The future of privacy is not privacy. It is larger than that. It is information. Let this brief note offer an introduction to one scenario about the future of privacy.

Over the past several years, leading privacy professionals have taken a critical look at the future of their profession. Last year, on the occasion of its tenth anniversary, the IAPP published A Call for Agility: The Next Generation Privacy Professional, essentially asking whether we need to broaden the scope of profession. The definition of what is considered personal identifiable information (PII) has broadened over the past 40 years from simple identifiers such as name, date of birth and Social Security number to include additional types of data. As technology has developed, PII may now include information that can be linked or is linkable with an individual even if the individual is never identified by name or other personal identifier.

But expanding definitions of PII are only the starting point. The profession has also begun to look out the solar system of privacy to the larger universe of "information." Some leading privacy experts have called this expansive view “strategic information management,” “information governance,” or simply “convergence.”

ADVERTISEMENT

Syrenis data privacy metrics ad

Coincidently, in February 2010, The Economist published a feature on the future of the "information industrial age" titled “New Rules for Big Data.” The feature concluded that information managers will need to address six broad areas to effectively manage big data—security, retention, processing, ownership, integrity and privacy.

Privacy professionals already possess these skills, backed up by years of experience. The profession has developed the necessary policy and operational framework to effectively manage and protect personal identifiable information (PII). The Fair Information Practice Principles (FIPPs) are essentially a more delineated version of those articulated by The Economist:

  • Transparency
  • Individual Participation
  • Purpose Specification
  • Data Minimization
  • Use Limitation
  • Data Quality and Integrity
  • Security
  • Accountability and Auditing

Private-sector privacy officers have recognized that they already possess these skills and knowledge and that they are well-positioned to manage the larger universe of sensitive information.

In the federal space, privacy professionals should also consider how the future of privacy might be transformed into a broader information-governance model. PII is only one of many areas of sensitive information that needs to be managed and protected by the federal government. One need only look at the Privacy Act's statutory cousin—the Freedom of Information Act (FOIA)—and its basic exceptions, to enumerate other sensitive categories of information such as national security information, proprietary information, financial information, intellectual property, deliberative, attorney-client, attorney work product and law enforcement. In addition to these core areas, there are more than 100 confidentiality statutes in the federal code that cover specific categories of information that congress has determined require special protection.

Based on the FIPPs, federal CPOs have created a compliance and accountability framework using Systems of Records Notices, Privacy Impact Assessments, FISMA assessments and auditing mechanisms to ensure PII is properly used. Further, federal privacy officials have developed incident-handling procedures for mitigating those situations where there is a privacy incident. The FIPPs and their implementing compliance and oversight mechanisms could be expanded to manage the full federal universe of sensitive information.

For the federal government, expanding the role of the CPO to include all sensitive information will take time and patience. While each federal privacy office is structured differently, such an expansion would implicate numerous agency actors, including the chief privacy officer, the FOIA and disclosure officer, chief records officer, chief information officer, chief information security officer and chief security officer. Each specialty could be combined into a new functional entity that has the vision to look at data in a comprehensive manner.

Such a transformation might create a new official such as a chief information governance officer (CIGO). Sensitive PII would be combined with other sensitive areas of information to be managed by the CIGO along with other information experts. Ideally, CPOs with their FIPPs skills and subject-matter expertise are in a position to grow into information governance and develop as leaders.

If big data is the future of the privacy profession, federal privacy officials need to actively participate in that transformation. That means not only participating in the debate within the profession but also, like their private-sector counterparts, persuading their organizations that they already possess the necessary skills to manage the universe of sensitive data. The skills and abilities of federal privacy professionals to manage the larger world of information is a circumstance we can anticipate right now. Failing to see the importance of this opportunity would be a real tragedy.