An Open Letter to Privacy Professionals: We Need to Earn the Public's Trust

The recent news about the extent to which the U.S. government is monitoring the communications, online interactions and activities of American citizens brings into question our ethical responsibilities as privacy professionals.

All of the companies caught up in the news that complied with secret court orders to hand over bulk user data have privacy officers and dedicated teams of privacy professionals. Yet the extent to which any of these privacy teams were involved or were aware of these orders is unclear. This simple irony provokes reflection on the role of privacy professionals and our associated ethical and social responsibilities.

The role of the privacy professional has evolved over the past decade in response to the many ways personal information and data shape all dimensions of public, business and social interactions. We’re specialized advocates for our organization’s data subjects—users, consumers, employees, citizens. We work across business and IT functions to establish best practices and policies and to ensure compliance with hundreds of standards and laws governing how our organizations collect, use and safeguard personal data. In some sectors, we’re also integral to business and product strategy.

Today, privacy professionals aren’t licensed to practice and there’s no standard ethical code of conduct to which we must adhere. However, privacy professionals are often members of other professions that are bound by standards of practice that include confidentiality and data protection. For instance, those who are lawyers must respect client confidentiality. Others who are healthcare professionals are bound by standards of patient confidentiality, and there are numerous codes of conduct for technologists that set forth norms for privacy and security.

We’re obliged to honor commitments to data subjects about the specific information-handling practices and protections we set forth in notices, policies and other statements. It’s also our responsibility to write these notices, policies and statements plainly and in a way that’s not misleading. To the extent we work in jurisdictions with constitutional protections for privacy, we have ethical responsibilities to respect those. We're certainly bound to comply with the laws, regulations, contractual obligations and legal requirements pertaining to our organizations—to the extent that they are consistent with generally accepted standards of justice and human rights.

It’s tempting to say that the U.S. government is targeting individuals whose activities are unlawful or suspicious, and therefore our responsibilities related to the privacy of their data fall outside ethical or legal norms. But this is a slippery slope and difficult to justify in the context of bulk orders for a company’s data.

As privacy professionals, do we have ethical obligations to the people whose data is our professional responsibility, or only to our employers? How do we handle conflicts of loyalty that arise? Does public safety trump privacy in every case and in any circumstances? Do we have obligations to report—even secretly, under legal requirements—our objections?

As one prominent leader in our community told me, "We should be committed to the welfare of our data subjects through a sworn oath that commits us to our principles in some binding manner. For many, though, it's the paycheck that binds." As I see it, if we’re to continue to be trusted as a profession that’s dedicated to transparency, accountability and data protection, we need to earn the public’s trust by having the courage to confront the real situations and limitations we face.

For that reason, I’m appealing to all of our colleagues to weigh in on this discussion. For my next post, I will incorporate the ideas generated here and develop a draft code of ethics for further debate.

It’s vital that our profession be on the forefront of the public debate about balancing rights to privacy with needs for safety and security. Reporter-source confidentiality or attorney-client privilege strengthen the institutions within which those professions operate, and we have to use this moment to develop similar frameworks for our profession and the people whose data we protect.


Written By

Alexander Fowler



  • Miles Wallace Jun 27, 2013

    I agree most wholeheartedly. Perhaps, though, we should all take on the attitude and the technology that exemplifies what President Ronald Reagan once said "Trust but Verify". To that end I have spent over a decade in the support of the building of technologies (Site Sentinel) that will absolutely do this. However, the reality is that the industry (including the marketing industry) rebukes this functionality, instead preferring to allow the erosion of privacy and security purposefully. This is evidenced in the private corporate environment with the attitude at the board level with a "plausible deniability" mind frame where remediation is too tedious and/or expensive, and, on the government side by a "we want the anarchy to continue to exist so we (the government and its security contractors) will continue to benefit from harvesting privacy and security based personally identifiable information". This reality will continue, moving forward, unless, the technologies are employed that will prohibit these big data practices. Again, "Trust but Verify!"
  • Irina Raicu Jun 27, 2013

    Wouldn't NSA gag orders trump the proposed professional code of ethics? I don't mean to suggest that such a code would be useless; it could be used to police, for example, those who might not agree that they have a "responsibility to write these notices, policies and statements plainly and in a way that’s not misleading." But the newly-revealed issues with federal surveillance and oversight have to be addressed at a different level. 
  • Eric Lybeck Jun 27, 2013

    Agree with you Alex, it seems that there should be a Code Of Ethics, for privacy professionals. As a long standing holder of the CISSP certification, I have been bound by the (ISC)2 Code of Ethics. This is a fairly simple code, with canons such as "Protect society, the common good, necessary public trust and confidence, and the infrastructure" and "Act honorably, honestly, justly, responsibly, and legally."
    Examining a code of ethics like this it is easy to see the conflict between "necessary public trust and confidence" and transparency when controversial NSA orders come to light. Yet it also reinforces the honorable, responsible and legal response to comply with those orders. 
    I think a good canon for the privacy profession would be to include the concept of accountability. If our profession could truly self-regulate instead of being subject to (and just following) legislative efforts to regulate, transparent organizations could build greater public trust and make privacy an advantage.
  • Stuart Shapiro Jun 27, 2013

