Author’s Note: Privacy education is booming. For a long time, I thought that most people who learned about privacy did so in law school courses or at IAPP events. But in fact, hundreds of thousands of people learn about privacy through corporate privacy education. I became aware of this when I started TeachPrivacy and spoke with nearly 100 CPOs about privacy training in the past year. In this article, I’ll discuss some of the things I learned. I didn’t set out to undertake an empirical study, so my conclusions below are my impressions based on my conversations.

Privacy training is increasingly becoming a staple in the corporate education canon.

At most large institutions, privacy training is on the training curriculum, which is a challenging task given the quantity of corporate training and the value of employee time. The length of the training ranges from 10 minutes to about one hour, with the average span being 25 to 45 minutes.

Healthcare and finance industries are leaders in privacy education. Law and education are lagging.

I’ve found that certain industries—healthcare, finance—are leaders in training, whereas others—law, education—are lagging. Technology companies and retail are in the middle.

As for education, I couldn’t find one K–12 school system that provides data security or privacy training. Higher education isn’t much better. Only about 30 colleges and universities have CPOs. A small percentage have data security training, and a smaller number cover privacy, typically under the Family Educational Rights and Privacy Act (FERPA). I couldn’t find a school with mandatory training.

At law firms, both privacy and security training are not being done as systematically and frequently as in business. Many law firms lack any kind of privacy/security training, an ironic fact because privacy lawyers routinely advise clients to have a training program. Given increased security threats to law firms, clients who increasingly demand training before transferring data and the HITECH Act’s application of HIPAA enforcement to business associates, my prediction is that within five years, most midsize and large law firms will have some form of privacy/security training.

Another interesting thing I learned is that companies are training in privacy even when it is not required by regulation. Given the great value of employee time, the existence of privacy training when not mandated represents a significant recognition by companies of the importance of protecting privacy.

Privacy and data security are sometimes combined, sometimes separate.

I found a lot of inconsistency in the division of training between privacy and data security. Sometimes, privacy and security are combined in the same training module. Other times, they are covered separately. Generally, as a conceptual matter, the relationship between privacy and data security could use much more clarification.

Privacy training course structure involves baseline training in basic awareness and role-based training about particular regulations.

A lot of privacy training consists of a baseline involving basic privacy awareness, such as the Fair Information Practices. This is supplemented by training in specific privacy regulations based on particular employee roles.

Most privacy training is annual, with some CPOs issuing periodic short supplemental training.

Many CPOs stated that short training sessions over a period of time would be more effective than dumping a lot of information on employees at one sitting. But due to logistical constraints, there is often just one opportunity for mandatory privacy training. Some CPOs create short, voluntary training events throughout the year so training is more periodic.

The biggest challenge is making employees care.

A number of CPOs stressed that it was easy to tell employees about privacy rules but much harder to make them care. One way to make employees care is to show them how privacy affects them personally.