The President’s executive order was part of a massive Cybersecurity National Action Plan, which includes $19 billion in funding, an overhaul of government cyber infrastructure, the creation of a new federal chief information security officer, the tightening of collaboration with the private sector, and the support of new research initiatives. It recognized that “[the] proper functioning of Government requires the public's trust, and to maintain that trust the Government must strive to uphold the highest standards for collecting, maintaining, and using personal data.” This is true for any organization – in the business sector or government alike. Respect for the privacy of citizens, consumers and employees is key to trust in government and the digital economy.
The president’s plan is a resounding endorsement of the longstanding mission of privacy professionals. It highlights several key messages:
First, privacy is a profession. The president’s embrace of privacy is focused on fomenting agency and inter-agency privacy management programs; creating and sharing best practices for protecting privacy and implementing appropriate privacy safeguards; and improving the processes for hiring, training, and professional development of privacy professionals in government.
These goals are precisely within the purview of the IAPP, which seeks to define, support, and improve the privacy profession through training and certification, conferences and publications, resources and research tools. Becoming a member of the privacy workforce today means more than just being tasked by an HR or IT manager to “do privacy.” It entails becoming steeped in a growing interdisciplinary body of knowledge, and maintaining a firm grasp of new developments in technology, business, law, and policy. Sound data management practices are not common knowledge. They require laborious training, continuous education, and a verifiable method of certifying skills. The president’s plan recognizes that just as qualified civil engineers build bridges and certified dentists perform root canals, so too should government data managers be duly qualified and adequately trained.
Second, privacy is not the same as security. Too many times, executives conflate the two concepts, replying that they have firewalls and end-to-end encryption when asked if privacy is under control. To be sure, good security is important and necessary to ensure data privacy; but privacy means more than just appropriate access controls. It means being transparent, responsible, and ethical in organizational uses of personal data, managing individuals’ expectations, and minimizing data flows. By devoting an entire module of the Cybersecurity National Action Plan to privacy, the president recognized that privacy is a key standalone concept that must be addressed alongside data security.
Third, privacy is not the opposite of security. The dichotomy between privacy and security is a false one. Privacy skeptics sometimes depict privacy as a roadblock to good security on- and offline. Without privacy, surveillance agencies would ostensibly protect national security unimpeded by human rights considerations, companies would monetize individuals’ information, and employers would scrutinize their employees’ every move. Yet, who would want to live in such a world? As the President states, “Privacy has been at the heart of our democracy from its inception, and we need it now more than ever.” Rather than being diametric opposites, privacy and security are two sides of the same coin. Without privacy, security defeats its purpose of protecting our democracy and way of life. With this in mind, the president devotes a portion of the energy stirred by the Cybersecurity National Action Plan to reinvigorating privacy in the federal government.
Rather than being the culmination of a process, the president’s Executive Order is the beginning of one. It is a path toward the institution of privacy management programs in every government agency, not only in the federal government but also in states and municipalities. It is a call for training a privacy-conscious workforce, including not only members of an organization’s privacy office, but also any employee who touches personal information in her daily job. It is a mandate to ensure that privacy does not stay on the books but is translated to institutions and facts on the ground.