The Emergence of the Chief Privacy Officer

hoice, access, and security. One such program, TRUSTe, a nonprofit alliance
of several hundred Web sites, requires members to adhere to established
privacy practices and to comply with published oversight and alternative
dispute resolution practices. The TRUSTe privacy seal, or “trustmark,”
is an online branded seal that indicates compliance with the program and
takes users directly to a site’s privacy statement. In addition, more
sites are giving their privacy statements prominent placement on the homepage
and using those statements to direct users to consumer advocacy organizations
such as www.netcoalition.com
and www.privacyalliance.org.

The IAB’s CPO Council seeks to promote privacy standards and expand
the role of the CPO (www.iab.net).
“Standards are still evolving in the U.S.,” says Polonetsky, and companies
that take a proactive stance will have more say in shaping those standards.

Staffing the CPO
Position

The trend toward hiring CPOs originates in the executive suite and in
business units. “Since discretion and trust are crucial for customers’
attitudes, business managers are well aware of the importance of the CPO,”
says Jorgensen.

In Polonetsky’s opinion, CPOs do not have to be technologists but may
come from marketing, legal, or other backgrounds.

The amount of legal knowledge required by the CPO varies according to
the industry, but most agree that a working knowledge of relevant laws
and codes is sufficient. The key to making the position function, says
Polonetsky, is that the CPO should report directly to the board of directors,
as he does, or at least to a senior executive level, such as the CEO or
COO.

In Europe, where the whole system is geared to guaranteeing the privacy
of data, Hunze says, companies might not see the need for a separate CPO
position. “In certain ways, I am the CPO, but it’s just considered part
of my job, something that is part of the enterprise strategy and required
by law.” Hunze notes that he received privacy training as part of his
overall programming education. “If you do your job right, the privacy
issue is just taken care of,” he says.

Up to now, privacy issues have been handled by CIOs or IT directors
both here and abroad. With increasing complexity, however, the CIO and
CPO positions are beginning to branch off.

Steve Rayner, information systems manager at Northland Health Limited,
a public health provider in Whangarei (pronounced fung-are-ray), New Zealand,
reports that one health organization was rebuked by the New Zealand privacy
commissioner’s office for assigning privacy responsibilities to its CIO.
“It was roundly condemned as a conflict of interest,” he says.

According
to Rayner, “One of the CIO’s strategic objectives was to share patients’
health information with all relevant providers of care in order to maximize
the potential care benefits. The privacy commissioner considered that
the CIO had two conflicting missions – the dissemination of information
and the protection of that information. One cannot be a champion for opposite
points of view.”

Conflicts of interest also arise between competing corporate functions.
“Marketing people want to maximize interaction with consumers, whereas
the legal department wants t