how they process and use personal data.

III. Accountable to Whom?

Privacy professionals appear to know that they must be accountable. The principle is included not just in broad international articulations of goals, but also in statutes and regulations that create compliance obligations. It is clear that privacy professionals must be accountable to the regulators who have the responsibility of enforcing those laws and regulations. However, most privacy regulations also include provisions on individual participation, which require accountability to the individual to whom the data pertains. This accountability to the individual derives from the fact that in some cultures privacy is described as a fundamental human right, and in many others it is considered a substantial value and interest of the individual. Therefore, I propose that accountability is best accomplished by increasing the level of respect for privacy, while also optimizing other critical values such as economic growth and the free flow of information. This should be the goal of the privacy profession, and of any regulatory system that wants to foster an empowered privacy profession.

IV. Mechanisms to Get There

If we start from the assumption that it is a laudable goal to increase the level of respect for privacy while also increasing economic growth and the free flow of information, then the next question is how to accomplish all three of those objectives. I assert that there are three different mechanisms that should be used in concert:

1. Triangle of Trust – Companies, governments and NGOs should come together to set minimum requirements. These requirements create the rules that privacy professionals must comply with, but it is important that accountability be about more than just compliance. Some of the rules should be contained in regulation, but many should be industry best practices codified and administered by NGOs. Rules will always trail innovation and threats to privacy, and malicious actors will always find ways around a structure built on a culture of compliance alone. An optimized privacy system should encourage accountable companies that constantly aim to protect individuals, instead of merely looking to comply with rules.

2. Market Development – Companies, governments and NGOs should help foster market factors that encourage companies to think of privacy as a competitive advantage. Privacy outreach and education (such as was done for Data Privacy Day) can be a critical method of creating situations where privacy is a value that individuals seek out, and which can be a market differentiator for companies.

3. Aspirational Goals – For privacy to be a real profession, the profession must stand for something. I have stated above that I believe what the profession should stand for is an increased level of respect for privacy. Privacy professionals cannot truly be accountable to the individuals to whom the data pertains if they are solely focused on minimizing the liability of their employers. Privacy professionals should take an oath to “work towards furthering the respect of privacy for individuals.” It is this goal that should be the lens through which privacy professionals view their work. Doctors are charged with an oath to look beyond the profits of their employers. Lawyers are often charged with the duty to respect constitutions and ethical codes. Accountants now have an oath which requires service towards the public good. A similar privacy professional oath could galvanize and strengthen privacy as one of the critical professions for our digital world. Further, certified privacy professionals should be expected to do pro bono privacy service in the community. This could be educating young people about privacy risks, or helping senior citizens understand the issues created by today’s wondrous technology innovations.

Some fear aspirational goals because they are unsure of the implications for individuals who are deemed to fall short. However, to help nurture a privacy profession, we do not need to start with detailed ethical codes, enforcement and penalties. Instead, a first step should be merely to have the privacy professional take an oath to say they will work to increase the level of respect for the privacy of the individual. This step alone may take the profession further towards accountability than any detailed ethical code.