Select Committee on Home Affairs Written Evidence


Memorandum submitted by J Trevor Hughes, International Association of Privacy Professionals


  1.  The profession of privacy—meaning individuals skilled in counseling and managing the myriad issues related to privacy compliance and data protection—has grown significantly in the past ten years. The public and private sectors have now recognized that privacy professionals must be engaged in any discussion of new privacy standards, any development of privacy-sensitive technologies, or any initiative in which personal data is involved. Privacy professionals, in a very real way, bring to life the privacy protections promulgated by legislative and regulatory bodies around the world.

  2.  Enabling and empowering privacy professionals within the public and private sectors are effective ways to ensure that existing and emerging data protection standards are met. The opposite is also true: creating data protection standards without concurrently promoting the development of the privacy profession will undoubtedly ensure that standards are not met—and that the expectations of citizens with regard to the use of personal data are unfulfilled.

  3.  Privacy professionals have developed sophisticated tool kits to accomplish their jobs. Privacy impact assessments (PIAs) are one such tool. However, the profession of privacy has developed many other tools to respond to the challenges of maintaining trust and compliance in the information economy, including: privacy-sensitive product development, auditing, and privacy-enhancing technologies.


  4.  On behalf of the International Association of Privacy Professionals (IAPP), I am happy to provide these comments to the Home Affairs Committee's inquiry into the recent report commissioned by the Information Commissioner's Office, "A Surveillance Society?" The IAPP is a rapidly growing professional association that represents individual members working in the field of privacy and data protection. The organization works to define and promote this nascent profession through education, networking, and certification.

  5.  The IAPP currently has approximately 4,000 members in 23 countries around the world. We are based in the United States; however, a sizable number of our members come from the UK and, more broadly, the European Union. One of our largest and most active chapters is located in London—with members gathering regularly to discuss issues related to the regulatory and operational challenges in today's information economy.

  6.  It is important to note that the IAPP is not an advocacy organization, and does not take policy positions on substantive matters related to data protection. We endeavour to provide our members with a great breadth of educational offerings in the field of privacy, but we do not take any position on the merits or faults of particular privacy laws, regulations, or programs.

  7.  There is one large exception to our rule against taking advocacy positions: we feel strongly that privacy professionals are a critical component to any of the responses to privacy concerns in the public or private sectors. Put simply, you cannot have effective privacy practices without skilled practitioners to define, create and maintain them. We feel that any discussion of appropriate responses to data protection challenges must necessarily include recognition of the need for privacy professionals.

  8.  The IAPP was founded six short years ago when an emerging network of privacy professionals recognized the need for a professional association. The organization has grown rapidly since those early days and now boasts over 4,000 members in 23 countries. Our recent annual conference here in Washington was, to our knowledge, one of the largest privacy conferences ever held, with over 1200 attendees. Clearly, the market has placed a very high value on privacy and the robust, but responsible use of data.

  9.  When the IAPP was initially formed, the majority of our members shared a similar title: chief privacy officer, or CPO. Indeed, many—if not most—multinational companies have now appointed a chief privacy officer. But the majority of IAPP members are not CPOs. Rather, we have seen a robust hierarchy of professional roles in privacy emerge. These privacy professionals cover issues of compliance, product development, marketing, security, human resources, customer relations, and more. The management of privacy issues in large organizations now requires a broad and deep team of professionals with increasingly sophisticated skills.

  10.  It should also be noted that the United States, while not having a privacy commissioner, has required all federal agencies to appoint a representative to be responsible for privacy issues within that agency. Through this requirement, many governmental chief privacy officers have been appointed. Further, we are beginning to see the appointment of chief privacy officers at the state level—with California and Ohio both having privacy functions created within state government. These federal and state privacy professionals have a distinctly different function than, for example, the UK Information Commissioner. Governmental privacy professionals in the United States are not regulators. Rather, they are responsible for overseeing and, in some cases, managing an agency's use of data.

  11.  The job of a privacy professional demands mastery of a complex set of laws, technology, security standards, and program management techniques. Many privacy professionals are also legal professionals, but other fields—such as accounting, technology, marketing, and security—are well represented within our membership.

