
Privacy Perspectives | An Open Letter to Privacy Professionals: We Need to Earn the Public's Trust



The recent news about the extent to which the U.S. government is monitoring the communications, online interactions and activities of American citizens brings into question our ethical responsibilities as privacy professionals.

All of the companies caught up in the news that complied with secret court orders to hand over bulk user data have privacy officers and dedicated teams of privacy professionals. Yet the extent to which any of these privacy teams were involved or were aware of these orders is unclear. This simple irony provokes reflection on the role of privacy professionals and our associated ethical and social responsibilities.

The role of the privacy professional has evolved over the past decade in response to the many ways personal information and data shape all dimensions of public, business and social interactions. We’re specialized advocates for our organization’s data subjects—users, consumers, employees, citizens. We work across business and IT functions to establish best practices and policies and to ensure compliance with hundreds of standards and laws governing how our organizations collect, use and safeguard personal data. In some sectors, we’re also integral to business and product strategy.

Today, privacy professionals aren’t licensed to practice and there’s no standard ethical code of conduct to which we must adhere. However, privacy professionals are often members of other professions that are bound by standards of practice that include confidentiality and data protection. For instance, those who are lawyers must respect client confidentiality. Others who are healthcare professionals are bound by standards of patient confidentiality, and there are numerous codes of conduct for technologists that set forth norms for privacy and security.

We’re obliged to honor commitments to data subjects about the specific information-handling practices and protections we set forth in notices, policies and other statements. It’s also our responsibility to write these notices, policies and statements plainly and in a way that’s not misleading. To the extent we work in jurisdictions with constitutional protections for privacy, we have ethical responsibilities to respect those. We're certainly bound to comply with the laws, regulations, contractual obligations and legal requirements pertaining to our organizations—to the extent that they are consistent with generally accepted standards of justice and human rights.

It’s tempting to say that the U.S. government is targeting individuals whose activities are unlawful or suspicious, and therefore our responsibilities related to the privacy of their data fall outside ethical or legal norms. But this is a slippery slope and difficult to justify in the context of bulk orders for a company’s data.

As privacy professionals, do we have ethical obligations to the people whose data is our professional responsibility, or only to our employers? How do we handle conflicts of loyalty that arise? Does public safety trump privacy in every case and in any circumstances? Do we have obligations to report—even secretly, under legal requirements—our objections?

As one prominent leader in our community told me, "We should be committed to the welfare of our data subjects through a sworn oath that commits us to our principles in some binding manner. For many, though, it's the paycheck that binds." As I see it, if we’re to continue to be trusted as a profession that’s dedicated to transparency, accountability and data protection, we need to earn the public’s trust by having the courage to confront the real situations and limitations we face.

For that reason, I’m appealing to all of our colleagues to weigh in on this discussion. For my next post, I will incorporate the ideas generated here and develop a draft code of ethics for further debate.

It’s vital that our profession be at the forefront of the public debate about balancing rights to privacy with needs for safety and security. Protections such as reporter-source confidentiality and attorney-client privilege strengthen the institutions within which those professions operate, and we have to use this moment to develop similar frameworks for our profession and the people whose data we protect.

