Five Things Every CSO Needs to Know About the Chief Privacy Officer
CPOs and CSOs need to cultivate common ground between security and privacy
February 01, 2005 — CSO — It was the annual crunch time between Thanksgiving and the new year, and Nuala O'Connor Kelly had just sent to the printer the first-ever report to Congress by a chief privacy officer.
This was it, the historic report
to get once members of Congress got their mitts on her report, she wasn't letting on.
"It's actually a great moment for the [privacy] office to sit back and take stock of where we are now and where we're going for the next two, three, four, five years," says O'Connor Kelly, dashing from one meeting to the next with one of her staff members.
At the time, O'Connor Kelly was the only federal government CPO whose position was mandated by law and who was required to file an annual report to Congress. But this seemed on the brink of change. Congress's consolidated 2005 appropriations bill, signed by President Bush in December, contains a provision that
These new CPOs would be charged with protecting privacy within their own agencies, evaluating proposed laws and regulations, training employees about privacy policies and ensuring compliance with applicable laws. They would have to report on their progress annually to Congress. And every other year, their agency's Inspector General would have to hire "a recognized leader in privacy consulting" to do an independent review of their program's effectiveness.
The law would do a lot more than create a crew of federal CPOs in O'Connor Kelly's image. In the private sector, government demand for privacy expertise is expected to lead to greater awareness, more stringent certifications and stricter standards around privacy.
And for CSOs, it ensures that their best friend and nemesis, the CPO, is not going away.
"There are some conflicts between the philosophical approaches to the two positions," says Lynn Mattice, vice president and CSO at Boston Scientific. "The CSO's responsibility is to ensure that the business enterprise is safeguarded, and the privacy officer is primarily concerned with safeguarding the individual's privacy. That's where you can have some points of contention."