Thanks to David Canton for leading me to this interesting article from IT Business. It discusses the recent breach in which unencrypted health information on a portable hard drive was lost in Toronto's airport. Looking at the issue from a practical angle, it concludes that all employees who touch personal information have to take responsibility for it.
IT Business: Everyone's a CPO: Why privacy needs to spread across every line of business
...Departmental executives need to do a couple of things. First, they need to perform an inventory on the devices they personally own but which may be used for work. What level of security is already in place and what might need to be upgraded? Are there technologies that could be added to help easily recover a device if it goes missing for some reason? Are there organization-wide guidelines or procedures with which personal devices need to comply before they can be used for work purposes? This is where a dialogue with IT should probably begin, and it may lead some IT managers to reject requests that such devices be able to access a corporate network.
A potentially bigger challenge will be for line of business executives to think in "big picture" terms of what kind of data they are managing, and what kind of responsibilities they have towards protecting the privacy of that information. We usually tackle these cases by looking at what kind of safeguards IT departments or senior management could have put in place from the beginning. As time goes on, the focus will be much more on what individual employees are doing to bolster those safeguards. No one is merely a VP of marketing, finance or HR anymore. If you touch customer or employee data in any way, shape or form, you're a chief privacy officer, too.