Privacy Officers: A Regulated Profession?
A conversation about privacy and ethics last week led to an intriguing thought: should privacy officers become self-regulated?
There are organizations that represent the “profession”: the International Association of Privacy Professionals (“IAPP”) is probably the most recognizable and one that should be commended for advancing the interests of its membership through education and networking opportunities. In Canada, there is also the Canadian Association of Professional Access and Privacy Administrators (“CAPAPA”), perhaps lesser known but no less dedicated to assisting its membership. Both either have or are establishing certification programs. Job offerings for privacy officers often call for some sort of privacy certification as a desirable attribute in candidates and privacy officers have responded by seeking such designations. In short, privacy has made enormous strides in professionalism in a short period of time (recognizing that public sector access/privacy officers have existed since at least the 1970s).
But no matter the degree of professionalism, privacy officers in public and private sector organizations “represent” the organization. A rough analogy might be made to “workplace safety officers”, some of whom do very good jobs mediating the interests of workers in ensuring a safe workplace but also are firmly on the management side of the equation.
How do these “good officers” get the balance right? I suspect in large part, leaving workplace politics and strict legal compliance aside, because they ask, “what’s the right thing to do?” In other words, ethics plays a part. By “ethics”, I mean, standards of right and wrong coupled with personal conduct and judgment.
So why a regulated profession? Two thoughts converge here. First, the advent of data protection laws in Canada, including the eventual spread of breach notification requirements, clearly puts privacy as a societal value to be respected, arguably buttressed by numerous public surveys on the subject. This inserts a “public interest” into the collection, use and disclosure of personal information.
Second, accounting for a “public interest” has evolved as a core feature of self-regulated professions – at least in the view of the Supreme Court of Canada: See Rocket v. Royal College of Dental Surgeons of Ontario, [1990] 2 S.C.R. 232 and Pearlman v. Manitoba Law Society Judicial Committee, [1991] 2 S.C.R. 869. If the public expects ethical behaviour from privacy officers (and the organizations that employ them), how is that to be enforced?
One has to bear in mind that protecting the “public interest” in self-regulated professions reflects a form of social compact: the profession is granted the right to regulate itself on the understanding that it will do so in the public interest. In holding licensed members of the profession to standards that recognize and protect the public interest, the profession self-regulates by determining those who are fit to be licensed. As any professional is well aware, licenses that have been granted may be withdrawn or restricted.
Most people think of doctors, lawyers and accountants as regulated professions. In Canada, professional licensing is a provincial responsibility and, in Ontario, according to this source, there are 38 regulated professions, ranging from the health professions to others I wouldn’t have immediately thought of as regulated professions: foresters, geoscientists, drugless therapy/naturopathy and social workers. Adding privacy officers to such a list is not a far-fetched notion.
Privacy officers do bring a specialized combination of knowledge and skills to the table. If the protection of privacy is in the public interest, arguably this places a duty on a member above personal interest or gain. Knowledge, skill and duty are key words that make a profession one worthy of consideration as a self-regulated profession.
Self-regulation goes beyond certification into licensing. I’ve always thought certification is designed to strengthen the profession itself while licensing is designed to protect the public. Licensing a profession brings with it a number of responsibilities but, for the purposes of this posting, two come to mind: (1) compliance with a Code of Ethics, which exists, in part, to govern a professional’s relationships with the public, clients and other professionals; and (2) a responsibility on the part of the profession to regulate its own members. Compliance with such a Code would respects the social needs of individuals – of all degrees of vulnerability – to the adverse effects of insufficient privacy rather than just blanket compliance with statutes or technical standards.
Self-regulation, therefore, brings the enforcement component to bear on the ethical obligations of members of the profession, arguably making the protection of privacy a goal to which the profession dedicates itself rather than just a career specialization for the profession’s membership. (Or, as one person suggested to me, preventing title inflation for executives who have CPO added to their other employment duties by CEOs looking to “park” privacy “somewhere”.)
To the extent, privacy officers serve as an interface between the public and organizations, public trust would certainly be enhanced if there was the knowledge of an enforceable ethics requirement behind the conduct of the privacy officer and a requirement that privacy professionals act according to principles that serve the public interest.
Admittedly, this is a somewhat radical idea but given the changes in the profession over the last 10 years, who knows what might happen?
It is useful to draw the distinction, as you do later in the post, between mandatory licensing i.e. you can’t do the job without a license (e.g. lawyers, architects, physicians), and a certification that gives you the right to a protected title (protected by statute, e.g. Chartered Accountant, or protected by a certification mark, e.g. ACCI for real estate appraiser). Certification does not allow you to keep anyone else out of your field, but it may attract business because of your recognized high standards.
