Ideal Job Qualifications For a Chief Privacy Officer

The newest fad in the privacy arena is the privacy officer. A fair number of companies have created or are considering creating these positions.

Some of the salaries are notable. I have heard that some reach well into six figures. The salaries are so large, in at least some cases, that I wouldn’t be surprised to see some privacy skeptics reconsider their views and decide that privacy is worthwhile after all.

Calling the privacy officer movement a fad is probably unfair. For companies that have lots of personal data, managing privacy is a significant challenge. The federal bank restructuring bill, known as Gramm-Leach-Bliley, may have been the catalyst for the establishment of privacy officers at financial institutions.

The demand for privacy officers is likely to increase in the near future. The 1996 Health Insurance Portability and Accountability Act mandated that the secretary of health and human services establish health privacy rules. The rules, issued in final form in December, require each covered entity to designate a privacy officer. The position at a healthcare institution does not need to be full time.

Many companies in other sectors that maintain reams of personal data might also do well with part-time privacy or even contract officers. The biggest challenge for a privacy officer is establishing a policy in the first place. But keeping a policy up-to-date takes more effort than you might think.

What are the qualifications for a privacy officer? That is not an easy question to answer. I see five general skills that are important to serving as a privacy officer in an institutional setting.

First, it would be nice if a privacy officer knew something about privacy. As regular readers of this column know, privacy is a difficult concept with no consensus definition. A privacy officer needs to be able to define the boundaries of privacy for her own institution.

Second, the law is an increasingly important element of privacy protection. While the United States has a small number of mostly narrowly focused privacy laws, the number and scope of privacy laws will increase. The ability to read and understand Gramm-Leach-Bliley or HIPAA will be essential, depending on the industry involved.

Another important privacy law, at least for Web sites, is the Children’s Online Privacy Protection Act. International privacy laws also may be relevant for multinational companies. You do not have to be a lawyer to be a privacy officer, but it doesn’t hurt.

Third, technical skills are essential in today’s Internet environment. For any Web-based function, knowledge of the technology is crucial. Is a Web site using cookies, Web logs, Web bugs? Anyone who does not have some understanding of these features will not be able to talk usefully about the design and operations of a Web site that collects or dispenses personal information.

I want to make it clear that not every privacy-related activity has an Internet connection. In the medical arena, for example, most information is still on paper, and electronic patient records are rarely Internet-based today. Similarly, many financial institutions continue to do business as though the Internet did not exist. But the trends are clear enough, and more personal data will migrate to the Internet in the future.

Fourth, for a privacy officer to function effectively in any institution, the person with the job must have a basic understanding of the institution and its functions. When I talk to a business about its privacy needs, the first thing I want to know is how the business collects, maintains, uses and discloses personal information. You cannot do privacy without a good grounding in the basics of a company and an industry.

Developing and implementing privacy policy always requires a context. The same overall policies may be appropriate for all record keepers, but the application of those policies requires local adjustments. It is appropriate for a hospital and a supermarket to apply fair information practices to their personal data activities, but they will apply the general principles in different ways.

To develop a privacy policy, it is important to know how alternatives will affect fundamental operations. A policy that protects privacy but puts a company out of business is not helpful. Privacy and profits must be and can be compatible.

Finally, a privacy officer needs to know how to get things done. Privacy rules can have a broad effect in any institution. Nearly every component that has anything to do, directly or indirectly, with personal data may be affected. A good privacy officer will be able to find everyone who has an interest, understand their operations and work together to find realistic solutions.

So where will you find someone with all of these skills? It is most likely that you won’t. We don’t have that much privacy expertise yet in this country. However, privacy officers can be successful anyway as long as they bring some skills and are willing to learn the other things they need to know.

If you have most of the relevant skills, you might want to get your resume out right away. Privacy may no longer be an impediment. It may be a career.

Related Posts