The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, December 16, 2006

Privacy Officers stuck in the middle 

Privacy Officers have an interesting role in an organization, both as an advocate for their organization and as a voice for the privacy concerns of different stakeholders. Robert Gellman has an interesting take on the conflicting pressures:

Chief privacy officers stuck in the middle: CPO's have to live by their wits, and be useful

By Robert Gellman, Special to GCN

Let’s try a role-playing exercise. You are the newly appointed chief privacy officer at your agency. How can you represent privacy interests internally, look functional to outsiders and not get your agency’s management mad at you? It isn’t easy to balance all these conflicting objectives.

A CPO in any organization is a person in the middle. It’s true for a CPO in a company, and it is true for a CPO in a federal agency. Even well-established internal privacy offices have to walk a tightrope.

CPOs face several institutional problems. They typically have little real power, limited resources and no natural base of support. Privacy remains a novel issue at many agencies. It often doesn’t even appear on the radar screen unless there is a crisis.

You will recall that Congress in 2004 directed agencies to establish CPOs. As the new kid on the block, a CPO has to define the role of the privacy office. It’s true that agencies have had to comply with the Privacy Act of 1974 for a generation, but most Privacy Act staffers have little power and influence. Can CPOs do better?

CPOs should not look to the Office of General Counsel as a role model. At most agencies, everyone hates the lawyers. The lawyers have the power to stop anything they don’t like by declaring it contrary to law. Agency lawyers frequently have no incentive to be helpful because they know that they can’t be fired, evaded or ignored by their clients. Anyway, a CPO does not have the clout a lawyer has.

Program offices may accept help from a CPO, but it is more likely that the CPO will have to prove something first. Some offices with privacy issues may require the CPO to bring the Wicked Witch’s broomstick—or the bureaucratic equivalent, which is a directive from the head of the agency—just to get in the door.

A CPO will have to live by his or her wits, but mostly by being useful. Often that means being a team player, finding practical solutions and, most important, doing things instead of telling others what to do. Another problem faced by an externally visible CPO comes when the battle has been lost. A privacy issue surfaces in your agency, and you recommend that the agency take specific steps to minimize privacy intrusions. You fight it out internally, and the agency rejects your advice.

That’s bad enough, but here comes a call from a reporter asking what you think of the agency’s decision. If you say that the decision was wrong, you will surely tick off your agency head as well as the program office. Good luck having any influence in the future. But if you say the decision was right, you will lose your credibility with congressional critics and with the privacy advocates who are screaming that your agency just joined Big Brother’s team.

See what I mean about being in the middle? There is no place to turn without digging yourself in deeper. So what to do? I have an answer.

The solution is that a CPO has to be able to respond procedurally. If you don’t want to say that a decision was substantively right or wrong, the best answer is that the agency duly considered privacy when it made its decision. CPOs should define their own role in procedural terms to avoid being forced to lie or being left with nothing to say. That procedural response is appropriate even when the agency did the right thing for privacy.

In a better world, we would have a truly independent privacy office that could responsibly praise or criticize an agency, the administration, Congress or the courts without losing budget or influence. But without independence, the best that we can hope for is that privacy officials represent privacy assertively, be creative, work hard and live to fight another day.


The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.