It was the annual crunch time between Thanksgiving and the new year, and Nuala O’Connor Kelly had just sent to the printer the first-ever report to Congress by a chief privacy officer. This was it, the historic report—a 40-page description of what O’Connor Kelly had been doing during her first year as the first CPO of the U.S. Department of Homeland Security. Like addressing concerns about DHS’s policies with privacy officers from other countries. Examining the department’s growing use of biometrics. And reading irate e-mails from the public about controversial initiatives like the Transportation Security Administration’s passenger screening program. If O’Connor Kelly was nervous about the grilling she was likely to get once members of Congress got their mitts on her report, she wasn’t letting on. “It’s actually a great moment for the [privacy] office to sit back and take stock of where we are now and where we’re going for the next two, three, four, five years,” says O’Connor Kelly, dashing from one meeting to the next with one of her staff members. “We’re helping fine-tune programs to make better decisions for privacy, and to make better programs themselves. We can be enhancers of the business,” says Nuala O’Connor Kelly, chief privacy officer at the Department of Homeland Security.
At the time, O’Connor Kelly was the only federal government CPO whose position was mandated by law and who was required to file an annual report to Congress. Congress’s consolidated 2005 appropriations bill, signed by President Bush in December, contains a provision that—depending on how the White House’s Office of Management and Budget interprets it—would create a handful or more of CPOs at federal agencies. These new CPOs would be charged with protecting privacy within their own agencies, evaluating proposed laws and regulations, training employees about privacy policies and ensuring compliance with applicable laws.
In the private sector, government demand for privacy expertise is expected to lead to greater awareness, more stringent certifications and stricter standards around privacy. “There are some conflicts between the philosophical approaches to the two positions,” says Lynn Mattice, vice president and CSO at Boston Scientific. “The CSO’s responsibility is to ensure that the business enterprise is safeguarded, and the privacy officer is primarily concerned with safeguarding the individual’s privacy.”
The new position was hailed as a sign that corporate America was going to start paying attention to the privacy of both employee and customer information. That’s because the emergence of the CPO has much in common with that of the CSO. Hiring a CPO became either a regulatory necessity or a way of sticking a flag in the ground that said, “Customer data protected here.” Growing concern about identity theft is bringing privacy to the forefront, and lawmakers are responding.
Meanwhile, the International Association of Privacy Professionals (IAPP), created when Westin’s group merged with another privacy association, has issued the profession’s first certification. Now, she says, “You can add CIPP after my name.” Of course, not all the people earning this certification or serving as privacy officers are true strategic privacy executives—just as not all those with CISSPs, CPPs or the “security officer” moniker are true strategic security executives.
“Nobody yet that I’m aware of is planning the widespread use of these RFID tags on any consumer products, but you still see the concern about tracking consumers by satellite,” says Sandy Hughes, global privacy executive at Procter & Gamble. Hughes is spending a lot of her time these days talking about radio frequency ID tags, or RFIDs.
At E-Loan, an Internet startup that sold $153 million in loans in 2003, CPO Tess Koleczek says she is focused on solutions, not problems. “If something comes up that might compromise our policy, I can’t go in and say, ‘You can’t do that,’” Koleczek says. As with the CSO, the success of the CPO depends on his or her ability to make a business case for the protection of information. “There have been some CPOs who have really done a very good job in showing how privacy affects the bottom line,” says Ari Schwartz, associate director of the Center for Democracy & Technology, a consumer advocacy group.
“You get into a lot of discussions,” acknowledges Boston Scientific’s Mattice, after posing the preceding scenario as an example of the kind of conversation he might have with his legal department over privacy issues. (His inclination, by the way, is that if employees are using company resources, why shouldn’t the company be able to monitor what they’re doing?) “These are business issues, and there’s certainly nothing personal,” he says. “I hope they’re not contentious discussions—although I’m very passionate about what I do, and I love to debate.”
But it would be naive to think that such relationships are always harmonious. The fact is: CSOs and CPOs come from very different cultures. While many CSOs have a background in law enforcement, CPOs tend to come up through marketing. The two don’t always see eye to eye. “Security officers are a bit like lawyers in that there’s no piece of information they don’t think they should have,” EPIC’s Perrin says. “They want to know what’s going on. If they have video surveillance tapes, they just want to keep them in case they need to know what’s going on. A privacy person will look at those videotapes more from the individual’s point of view. Security goes in the opposite direction of privacy in many respects.”
Yet many in the privacy community are trying to find common ground between security and privacy, even in these murky spaces. This is especially true in the government, where CPOs find themselves under a steady barrage of attacks from observers who believe that the government is trampling on citizens’ privacy in the name of national security. For instance, much of O’Connor Kelly’s attention in the past year has been on DHS’s controversial US-Visit program, which uses biometric identifiers to screen foreign visitors to the United States.
One thing is certain: going forward, the two executives will continue to be dependent upon each other—however that future may look. “It’s my contention, frankly, that the role of the CPO will transition, and we won’t recognize the CPO of the future in the way we will today,” says Richard Purcell, a former CPO of Microsoft who went on to found a consultancy, the Corporate Privacy Group. “Security and information management and legal compliance will combine into a differently structured role than we see today. This may happen under the umbrella of emerging risk management departments.”
http://www.csoonline.com/read/020105/fivethings.html