By Rebecca Andino, PMP, CIPP/G and David Carpenter, CISM, CIPP

Public Private Partnerships (PPPs) are business models in which state, local or federal government entities and private industry establish formal partnerships to achieve mutually beneficial outcomes. According to the National Council for Public Private Partnerships (http://ncppp.org), PPPs are more common than one might think, and account for 23 out of 65 basic services in the average U.S. city.

PPPs can provide the public sector an improved or continued level of service, at reduced costs. They exist in nearly every major sector, from human services and education, to transportation infrastructure.

Privacy issues can arise when private partners collect individuals' personal information. For example, personal information is collected in PPPs when private partners perform counseling, economic development, traffic ticket issuance and air passenger screening. By definition, private partners in PPPs are not required to comply with the Privacy Act of 1974. Nor can one assume they follow any of the Fair Information Practice Principles (FIPPs), which are best practices but not necessarily required by law. Yet, a breach of personal information could result in harm to the individuals affected, reputation damage to the government sponsor and could, ultimately, cause a program to fail.

The solution is for the government sponsor to establish and enforce a comprehensive set of privacy standards that are required of private partners for a particular PPP. For the TSA Registered Traveler PPP, ICF International developed security and privacy standards based on National Institute of Standards and Technology (NIST) guidance and FIPPs. The standards are flexible enough to allow market-driven innovation, yet provide TSA assurance that its private partners maintain necessary levels of security and privacy protection of sensitive participant information.

It is important to consider privacy requirements throughout each phase of the program lifecycle; once a PPP is established, imposing additional governmental requirements could be financially or contractually burdensome or create a competitive disadvantage to the private partner. Government managers should consider the questions and recommendations below when establishing Public Private Partnerships.

1. Openness
Does the public know data is being collected? Do they have access to data use policies?

  • Write and publish a Privacy Impact Assessment.
  • Inform the public of data collection activities via publications such as the Federal Register and the agency Web site, as well as communications with news media and privacy advocate groups. Proactive communication is especially important in programs where data collection is passive, such as traffic light cameras or traffic speed detection.
  • Ensure Private Partners (PPs) develop a privacy policy, follow it and make it available to participants.

2. Collection Limitation
Does each entity in the PPP collect and maintain only the minimum required information in support of the program? Is information collected by fair and legal means?

  • Seek legal counsel to ensure the PPP activities are not an invasion of privacy in cases where individuals' data is obtained without their express consent (i.e., by traffic light cameras or in airline passenger checks).
  • Ensure that each data item collected can be justified. For example, the government is not allowed to require participants to provide their Social Security number in order to participate in or benefit from the PPP (per the Privacy Act of 1974, 2004 Edition).
  • Develop a matrix that shows the types of information accessed, stored and retained by each entity in the PPP, and the justification for each. An example based on the Registered Traveler matrix is shown in Table 1.

3. Purpose Specification
Do data collection forms explain the purpose for the collection of the information? Is there assurance that PPs will not use the data collected for purposes other than the purpose stated at the time of collection?

  • Require PPs to state the purpose of the data collection and display any required government notices on all information collection forms. For Registered Traveler, PPs are required to display a TSA Privacy Act statement on enrollment forms.
  • If PPs collect additional information for business or marketing purposes, ensure those fields are physically separated from government collection fields and clearly labeled as non-government fields.

Note that it may be desirable — or necessary — to allow PPs to collect additional data for business purposes, such as email addresses, contact preferences or credit card numbers. For Registered Traveler, TSA allows PPs to collect additional information from participants as long as forms are distinctly labeled and separate from the government collection forms.

4. Use Limitation
Does the program have assurance that PPs are using the information only for the purposes in which it was collected?

  • Do not allow PPs to use participant information in any way other than the purpose stated at the time of collection, unless they obtain opt-in consent from participants. For example, Registered Traveler PPs may only share their participant information with partner companies, such as car rental companies and hotels, if participants opt-in.

5. Data Quality
Are participants able to access and correct their data? Are there adequate quality assurance processes on both sides of the PPP?

  • Develop metrics for measuring data quality, particularly across system boundaries. One method of measuring data quality is to schedule regular checks to compare PP records with government records to ensure data values are consistent. Perform in-depth reviews to reconcile any conflicting results and correct any processing issues.
  • Build data quality checks into the business processes. For example, all Registered Traveler fingerprint enrollments are checked against all existing enrollments as a fraud detection measure.

6. Individual Participation
Do individuals have the right to appeal decisions made by the PPP that affect them?

  • Develop and publish a redress process or appeals process.
  • Consider implementing mechanisms for the government to interact directly with participants in special circumstances. For example, TSA communicates directly with participants, bypassing the PP, to discuss redress matters.

7. Security Safeguards
Is individual data secured by the PP and the government? Is a security and privacy program implemented that provides the government reasonable assurance of the security of individuals' PPP information?

  • Develop and publish security and privacy standards for the program. The standards should contain general as well as program-specific controls to ensure information is protected at the appropriate levels. It is recommended that the standards be a tailored version of an industry standard such as NIST SP 800-53 or ISO 27002.
  • Assess PP compliance with security and privacy standards. Use an IPA firm or other auditor to provide the government assurance of information protection.
  • Ensure data in transit is protected between the PP and the government. For example, TSA requires data in transit to be encrypted using the Triple Data Encryption Standard as specified by FIPS 140-2. However, other methods of data protection, such as virtual private networks (VPN) and hand-delivery, may also be acceptable depending on the circumstances.
  • If the PPP issues participant identification items (such as SmartCards or RFID fobs), minimize the amount of sensitive information stored on the card in case the card is lost or stolen. However, to support industry participation and marketing efforts, the government may decide to allow the PPs to apply branding to identification items, provided certain guidelines are met. In Registered Traveler, the government permits the PPs to store marketing and customer reward information in a separate payload on the identification card, as long as the cards meet certain minimum standards.
  • Establish a process and timeframe for reporting security incidents and privacy breaches to the government.

8. Accountability
Is there a clear understanding of the security and privacy obligations of PPs and consequences for non-compliance?

  • Require PPs to designate a single point of contact responsible for all security and privacy matters for their company.
  • Do not authorize PPs to begin operations until they demonstrate adequate security and privacy protections are in place. Develop a checklist to assist PPs through the approval process. For Registered Traveler, PPs may not begin operations until a number of requirements are met, including an initial IPA attestation of compliance.
  • Ensure that PPs are responsible for the security of personal information. Verify that there are appropriate levels of security through periodic IPA attestations and ad hoc audits.
  • Reserve the right to halt operations for non-compliance with security and privacy requirements, data or privacy breaches, or any other significant concerns about data protection.

Rebecca Andino, PMP, CIPP/G, is president and founder of Highlight Technologies, a firm providing program management and privacy consulting services to national security programs. In her previous position at ICF International, she provided privacy consulting, program management and strategic planning to TSA's Registered Traveler program. Rebecca Andino may be contacted at randino@highlighttech.com or 202-271-0469.

David Carpenter, CISM, CIPP, is a Technical Specialist at ICF International and serves as Information Security Manager for TSA's Registered Traveler program. Mr. Carpenter played a key role in the development and implementation of the Information Security, Privacy, and Compliance framework for the RT Program. He may be contacted at dcarpenter@icfi.com or 571-226-7994.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is sold out! But you can still add your name to the wait list, and we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Call for Speakers open! Join the Forum in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

Call for Speakers open! This year, we're bringing P.S.R. to San Diego. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

Call for Speakers open! The Congress is your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Submit a proposal by March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»