    A more useful analogy would be with engineering. The tension between loyalty to employer and responsibility to society is one with a long history in engineering and was frequently a focus of discussions of engineering professionalism. This concern and the complexities surrounding it have led to the development of an entire sub-field of engineering ethics, including dedicated textbooks.
  • IAPP Member Jun 27, 2013

    The idea of a Privacy Professional Code of Ethics goes back to the early formation days of the IAPP.  It's a positive and relatively non-controversial step.  Perhaps it becomes part of completing the CIPP foundation.  However, let's keep in mind that while 'codes of conduct' or ‘ethics’, whether professional or corporate, guide our behaviors and daily activities, those codes in and of themselves don't stop well-intentioned individuals from violating the spirit if not the letter of whatever codes to which one has committed.  Surely those involved at the companies believed they were 'Acting honorably.....legally'?  Were these individuals in a position to judge the legal, ethical or moral quality of the FISA Court Orders?  And to Alex's point - if the privacy officer (or equivalent accountable individual) isn't even involved or aware, then how can one take action based on a code of ethics?   
    Please don’t misunderstand – as a long standing member of the privacy community, I believe privacy professionals and leaders have accountabilities to data subjects of all types – customers, users, visitors, vendors, employees and other stakeholders (like our employers and shareholders/members/investors).    The current controversy presents a ripe opportunity to have on-point conversations with the departments and the colleagues who are tasked with responding to highly sensitive government requests for data – to create (or update) and communicate an internal policy, standard, guideline or process that enables responsible review of the government requests, one that explicitly includes the privacy pro.  We in leadership positions (CPOs), carry a deep sense of responsibility (and yes of course ethics) about the important work we do – taking legal, regulatory, best practices, data subject/customer/employee expectations about privacy and data use – and building them into products, services, and/or processes.  I don’t need a code of ethics to guide or remind me to do that.
  • Barb Lawler Jun 28, 2013

    The "IAPP Member" comment above is from me, Barb Lawler (Intuit CPO, past member of IAPP Board, past HP CPO).  Don't know why that did not come through with the original post.
  • IAPP Member Jun 28, 2013

    For a proposed oath or code of ethics to have any real-world effect, as opposed to simply being a feel-good measure, it must be backed first by the IAPP and then by law(s).
    The best example I've seen to-date is Sec. 4, Art. 35, paragraph 7 of the EU General Data Protection Regulation (aka, "the proposed regulation"), which states, "The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties."  This temporary "job security" approach, while not perfect, is a step in the right direction because it provides at least minimal authority for privacy professionals to do the right thing in the short term without fear of immediate retaliation by their employer.
    Another alternate/complementary approach would be for legislators to establish meaningful whistleblower statutes that reward the reporting of wrongful behavior that is not in the best interest of data subjects.
    In short, I think the responsibility here falls squarely in the lap of IAPP leadership to become the voice(s) for these types of changes with lawmakers worldwide.  Unless and until that happens, our posts are interesting fodder, but of little or no value in the real world of information privacy rights.
  • IAPP Member Jun 28, 2013

    The “IAPP Member” comment above is from me, Charlie Frayer, JD, MS, CIPP.  I, too, don’t know why that did not come through with the original post.
  • Laura Liguori Jul 10, 2013

    I like the idea of a code of conduct for privacy professionals. What I like the most is that - ideally - the Code could bind all privacy professionals, wherever they are based, regardless of whether they have the European "fundamental right" approach or the US "consumer right" approach. This might be a good start and a step towards the sharing of basic common principles of which we have discussed - among other topics - at the last Europe IAPP Conference. 
  • Eric Lybeck Jul 10, 2013

    I like your comment Laura - I've seen some of the tension on a global privacy team where different cultural foundations affect one's view of privacy "rights." Having a common code of ethics could help with some common ground, especially as privacy programs mature and where more and more professionals on engineering, design, marketing, IT, security, etc teams work on privacy issues.
  • Natasha Leger Jul 17, 2013

    We, at the Location Forum could not agree more. We would like to offer our Location Data Privacy Guidelines, Assessment & Recommendations as a starting point for this much-needed initiative. While the Guidelines focus specifically on the complexity of location data, they were built on broader privacy principles. The Guidelines were developed for those on the front lines of location data product and service development; those that have to deal with the day to day issues of managing location data in a world with little legal and policy guidance, or where guidance exists a diversity of laws and regulations which lead to angst and frustration. The Guidelines include a scorecard to help in assessing risks associated with handling location data.
  • Ed McNicholas, Sidley Austin Aug 2, 2013

    I proposed a code of ethics at the 2011 Dallas IAPP event in a presentation on "Ethical Privacy."  I would be happy to share that presentation with anyone interested.  