Industry body to highlight privacy for professionals

8 Dec 2004

The International Association of Privacy Professionals (IAPP), an industry body aimed at defining and supporting those working in the field of data protection, is looking to set up a chapter in Ireland.

The group is holding a series of briefings around Europe during the month of December in association with Ernst & Young. It held a meeting in Dublin yesterday, the first of its kind to be held outside the US.

According to Trevor Hughes, executive director of the IAPP, the last five years have seen the rise of a new position within organisations – the chief privacy officer (CPO) – whose role is to oversee compliance with data protection directives. This trend will be even more evident from next year as all US federal agencies must employ a CPO.

Hughes said that these employees are drawn from a range of backgrounds, such as marketing, law, information technology and public relations. The nature of a CPO’s role calls for multiple disciplines, he added. “To understand privacy on the web, you have to understand how a cookie works.”

He outlined the driving factors for privacy and data protection, which include regulatory compliance and a need to earn customer trust by demonstrating that information about them is handled responsibly.

The IAPP has also introduced a certification programme for privacy professionals, the CIPP. So far 150 professionals in the US have taken this exam, and earlier this week 5 staffers from HP Ireland became certified, the first in Europe to hold this qualification.

Also speaking at the event, Janet McCoy, chief privacy officer of US-based Sovereign Bank, explained how the institution first employed a privacy officer in 2000. She noted that the bank’s senior counsel advised that the job should not be filled by a lawyer. The reason for this is that notifying employees and customers of the bank would require a simpler, easier-to-understand version of the organisation’s privacy policy. “Marketing takes the lead and the legal side supports this,” said McCoy. “The bank has a version of its privacy statement that complies with the rules but explains in plain English.”

Brian Tretick, principal with Technology and Security Risk Services at Ernst & Young, gave an overview of many key issues facing privacy professionals, including safeguarding personal information from unauthorised access, compliance with legislation and the complex privacy implications of outsourcing deals.

Training and awareness throughout an organisation also figured highly on Tretick’s list. “You need to train employees to appropriately protect and handle personal information. Privacy needs to become part of the corporate culture,” he said.

Tretick recalled the “old days” of the internet around 1998 when sites routinely gathered lots of data for profiling visitors. “You wanted to get as much customer information as possible, to get as close to them as possible: now, you can’t go there.”

He also referred to the Sarbanes-Oxley legislation as “the ugliest words in industry today” because of what organisations need to do to comply. “For privacy and data protection, SOX asks for more than is necessary in a normal environment.”

Ireland’s Data Protection Commissioner Joe Meade, also present at the briefing, welcomed the efforts of the IAPP, saying they would help to raise the profile of privacy and the need for organisations to handle customer or public information responsibly and appropriately.

By Gordon Smith