Is it time for your company to consider appointing a CPO (Chief Privacy Officer)?
The Privacy Amendment (Private Sector) Act 2000 commenced with little fanfare on December 21, 2001, effectively regulating the way that non-government organisations gather, use, store, secure, and disclose personal information.
Essentially it means that personal information (which can identify an individual) cannot be gathered, kept or used without complying with the National Privacy Principles.
Individuals must be offered access to properly formulated privacy policies, supported by high-integrity systems. They must know who is gathering information, why, what will happen to it, who will use it, and for what specific purpose.
The ramifications for ICT specialists are complex and potentially expensive--particularly given the dramatic growth of customer relationship management (CRM) applications in recent years.
It requires deep integration of the ICT role with the management, legal, marketing, and public affairs segments of the enterprise if customers and consumers are to be given adequate grounds for trust.
ICT professionals must know how information flows out of a company via an inherently open Internet as well as how it flows in.
Privacy compliance is also inextricably linked with information security, adding to an already testing burden for ICT managers, who must not only ensure that an organisation's systems contain and provide legitimately usable data but also that those systems are secure against unwanted intrusion.
Dealing with CRM or personalisation software vendors whose products lack adequate privacy controls--in particular, the ability for customers to opt in to or out of data retention or distribution arrangements--can also be an issue.
To build adequate infrastructure to manage privacy concerns, ICT managers must first fossick through mountains of files to identify and isolate pertinent data. Then customer preferences must be tracked and rules built into enterprise systems.
Under the Australian legislation, customers must be given access to their personal data to ensure its accuracy, and any request by an individual to view their data must be acknowledged--generally within 14 days--and the information provided within 14 to 30 days.
In the US, legislators are struggling with a slew of regulatory initiatives: financial privacy legislation (Gramm-Leach-Bliley), for example, requires every financial institution to communicate their privacy policies to customers by July to allow them to opt out of marketing solicitations.
So just where in the organisation does responsibility lie? The emergence of the Chief Privacy Officer (CPO)--500 are predicted to be appointed in the US in 2002--reflects an American anxiety to get in step with world trends.
An Australian perspective
Few Australian organisations may go that far, but an accepted CPO job description provides a useful outline of corporate responsibility whether handled by a specialised individual or team:
- Determine, oversee, and implement data privacy policies and consumer protection initiatives;
- Ensure the firm adheres to and follows all guidelines as they relate to the organisation;
- Work with IT, marketing, sales, legal, HR, and public relations to buy in to privacy policies and actions;
- Educate employees about privacy policies and practices, and build trust with internal groups;
- Respond to customer complaints and questions and/or be involved with serious complaints;
- Work with consumer advisory agencies.
Privacy is an extraordinarily complex matter and organisations must make value judgements as well as technology decisions.
The Australian legislation is complaints-based and does not include criminal penalties. Determinations, which can include compensation, will be made by the Privacy Commissioner, Malcolm Crompton, whose Web site is a good starting point for those seeking guidance.
The ACS has been directly involved in developing discussions, papers, and Senate submissions from the outset of Australian moves towards privacy legislation.
Richard Hogg is president of the Australian Computer Society (ACS). The ACS is the recognised association for Information Technology (IT) professionals, attracting a large and active membership (over 16,000) from all levels of the IT industry and providing a wide range of services. A member of the Australian Council of Professions, the ACS is the guardian of professional ethics and standards in the IT industry, with a commitment to the wider community to ensure the beneficial use of IT.