For some, the arrival of fall means the return of network sitcoms from summer hiatus and back-to-school shopping for the kids. But at the IAPP, it means our Privacy. Security. Risk. conference is approaching, and with it, awards season. There were so many submissions this year, we're recognizing not only the official winners but also what we're deeming "honorable mentions."
The HPE-IAPP Privacy Innovation Awards recognize unique programs and services in global privacy and data protection in the private and public sectors. The awards recognize organizations that integrate privacy in such a way that elevates its value as both a competitive differentiator and a centerpiece of customer and citizen trust.
This year's honorable mention goes to the U.S. Department of Health and Human Services' Office of Privacy and Information Management for its creation of a new senior executive position, the chief privacy and data-sharing officer, who will oversee HHS' newly formulated Office of Privacy and Information Management. Creating the position not only allowed the department the opportunity to consolidate efforts, such as records management, privacy, and its controlled and classified information program under one roof, but it also demonstrated the agency's commitment to data protection by elevating the role of privacy within the department.
Besides being part of the driving force behind advocating for the development of the role, Matt Olsen, CIPP/G, CIPP/US, CIPM, FIP, successfully applied for the position, so he saw the growth of the position from conception to reality. Having held privacy positions across many different fields within the federal government prior, Olsen said the transition to this new role is extremely rewarding.
The first mission of the new office was to look at the internal operations and strategize a path forward. Understanding that there was a need to examine internal governance of HHS’ own programs, Olsen said the undertaking stemmed from the fact that while HHS is known for being privacy-aware, it stores personally identifiable information for one-third of Americans, so a deeply organized understanding exactly what data is held and how it lives within the department is critical so that in the event of a breach, the data architecture immediately defines the scope.
The reason behind Olsen serving as both chief privacy and data-sharing officer is that risk mitigation is only ever truly obtainable if you can successfully answer questions surrounding the data architecture of an organization, Olsen said. Good records management means asking, "What information do you have, how did you get it, how does it move and how should it end up?" he added.
The office reports that it has been able to increase privacy-risk reviews 20-fold in the first year of operation by aligning its privacy-risk activity with other information governance requirements. In doing so, compliance became less burdensome and more efficient.
Olsen would love to see more positions like this across government. He sees the role of chief privacy and data-sharing officer as essential to agencies other than HHS. And he believes its creation has demonstrated the value that can bolster the argument for other agencies to create similar roles.
Olsen said, "If I can walk out the door and someone can just step in and not only run with it but go even further with it, that's our organization's success."
If you want to comment on this post, you need to login.