With privacy breaches and security threats making headlines around the world on a daily basis, it’s becoming increasingly obvious to most enterprises that the personal information and sensitive data they hold is an extremely valuable commodity. However, shared inappropriately—whether by accident or breach—the disclosure of sensitive data can have dramatic financial impacts on an organization and erode consumer trust. The good news here is that this should be highly preventable. So in honor of Data Privacy Day—which will be celebrated this year on Tuesday, January 28—here are 10 tips for improving your privacy and data protection programs in 2014.
A recent article in The New York Times noted that every one of Volkswagen’s (VW) manufacturing plants in the world has an employee works council except one: the VW plant in Chattanooga, TN. Works councils are popular in VW’s home country of Germany and were created by a directive in the European Union. This directive mandates that employees have a voice in working with management about working conditions in their environment.
U.S. chief privacy officers (CPOs) and their European counterparts—data protection officers (DPOs)—often work with works councils in many areas but especially in protecting employee privacy. In fact, German DPOs and their corporate works councils have a reputation for being strong defenders of privacy rights. Want to monitor e-mail or social media in the workplace? Centralize your HR records in the U.S.? Or ready to add a whistleblower hotline? The German Works Council Act, for example, empowers the works council to give or refuse consent to many employee-monitoring devices. All of these require advance consultation with the organization’s works council, and you can expect to hear a strong statement in support of protecting privacy rights!
When I was Chief Privacy Officer at the U.S. Department of Homeland Security from 2009-2012, I was asked frequently how the Department of Homeland Security Privacy Office was able to ascertain whether the privacy protections initially embedded in DHS programs and systems were being applied, and whether they were effective in protecting privacy. As with many things in privacy, the answer is: auditing and accountability, the last Fair Information Practice Principle. In order to be effective, the accountability must be integrated through all parts of the information governance lifecycle, including analyzing the privacy programs at the Department and component level themselves.
To more accurately assess this inquiry, I looked outside of associations based solely on one’s education and looked for associations based on one’s role or job and I found several examples of codes of ethics for professionals. There are members of IAPP who are also members of some of these other professional associations: HCCA, ISC2, SCCE, just to name a few. Additionally, many members of the IAPP are licensed attorneys and bound by the ethics of their license; such is also true for medical professionals, accountants, social workers, teachers, and many other fields. Alex Fowler addressed this same issue.
Having experience in the medical, educational and legal environments, I am acquainted with the potential for conflict between professional obligations. For example, I occasionally faced conflicts between my obligations as a nurse and my obligations as an attorney. While there is always an eventual decision made after careful analysis, this decision is not always concrete and is subject to context and opinion.
The recent news about the extent to which the U.S. government is monitoring the communications, online interactions and activities of American citizens brings into question our ethical responsibilities as privacy professionals.
All of the companies caught up in the news that complied with secret court orders to hand over bulk user data have privacy officers and dedicated teams of privacy professionals. Yet the extent to which any of these privacy teams were involved or were aware of these orders is unclear. This simple irony provokes reflection on the role of privacy professionals and our associated ethical and social responsibilities.