Tuesday, June 14, 2005

Privacy Officers: Security Types Need Convincing

People often confuse privacy and security. Security is a part of privacy. (Security is also an important part of protecting other corporate assets.) Some may say that privacy is just the latest buzzword for applying security to personal information. It's more than that.

In IT Management, Ray Everett-Church writes about how to explain privacy to security types, and particularly about the need to have a privacy officer.

Privacy Officers: Security Types Need Convincing:

"I've spent much of the last six or seven years promoting the importance of privacy officers. Much to my dismay, over the course of the years, some of the greatest skepticism I've met has come from security professionals.

Much of the skepticism boils down to some basic misconceptions about the relationship between privacy and security, and fears that privacy officers are just going to be competing for the same organizational 'turf'. But as I have sat with security professionals to explain why the role of the privacy officer is complementary, but fundamentally different, the concerns and misconceptions are easily dispelled.

Indeed, many security executives quickly realize that privacy officers get to deal with many of the murkier, subjective, and often politically-charged issues that many security officers try to avoid being drawn into -- such as marketing strategies or legal and regulatory compliance.

But let's not miss the bigger point here.

Assuming Congress could fix the law so it would require the auditing of privacy practices, instead of the day-to-day work of the privacy officer, this is something that should be encouraged. A critical element of the Federal Trade Commission's enforcement actions in the realm of privacy has been the requirement that companies bring in outside auditors to oversee their privacy fixes and ongoing practices.

If this panel believes you should only audit after a problem is discovered, then they don't appear to have a good grasp on the reality of today's privacy methodology in use at the most enlightened organizations the world over.

The methodology is pretty simple... I ought to know. I helped develop it. The four elements of a coherent privacy program are:

  • Know your current privacy-related practices;
  • Articulate those practices in a privacy policy;
  • Implement those practices through training and oversight, and
  • Audit those practices, from within and without, to ensure compliance.

All of this may be for naught, however.

According to reports, Rep. Tom Davis (R-Va.), chairman of the U.S. House of Representatives Government Reform Committee, is pushing legislation that would repeal the appropriations language that mandated the CPO appointments. But if the Davis proposal does not become law by year's end, the ranks of America's CPO population will grow by a few dozen, and somebody will finally be accountable for privacy practices at federal agencies.

And who knows... maybe by then some government committee will have grasped what these new CPOs are supposed to be doing!"

The four elements above start from the assumption that an organization's current practices are acceptable and only need to be documented, implemented and audited. At least in Canada's legal environment, the status quo may not be acceptable: current practices may themselves need to change before they are written into a policy. I would therefore suggest that a coherent privacy program has the following elements:

  1. Know your current personal information management practices: where it comes from, where it is kept, how it is used and to whom it is disclosed;
  2. Benchmark your current personal information management practices against a recognized standard, such as the Canadian Standards Association Model Code for the Protection of Personal Information;
  3. Modify your practices to accord with the standard (collect only what you need, use and disclose it only in the ways you've articulated, and secure the information);
  4. Articulate your new practices in an easy to understand privacy statement and document them in an operational policy;
  5. Train all staff to implement your new practices; and
  6. Audit your practices.
