This month on the Privacy List

Privacy pros continue to use the Privacy List as a forum to query their peers on a host of issues, both large and small. Participants put forth a variety of questions through which resources and practical advice are sought and discovered.

In recent weeks, the privacy community has employed the list to share information on the potential impact of breaking news. For example, when news of Epsilon’s data breach came in early April, privacy pros turned to the list to share their knowledge of which businesses were affected, posting running tallies as they became known.

In the past month, the Privacy List has also been used to seek suggestions for improving the privacy culture of an organization. One privacy pro received advice on finding a resource comparing the major privacy frameworks in order to model a privacy program for his organization. Another gained guidance on eLearning privacy training programs, and still another received insight on resources and best practices for developing an employee awareness program.

Forthright answers to daunting questions are common on the Privacy List. Several users responded to a question about the pros and cons of becoming Safe Harbor certified versus having model contract provisions. Respondents provided insight and pointed out the advantages, disadvantages and consequences for each action.

Also this month, a privacy pro sought advice on notifications when using conduits that deliver content covered by HIPAA. A colleague noted that several issues had been raised in the discussion, saying, “As a general matter, companies will always want to assess how they transmit any information. That consideration involves both the ‘how’ it will be transmitted—encrypted, not encrypted and who will deliver—but also the ‘what’ will be transmitted.” As an example, the colleague explained, organizations should avoid using Social Security numbers to avoid unnecessary risk.

One of the most engaging dialogues on the list in recent weeks centered on a philosophical question posed about defining the role of the privacy professional.

“There seems to be…a fundamental misunderstanding of the role of a privacy professional in many organizations,” the participant wrote. “What distinguishes a privacy professional in your eyes? Is anyone working primarily in the fields of security, law, compliance, risk management, governance, records, etc., whose job supports consumer or employee privacy a privacy professional? Or should it be more narrowly defined to be someone who thinks privacy first and then interacts with all those disciplines to ensure privacy within a firm?”

The question generated a flurry of responses from more than a dozen privacy pros. One participant forecast that companies are consolidating the once separate roles of chief privacy officer, chief information security officer and physical security officer into “something more generic, such as a chief security officer.”

Another noted that her company says “privacy is the ‘why,’ and security is the ‘how,’” arguing that combining the roles would be a mistake, but each of the three major positions needs to have a “deep understanding” of their roles.

Others cited a pragmatic approach to the current needs or available funds of a particular organization, while still others pointed out the difference could depend on the sector.

Citing

, one peer noted that “a privacy professional is a combination of a very disparate set of skills: technology, law, compliance, security, business acumen, etc.”

“Examples…and my experience,” added another participant, “point me to a belief that privacy really is separate from security. Perfectly secure systems can exist without privacy, but I find it difficult to imagine compliance marketing campaigns, vendor agreements and business operations that would use those systems without a strong privacy group.”