Privacy Officers: A Regulated Profession?
A conversation about privacy and ethics last week led to an intriguing thought: should privacy officers become self-regulated?
There are organizations that represent the “profession”: the International Association of Privacy Professionals (“IAPP”) is probably the most recognizable and one that should be commended for advancing the interests of its membership through education and networking opportunities. In Canada, there is also the Canadian Association of Professional Access and Privacy Administrators (“CAPAPA”), perhaps lesser known but no less dedicated to assisting its membership. Both either have or are establishing certification programs. Job offerings for privacy officers often call for some sort of privacy certification as a desirable attribute in candidates and privacy officers have responded by seeking such designations. In short, privacy has made enormous strides in professionalism in a short period of time (recognizing that public sector access/privacy officers have existed since at least the 1970s).
But no matter the degree of professionalism, privacy officers in public and private sector organizations “represent” the organization. A rough analogy might be made to “workplace safety officers”, some of whom do very good jobs mediating the interests of workers in ensuring a safe workplace but also are firmly on the management side of the equation.
How do these “good officers” get the balance right? I suspect in large part, leaving workplace politics and strict legal compliance aside, because they ask, “what’s the right thing to do?” In other words, ethics plays a part. By “ethics”, I mean standards of right and wrong coupled with personal conduct and judgment.
So why a regulated profession? Two thoughts converge here. First, the advent of data protection laws in Canada, including the eventual spread of breach notification requirements, clearly puts privacy as a societal value to be respected, arguably buttressed by numerous public surveys on the subject. This inserts a “public interest” into the collection, use and disclosure of personal information.
Second, accounting for a “public interest” has evolved as a core feature of self-regulated professions – at least in the view of the Supreme Court of Canada: See Rocket v. Royal College of Dental Surgeons of Ontario,  2 S.C.R. 232 and Pearlman v. Manitoba Law Society Judicial Committee,  2 S.C.R. 869. If the public expects ethical behaviour from privacy officers (and the organizations that employ them), how is that to be enforced?
One has to bear in mind that protecting the “public interest” in self-regulated professions reflects a form of social compact: the profession is granted the right to regulate itself on the understanding that it will do so in the public interest. In holding licensed members of the profession to standards that recognize and protect the public interest, the profession self-regulates by determining those who are fit to be licensed. As any professional is well aware, licenses that have been granted may be withdrawn or restricted.
Most people think of doctors, lawyers and accountants as regulated professions. In Canada, professional licensing is a provincial responsibility and, in Ontario, according to this source, there are 38 regulated professions, ranging from the health professions to others I wouldn’t have immediately thought of as regulated professions: foresters, geoscientists, drugless therapy/naturopathy and social workers. Adding privacy officers to such a list is not a far-fetched notion.
Privacy officers do bring a specialized combination of knowledge and skills to the table. If the protection of privacy is in the public interest, arguably this places a duty on a member above personal interest or gain. Knowledge, skill and duty are key words that make a profession one worthy of consideration as a self-regulated profession.
Self-regulation goes beyond certification into licensing. I’ve always thought certification is designed to strengthen the profession itself while licensing is designed to protect the public. Licensing a profession brings with it a number of responsibilities but, for the purposes of this posting, two come to mind: (1) compliance with a Code of Ethics, which exists, in part, to govern a professional’s relationships with the public, clients and other professionals; and (2) a responsibility on the part of the profession to regulate its own members. Compliance with such a Code would respect the social needs of individuals – of all degrees of vulnerability – to the adverse effects of insufficient privacy rather than just blanket compliance with statutes or technical standards.
Self-regulation, therefore, brings the enforcement component to bear on the ethical obligations of members of the profession, arguably making the protection of privacy a goal to which the profession dedicates itself rather than just a career specialization for the profession’s membership. (Or, as one person suggested to me, preventing title inflation for executives who have CPO added to their other employment duties by CEOs looking to “park” privacy “somewhere”.)
To the extent that privacy officers serve as an interface between the public and organizations, public trust would certainly be enhanced if there were knowledge of an enforceable ethics requirement behind the conduct of the privacy officer and a requirement that privacy professionals act according to principles that serve the public interest.
Admittedly, this is a somewhat radical idea but given the changes in the profession over the last 10 years, who knows what might happen?