Posted in Privacy Officers
Recently, as I was speaking to a talented group of law students, I was asked the above question. This has also been a related theme underlying some of the recent posts on the IAPP Privacy List. I’m not sure if this list is what those who want to enter the privacy field should cultivate in themselves, what current privacy officers are like or what we should be aiming for as a profession.
To build this list, I searched online for the top 10 traits or characteristics of compliance officers, salespeople, CEOs and managers. In essence, I could stop this blog entry now—that is what we are and should be: compliance officers, salespeople, CEOs, managers and let’s include janitors as well. In fact, let’s look at it that way: What job skills does one need to be an effective privacy officer? If we were to brew the perfect privacy officer, what career fields would we throw into the kettle?
Hard for me to believe, but it’s now been a year since we rolled out Perspectives, our very first blog here at the IAPP. As an organization, we were veering into uncharted territory, but our ultimate purpose was and continues to be to provide a forum for the difficult or practical or funny or just plain outlandish privacy conversations to play out.
Just before Christmas, we posted our top ten blog posts of 2013—all based on page views. But now that a full calendar year has gone by, I thought it worth looking back with a bit more nuance.
Leadership is crucial to a successful privacy program. It is leadership that engages senior executives, inspires an extended team and provides hope to advocates and confidence to regulators.
But what drives leadership in 2014? Is it the need to have a highly compliant organization in an era where compliance is very complex? Or is a strategic approach to information governance when data moves from being a business facilitator to the driver of innovation?
With privacy breaches and security threats making headlines around the world on a daily basis, it’s becoming increasingly obvious to most enterprises that the personal information and sensitive data they hold is an extremely valuable commodity. However, shared inappropriately—whether by accident or breach—the disclosure of sensitive data can have dramatic financial impacts on an organization and erode consumer trust. The good news here is that this should be highly preventable. So in honor of Data Privacy Day—which will be celebrated this year on Tuesday, January 28—here are 10 tips for improving your privacy and data protection programs in 2014.
A recent article in The New York Times noted that every one of Volkswagen’s (VW) manufacturing plants in the world has an employee works council except one: the VW plant in Chattanooga, TN. Works councils are popular in VW’s home country of Germany and created by a directive in the European Union. This directive mandates employees have a voice in working with management about working conditions in their environment.
U.S. chief privacy officers (CPOs) and their European counterparts—data protection officers (DPOs)—often work with works councils in many areas but especially in protecting employee privacy. In fact, German DPOs and their corporate works councils have a reputation for being strong defenders in protecting privacy rights. Want to monitor e-mail or social media in the workplace? Centralize your HR records in the U.S.? Or ready to add a whistleblower hotline? The German Works Council Act, for example, empowers the works council to agree or refuse consent of many employee-monitoring devices. All of these require consultation in advance of the organization’s works council, and you can expect to hear a strong statement in support of protecting privacy rights!
When I was Chief Privacy Officer at the U.S. Department of Homeland Security from 2009-2012, I was asked frequently how the Department of Homeland Security Privacy Office was able to ascertain whether the privacy protections initially embedded in DHS programs and systems were being applied, and whether they were effective in protecting privacy. As with many things in privacy, the answer is: auditing and accountability, the last Fair Information Practice Principle. In order to be effective, the accountability must be integrated through all parts of the information governance lifecycle, including analyzing the privacy programs at the Department and component level themselves.
To more accurately assess this inquiry, I looked outside of associations based solely on one’s education and looked for associations based on one’s role or job and I found several examples of codes of ethics for professionals. There are members of IAPP who are also members of some of these other professional associations: HCCA, ISC2, SCCE, just to name a few. Additionally, many members of the IAPP are licensed attorneys and bound by the ethics of their license; such is also true for medical professionals, accountants, social workers, teachers, and many other fields. Alex Fowler addressed this same issue.
Having experience in the medical, educational and legal environments, I am acquainted with the potential for conflict between professional obligations. For example, I occasionally faced conflicts between my obligations as a nurse and my obligations as an attorney. While there is always an eventual decision made after careful analysis, this decision is not always concrete and is subject to context and opinion.