IAPP-GDPR Web Banners-300x250-FINAL

By Rebecca Andino, PMP, CIPP/G and David Carpenter, CISM, CIPP

Public Private Partnerships (PPPs) are business models in which state, local or federal government entities and private industry establish formal partnerships to achieve mutually beneficial outcomes. According to the National Council for Public Private Partnerships (http://ncppp.org), PPPs are more common than one might think, and account for 23 out of 65 basic services in the average U.S. city.

PPPs can provide the public sector an improved or continued level of service, at reduced costs. They exist in nearly every major sector, from human services and education, to transportation infrastructure.

Privacy issues can arise when private partners collect individuals' personal information. For example, personal information is collected in PPPs when private partners perform counseling, economic development, traffic ticket issuance and air passenger screening. By definition, private partners in PPPs are not required to comply with the Privacy Act of 1974. Nor can one assume they follow any of the Fair Information Practice Principles (FIPPs), which are best practices but not necessarily required by law. Yet, a breach of personal information could result in harm to the individuals affected, reputation damage to the government sponsor and could, ultimately, cause a program to fail.

The solution is for the government sponsor to establish and enforce a comprehensive set of privacy standards that are required of private partners for a particular PPP. For the TSA Registered Traveler PPP, ICF International developed security and privacy standards based on National Institute of Standards and Technology (NIST) guidance and FIPPs. The standards are flexible enough to allow market-driven innovation, yet provide TSA assurance that its private partners maintain necessary levels of security and privacy protection of sensitive participant information.

It is important to consider privacy requirements throughout each phase of the program lifecycle; once a PPP is established, imposing additional governmental requirements could be financially or contractually burdensome or create a competitive disadvantage to the private partner. Government managers should consider the questions and recommendations below when establishing Public Private Partnerships.

1. Openness
Does the public know data is being collected? Do they have access to data use policies?

  • Write and publish a Privacy Impact Assessment.
  • Inform the public of data collection activities via publications such as the Federal Register and the agency Web site, as well as communications with news media and privacy advocate groups. Proactive communication is especially important in programs where data collection is passive, such as traffic light cameras or traffic speed detection.
  • Ensure Private Partners (PPs) develop a privacy policy, follow it and make it available to participants.

2. Collection Limitation
Does each entity in the PPP collect and maintain only the minimum required information in support of the program? Is information collected by fair and legal means?

  • Seek legal counsel to ensure the PPP activities are not an invasion of privacy in cases where individuals' data is obtained without their express consent (i.e., by traffic light cameras or in airline passenger checks).
  • Ensure that each data item collected can be justified. For example, the government is not allowed to require participants to provide their Social Security number in order to participate in or benefit from the PPP (per the Privacy Act of 1974, 2004 Edition).
  • Develop a matrix that shows the types of information accessed, stored and retained by each entity in the PPP, and the justification for each. An example based on the Registered Traveler matrix is shown in Table 1.

3. Purpose Specification
Do data collection forms explain the purpose for the collection of the information? Is there assurance that PPs will not use the data collected for purposes other than the purpose stated at the time of collection?

  • Require PPs to state the purpose of the data collection and display any required government notices on all information collection forms. For Registered Traveler, PPs are required to display a TSA Privacy Act statement on enrollment forms.
  • If PPs collect additional information for business or marketing purposes, ensure those fields are physically separated from government collection fields and clearly labeled as non-government fields.

Note that it may be desirable — or necessary — to allow PPs to collect additional data for business purposes, such as email addresses, contact preferences or credit card numbers. For Registered Traveler, TSA allows PPs to collect additional information from participants as long as forms are distinctly labeled and separate from the government collection forms.

4. Use Limitation
Does the program have assurance that PPs are using the information only for the purposes in which it was collected?

  • Do not allow PPs to use participant information in any way other than the purpose stated at the time of collection, unless they obtain opt-in consent from participants. For example, Registered Traveler PPs may only share their participant information with partner companies, such as car rental companies and hotels, if participants opt-in.

5. Data Quality
Are participants able to access and correct their data? Are there adequate quality assurance processes on both sides of the PPP?

  • Develop metrics for measuring data quality, particularly across system boundaries. One method of measuring data quality is to schedule regular checks to compare PP records with government records to ensure data values are consistent. Perform in-depth reviews to reconcile any conflicting results and correct any processing issues.
  • Build data quality checks into the business processes. For example, all Registered Traveler fingerprint enrollments are checked against all existing enrollments as a fraud detection measure.

6. Individual Participation
Do individuals have the right to appeal decisions made by the PPP that affect them?

  • Develop and publish a redress process or appeals process.
  • Consider implementing mechanisms for the government to interact directly with participants in special circumstances. For example, TSA communicates directly with participants, bypassing the PP, to discuss redress matters.

7. Security Safeguards
Is individual data secured by the PP and the government? Is a security and privacy program implemented that provides the government reasonable assurance of the security of individuals' PPP information?

  • Develop and publish security and privacy standards for the program. The standards should contain general as well as program-specific controls to ensure information is protected at the appropriate levels. It is recommended that the standards be a tailored version of an industry standard such as NIST SP 800-53 or ISO 27002.
  • Assess PP compliance with security and privacy standards. Use an IPA firm or other auditor to provide the government assurance of information protection.
  • Ensure data in transit is protected between the PP and the government. For example, TSA requires data in transit to be encrypted using the Triple Data Encryption Standard as specified by FIPS 140-2. However, other methods of data protection, such as virtual private networks (VPN) and hand-delivery, may also be acceptable depending on the circumstances.
  • If the PPP issues participant identification items (such as SmartCards or RFID fobs), minimize the amount of sensitive information stored on the card in case the card is lost or stolen. However, to support industry participation and marketing efforts, the government may decide to allow the PPs to apply branding to identification items, provided certain guidelines are met. In Registered Traveler, the government permits the PPs to store marketing and customer reward information in a separate payload on the identification card, as long as the cards meet certain minimum standards.
  • Establish a process and timeframe for reporting security incidents and privacy breaches to the government.

8. Accountability
Is there a clear understanding of the security and privacy obligations of PPs and consequences for non-compliance?

  • Require PPs to designate a single point of contact responsible for all security and privacy matters for their company.
  • Do not authorize PPs to begin operations until they demonstrate adequate security and privacy protections are in place. Develop a checklist to assist PPs through the approval process. For Registered Traveler, PPs may not begin operations until a number of requirements are met, including an initial IPA attestation of compliance.
  • Ensure that PPs are responsible for the security of personal information. Verify that there are appropriate levels of security through periodic IPA attestations and ad hoc audits.
  • Reserve the right to halt operations for non-compliance with security and privacy requirements, data or privacy breaches, or any other significant concerns about data protection.

Rebecca Andino, PMP, CIPP/G, is president and founder of Highlight Technologies, a firm providing program management and privacy consulting services to national security programs. In her previous position at ICF International, she provided privacy consulting, program management and strategic planning to TSA's Registered Traveler program. Rebecca Andino may be contacted at randino@highlighttech.com or 202-271-0469.

David Carpenter, CISM, CIPP, is a Technical Specialist at ICF International and serves as Information Security Manager for TSA's Registered Traveler program. Mr. Carpenter played a key role in the development and implementation of the Information Security, Privacy, and Compliance framework for the RT Program. He may be contacted at dcarpenter@icfi.com or 571-226-7994.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»