photo credit: jrodmanjr via photopin cc



  • comment Miles Wallace • Jun 27, 2013
    I agree most wholeheartedly. Perhaps, though, we should all take on the attitude and the technology that exemplifies what President Ronald Reagan once said: "Trust but Verify". To that end I have spent over a decade in the support of the building of technologies (Site Sentinel) that will absolutely do this. However, the reality is that the industry (including the marketing industry) rebukes this functionality, instead preferring to allow the erosion of privacy and security purposefully. This is evidenced in the private corporate environment with the attitude at the board level with a "plausible deniability" mind frame where remediation is too tedious and/or expensive, and, on the government side, by a "we want the anarchy to continue to exist so we (the government and its security contractors) will continue to benefit from harvesting privacy and security based personally identifiable information". This reality will continue, moving forward, unless the technologies are employed that will prohibit these big data practices. Again, "Trust but Verify!"
  • comment Irina Raicu • Jun 27, 2013
    Wouldn't NSA gag orders trump the proposed professional code of ethics? I don't mean to suggest that such a code would be useless; it could be used to police, for example, those who might not agree that they have a "responsibility to write these notices, policies and statements plainly and in a way that’s not misleading." But the newly-revealed issues with federal surveillance and oversight have to be addressed at a different level. 
  • comment Eric Lybeck • Jun 27, 2013
    Agree with you Alex, it seems that there should be a Code Of Ethics, for privacy professionals. As a long standing holder of the CISSP certification, I have been bound by the (ISC)2 Code of Ethics. This is a fairly simple code, with canons such as "Protect society, the common good, necessary public trust and confidence, and the infrastructure" and "Act honorably, honestly, justly, responsibly, and legally."
    Examining a code of ethics like this it is easy to see the conflict between "necessary public trust and confidence" and transparency when controversial NSA orders come to light. Yet it also reinforces the honorable, responsible and legal response to comply with those orders. 
    I think a good canon for the privacy profession would be to include the concept of accountability. If our profession could truly self-regulate instead of being subject to (and just following) legislative efforts to regulate, transparent organizations could build greater public trust and make privacy an advantage.
  • comment Stuart Shapiro • Jun 27, 2013
    A more useful analogy would be with engineering. The tension between loyalty to employer and responsibility to society is one with a long history in engineering and was frequently a focus of discussions of engineering professionalism. This concern and the complexities surrounding it have led to the development of an entire sub-field of engineering ethics, including dedicated textbooks.
  • comment IAPP Member • Jun 27, 2013
    The idea of a Privacy Professional Code of Ethics goes back to the early formation days of the IAPP. It's a positive and relatively non-controversial step. Perhaps it becomes part of completing the CIPP foundation. However, let's keep in mind that while 'codes of conduct' or 'ethics', whether professional or corporate, guide our behaviors and daily activities, those codes in and of themselves don't stop well-intentioned individuals from violating the spirit if not the letter of whatever codes to which one has committed. Surely those involved at the companies believed they were 'Acting honorably.....legally'? Were these individuals in a position to judge the legal, ethical or moral quality of the FISA Court Orders? And to Alex's point - if the privacy officer (or equivalent accountable individual) isn't even involved or aware, then how can one take action based on a code of ethics?
    Please don't misunderstand - as a long-standing member of the privacy community, I believe privacy professionals and leaders have accountabilities to data subjects of all types - customers, users, visitors, vendors, employees and other stakeholders (like our employers and shareholders/members/investors). The current controversy presents a ripe opportunity to have on-point conversations with the departments and the colleagues who are tasked with responding to highly sensitive government requests for data - to create (or update) and communicate an internal policy, standard, guideline or process that enables responsible review of the government requests, one that explicitly includes the privacy pro. We in leadership positions (CPOs) carry a deep sense of responsibility (and yes, of course, ethics) about the important work we do - taking legal, regulatory, best practices, data subject/customer/employee expectations about privacy and data use - and building them into products, services, and/or processes. I don't need a code of ethics to guide or remind me to do that.
  • comment Barb Lawler • Jun 28, 2013
    The "IAPP Member" comment above is from me, Barb Lawler (Intuit CPO, past member of IAPP Board, past HP CPO).  Don't know why that did not come through with the original post.
  • comment IAPP Member • Jun 28, 2013
    For a proposed oath or code of ethics to have any real-world effect, as opposed to simply being a feel-good measure, it must be backed first by the IAPP and then by law(s).
    The best example I've seen to-date is Sec. 4, Art. 35, paragraph 7 of the EU General Data Protection Regulation (aka, "the proposed regulation"), which states, "The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties."  This temporary "job security" approach, while not perfect, is a step in the right direction because it provides at least minimal authority for privacy professionals to do the right thing in the short term without fear of immediate retaliation by their employer.
    Another alternate/complementary approach would be for legislators to establish meaningful whistleblower statutes that reward the reporting of wrongful behavior that is not in the best interest of data subjects.
    In short, I think the responsibility here falls squarely in the lap of IAPP leadership to become the voice(s) for these types of changes with lawmakers worldwide.  Unless and until that happens, our posts are interesting fodder, but of little or no value in the real world of information privacy rights.
  • comment IAPP Member • Jun 28, 2013
    The “IAPP Member” comment above is from me, Charlie Frayer, JD, MS, CIPP.  I, too, don’t know why that did not come through with the original post.
  • comment Laura Liguori • Jul 10, 2013
    I like the idea of a code of conduct for privacy professionals. What I like the most is that - ideally - the Code could bind all privacy professionals, wherever they are based, regardless of whether they have the European "fundamental right" approach or the US "consumer right" approach. This might be a good start and a step towards the sharing of basic common principles, which we discussed - among other topics - at the last Europe IAPP Conference.
  • comment Eric Lybeck • Jul 10, 2013
    I like your comment Laura - I've seen some of the tension on a global privacy team where different cultural foundations affect one's view of privacy "rights." Having a common code of ethics could help with some common ground, especially as privacy programs mature and where more and more professionals on engineering, design, marketing, IT, security, etc. teams work on privacy issues.
  • comment Natasha Leger • Jul 17, 2013
    We, at the Location Forum, could not agree more. We would like to offer our Location Data Privacy Guidelines, Assessment & Recommendations as a starting point for this much-needed initiative. While the Guidelines focus specifically on the complexity of location data, they were built on broader privacy principles. The Guidelines were developed for those on the front lines of location data product and service development; those who have to deal with the day-to-day issues of managing location data in a world with little legal and policy guidance, or where guidance exists, a diversity of laws and regulations that leads to angst and frustration. The Guidelines include a scorecard to help in assessing risks associated with handling location data.
  • comment Ed McNicholas, Sidley Austin • Aug 2, 2013
    I proposed a code of ethics at the 2011 Dallas IAPP event in a presentation on "Ethical Privacy." I would be happy to share that presentation with anyone interested.