  12.  In 2004, the IAPP introduced the first broad-based privacy certification to the US marketplace, the Certified Information Privacy Professional (CIPP). This credential is meant to serve as a demonstration of a candidate's mastery over a range of fundamental privacy concepts. The CIPP program covers: law and policy; online privacy; information security; operations (managing a privacy program); and data transfers. To date, roughly 2000 people have taken the exam and over 1500 CIPPs have been granted worldwide. We feel strongly that the CIPP program is a crucial component to the continued professionalization of this field.

  13.  In 2005, the IAPP extended the CIPP program to include issues of governmental privacy. The CIPP/G program covers issues specific to the US public sector: such as the Privacy Act, the eGovernment Act, the Patriot Act, and more. Included in this designation is a significant focus on privacy impact assessments (PIAs), which are required of many government programs in the United States under the eGovernment Act.


  14.  Again, the IAPP does not take a position on whether a legislative requirement such as the PIA is good or bad. However, I can say that PIAs have become a very commonly used tool for privacy professionals to assess the potential data protection implications of a program prior to launch. Our members actively use such tools on a daily basis. In general, it appears that PIAs have provided an important mechanism for privacy professionals to assess and provide commentary on new programs within federal agencies.

  15.  Generally, the Department of Homeland Security describes a PIA as an analysis of how personal information is collected, used, disseminated and maintained by a US federal agency. The PIA examines how the agency has incorporated privacy concerns throughout the development, design and deployment of a program or technology.

  16.  A recent assessment by the US Office of Management and Budget (an oversight body for US governmental agency operations) found that the US Department of Homeland Security (DHS) conducted 25 assessments in 2006, up from only 11 such assessments in 2004. However, this was against a backlog of 143 DHS programs which required PIAs in 2006. In total, the DHS has completed 70 PIAs since the inception of the eGovernment Act requirements.

  17.  Commentators have applauded PIAs as a good mechanism for providing substantive feedback on the development of new programs. Further, the transparency afforded to citizens as to the uses of their data by the government can only be seen as a positive factor.


  18.  There are other tools used by privacy professionals to effectively manage privacy within an organization. Certainly, PIAs are one such tool. However, PIAs should not represent an assessment of data protection issues after a program or technology has been conceptualized. Many privacy professionals, particularly in the private sector, are actively involved in the actual development of products and services for their organization. This is particularly true in the technology industry. Indeed, the assessment of privacy concerns often occurs during the development of a product or service—as opposed to after, when the product or service may be ready for release to the marketplace. Organizations that engage in this type of privacy-sensitive development may find that there are fewer delays and smoother paths forward for the release of new offerings. Ideally, PIAs should be seen as an iterative process—one that involves an ongoing involvement by privacy professionals through the design, development and deployment stages.

  19.  Privacy professionals also actively manage audit and accountability programs to ensure that any privacy protections built into programs are actually working in the manner intended. We have certainly found that privacy issues cannot be managed effectively from a distance. Privacy professionals must become actively involved in overseeing the use of data (through audits and other controls) to ensure that expectations regarding privacy are indeed met. In fact, a substantial industry of external privacy auditors has emerged around the world to help to review and assess compliance with both privacy laws and internal privacy policies.

  20.  We have also witnessed the development of privacy enhancing technologies in the marketplace (PETs). Some PETs are available to the marketplace as responses to concerns associated with disruptive or troubling privacy practices. Anti-spyware programs, spam filters, and pop-up blockers are good examples of such "after-market" solutions. Other PETs are built into the technology itself. Within many internet browsers, controls exist to manage and block privacy-sensitive technologies such as cookies. Indeed, Microsoft's Internet Explorer browser includes a sophisticated tool which requires certain cookies to be associated with a condensed privacy statement. Failure to associate some cookies with a privacy policy may result in them being blocked outright by the browser.

  21.  It must be said again that any of the tools described above are useless without trained and skilled professionals to use them effectively. My personal experience is that the addition of a privacy professional to an organization's staff can only improve that organization's respect for personal information. Privacy professionals are, quite simply, good for privacy.


  22.  Clearly, the profession of privacy has cemented its position as a critical resource in any organization that deals with data—whether in the public or private sectors, or both. I encourage members of the committee to visit the IAPP's website to learn more about the profession of privacy. And, as a CIPP myself, I strongly recommend that the committee consider the value of such privacy certifications as a tool to ensure privacy issues are properly identified and addressed in the public and private sectors. I thank you for this opportunity to testify before your Committee today.

June 2007


© Parliamentary copyright 2008
Prepared 8 June 2008