Thursday, April 5, 2012

Random Thoughts on Privacy and Test Taking

· On February 22, the White House issued a Consumer Privacy Bill of Rights.
· On March 26, the Federal Trade Commission called for greater regulation of online consumer privacy.
· On March 9, I took two examinations to become a Certified Information Privacy Professional.
The certification exams followed my attendance at the Global Privacy Summit in Washington, DC, sponsored by the International Association of Privacy Professionals (IAPP). The first exam covered privacy and data protection from a global perspective, including privacy principles and definitions, information security controls, and online privacy protection. These general principles are essential to all privacy professionals regardless of industry, practice, or jurisdiction. The second exam was specific to United States privacy laws and regulations as well as the transfer of personal data to and from the United States, European Union, and other jurisdictions.
There was one prerequisite for this certification exam: bring a sharpened #2 pencil. The invitation clearly stated that no extra pencils would be available at the test. Our law firm supply room had mechanical pencils and some thin black #10 graphite pencils. Cool-looking pencils, but I was looking for the old-fashioned maize-colored Ticonderoga brand. Thanks to a fellow test-taker who apparently had a zest for the use of the eraser, I was able to borrow one of the pink “Dora the Explorer” pencils that he had been given by his young daughter.
The last test I took was the Minnesota bar exam in 1985 and the outcome was positive. I expect to get the results of these certification exams within a few weeks. If I pass, I will certainly make the results public. If not, I may assert my right to keep private such personally identifiable information (otherwise known as “PII”).
Yes, the privacy professional lives in a world of acronyms and technical jargon. Consider the following:
PII, FTCA, COPPA, HIPAA, GLBA, ECPA, ADA, OSHA, GINA, PIPEDA, FACTA, CAN-SPAM, TCPA, CARU, DMA, PCI-DSS, TSR, JFPA, CALEA, EPP, FOIA, HITECH, ISO 27002 SECURITY STANDARDS, COOKIES, BEACONS, SSL, TLS, PHISHING, CROSS-SITE SCRIPTING, HTML, SCRAPING, SPIDERS, HTTPS, VPN, P3P, W3C, ENCRYPTION
Right now, my knowledge of privacy law and related issues is at its zenith. If you ask me questions about any of the above privacy-related laws and terminology, I will likely answer quickly and with confidence. How long can I keep so much information stored in my brain for such instant recall?
How do I sum up the most important lesson learned from my recent studies? Say what you do and do what you say.
If you have a privacy notice and policy posted on your website, make sure that it is consistent with how you actually use the PII. If you say you will not share the PII with third parties, make sure that you do not share information with third parties. Even if the sharing is otherwise legal, your inaccurate privacy policy may subject you to a claim of deceptive trade practices.
Cory Doctorow, a keynote speaker at the Summit and co-editor of the weblog boingboing.net, suggested that people undervalue their privacy and that data-driven companies exploit this. He asserted that the privacy bargain made with Facebook to give up personal data in exchange for a free service is not a fair exchange.
At the other end of the spectrum was the perspective shared by Summit speaker Jeff Jarvis. Author of Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live, Jarvis professes that “public is better than private” and that the sharing of PII can be beneficial. When Jeff decided to tell the world about his prostate cancer, he happily blogged about his malfunctioning penis and the adult diapers he had to wear. He views technology as enabling the sharing of information and believes that the digital conversations we are having are like nothing we have ever experienced in our history.
Should the collection, processing, and use of PII follow the European model and require more informed consent by individuals? Are new federal laws and regulations necessary? How many more acronyms will I have to learn to give sage counsel in the privacy arena? How different will the certification exams look next year from the ones I just took?
Note to self: when you take a multiple-choice test with a pencil and eraser, try not to sit next to the heavyset guy who makes the entire table shake each and every time he makes use of his eraser. You just might find that your attempt to fill in “A” ends up in the “B” box.

UPDATE: JUST RECEIVED NOTICE THAT I AM NOW A CERTIFIED INFORMATION PRIVACY PROFESSIONAL/UNITED STATES.  THANK YOU, DORA THE EXPLORER!