It seems to me that privacy professionals have got to work themselves into a good market position through certification before they can justify preventing any non-member of their organizations from competing with them.
Being able to guarantee one’s ethics by showing that one is subject to effective discipline for unethical behaviour is a good start to a valuable reputation. It might be necesary – and it would be difficult at present – to show that the public was at risk from unethical behaviour from non-member privacy professionals, in the absence of a statutory monopoly on the practice.
EMP: A private correspondent offered the following in response to John’s comment. I received permission to post it in order to facilitate discussion.
“Isn’t this a further sign of the need for some serious discussion about what ethics actually means for privacy and its practitioners and whether, in particular, it signals something more than complying with laws, protecting your organization, and excluding others from your marketplace?”
Hello Michael,
Excellent article! FYI, it is a requirement of CAPAPA’s professional certification programs that the applicant sign a document indicating that they will abide by our code of professional conduct. Violations of the code could result in loss of certification status.
Regards,
Patrick Kenny
I am in agreement with all of the above comments. I would like to respond to Michael’s comment about the difference between certification and licensing (self-regulation). John G also commented in support of the idea that privacy professionals have got to work themselves into a good market position through certification before they can justify preventing any non-member of their organizations from competing with them.
This is exactly the approach that CAPAPA has adopted in its certification program. In 2004, I wrote a discussion paper for CAPAPA that described four different models for professional designations. This was the basis for the design of CAPAPA’s certification program that was launched in 2009.
(see http://www.capapa.org/Documents/Discussion%20Paper%20on%20Professional%20Certification%20May2004%20FINAL.pdf)
The first model, which is where all professions start, is an un-organized, loosely defined profession without any specific legal basis preventing anyone from calling themselves anything they want. Anyone can claim they are a “Certified Privacy Professional”, however no organization would have any basis for suing a person who was making such a claim. Examples of this category of designation include some course and program certificates from commercial training and academic institutions.
The second model, which is where CAPAPA is at now, having launched its first two designations in a family of eventually four professional designations, is a “semi-protected” designation or Certification mark. They are owned by an organization which then authorizes their use to people who meet defined standards.
The third model is called a Protected Designation. This a step CAPAPA will take sometime in the future. In this case, a specific provincial statute or an Order-in-Council pursuant to a general statute like the BC Society Act provides that only a person who is a full member of a particular professional organization may use that title and that anyone who contravenes this requirement is guilty of an offence. This is what Michael referred to as licensing or self-regulation.
However, in contrast with the fourth and highest professional designation model, called an “exclusive” designation, the statute in the Protected Designation model does not state that ONLY a registered person may practice the particular profession.
I don’t expect that CAPAPA will seek to establish the Access and Privacy Profession in Canada as an “exclusive” profession like the legal profession or engineering, but I may be wrong. This will be a question I will discuss with CAPAPA’s Certification and Accredition Advisory Board at an appropriate time.
In the meantime, we still have a lot of work to do to roll out our next certification level, the Chartered Access and Privacy Professional designation, which is based on the semi-protected model. Just as Michael has wish for, the requirements for CAPAPA’s professional designations place a strong emphasis on applicants having the knowledge, skills, education and experience to competently perform access and privacy tasks consistent with the high standards set out in CAPAPA’s Professional Code of Ethical Principles and Professional Conduct. To become certified, applicants must sign an agree to abide by these standards.
To see CAPAPA’s Code of Ethics, go to http://www.capapa.org/Documents/CAPAPA%20Code%20of%20Ethics.pdf
Eric Lawton
Director of Professional Certification
CAPAPA
Dear Colleagues,
I agree that self regulation is a great approach and works in most professions if it is effective. As issues arise and the self regulating body is unable to address those issues it becomes apparent that there needs to be some legal teeth.
I disagree that IAPP or CAPAPA are the undisputed governing bodies of the privacy sector in Canada. I believe that if a professional was to look beneath the covers they would see some questionable conflicts of interest.
I also disagree the privacy should be a separate stream of information security, after all it’s just another form of information classification.
The problem with building these ivory towers is that they end up institutionalizing a new stream of overhead and associated costs that is not necessary. There are solutions to address the privacy issues.
For example data protection/privacy laws can be mapped into standard information handling procedures and control deck. Breach notification can be handled by a CSIRT, after all a breach can’t occur unless a breach of information security has occurred first. The response can be well defined communication strategy. Any mitigation activities can be managed through a corrective action and preventative action process or continuous improvement process.
The benefits are obvious but there’s more. The vulnerability management process can keep an ear to the ground for any new threats. The risk management process can continue to monitor and manage risks associated with data protection. The risk management process may also integrate with PMO, SDLC and QA to facilitate risk assessments and privacy impact assessments.
Sincerely,
Mark.