In Depth

Five Things Every CSO Needs to Know About the Chief Privacy Officer

CPOs and CSOs need to cultivate common ground between security and privacy

By Sarah D. Scalet

February 01, 2005

CSO — It was the annual crunch time between Thanksgiving and the new year, and Nuala O'Connor Kelly had just sent to the printer the first-ever report to Congress by a chief privacy officer.

This was it, the historic report: a 40-page description of what O'Connor Kelly had been doing during her first year as the first CPO of the U.S. Department of Homeland Security. Like addressing concerns about DHS's policies with privacy officers from other countries. Examining the department's growing use of biometrics. And reading irate e-mails from the public about controversial initiatives like the Transportation Security Administration's passenger screening program. If O'Connor Kelly was nervous about the grilling she was likely to get once members of Congress got their mitts on her report, she wasn't letting on.

"It's actually a great moment for the [privacy] office to sit back and take stock of where we are now and where we're going for the next two, three, four, five years," says O'Connor Kelly, dashing from one meeting to the next with one of her staff members.

At the time, O'Connor Kelly was the only federal government CPO whose position was mandated by law and who was required to file an annual report to Congress. But this seemed on the brink of change. Congress's consolidated 2005 appropriations bill, signed by President Bush in December, contains a provision that, depending on how the White House's Office of Management and Budget interprets it, would create a handful or more of CPOs at federal agencies.

These new CPOs would be charged with protecting privacy within their own agencies, evaluating proposed laws and regulations, training employees about privacy policies and ensuring compliance with applicable laws. They would have to report on their progress annually to Congress. And every other year, their agency's Inspector General would have to hire "a recognized leader in privacy consulting" to do an independent review of their program's effectiveness.

The law would do a lot more than create a crew of federal CPOs in O'Connor Kelly's image. In the private sector, government demand for privacy expertise is expected to lead to greater awareness, more stringent certifications and stricter standards around privacy.

And for CSOs, it ensures that their best friend and nemesis, the CPO, is not going away.

"There are some conflicts between the philosophical approaches to the two positions," says Lynn Mattice, vice president and CSO at Boston Scientific. "The CSO's responsibility is to ensure that the business enterprise is safeguarded, and the privacy officer is primarily concerned with safeguarding the individual's privacy. That's where you can have some points of contention."
