New Face in the C-Suite

Privacy officers have a growing say in how HR professionals do their jobs.

By Rita Zeidner Jan 1, 2010

January CoverAs Rochester, N.Y.-based Eastman Kodak struggles to transform from a film dinosaur to a digital powerhouse, it falls to Chief Privacy Officer Brian O’Connor to keep identity thieves away from EasyShare, Kodak’s photo-sharing web site.

It’s also his job to ensure that HR and line managers don’t put the company at risk by overzealously investigating job applicants.

Welcome to the world of the chief privacy officer (CPO), a young profession with a complicated mandate: protecting the privacy of consumer and employment data.

At Kodak, where O’Connor has served as CPO since 2005, safeguarding customer information—including the millions of digital photos shutterbugs add to EasyShare each day—is key to survival. But it is also at the heart of a complex tangle of federal, state and international rules governing how organizations handle personal information.

It behooves HR professionals to pay attention to the emerging role of CPOs such as O’Connor. They may be asked to hire one or to answer to one. Or, like O’Connor, who formerly counseled Kodak on employment law matters, they may decide to become one.

Turning to the Experts

Not long ago, CPOs were a rare breed. But with the risks of data privacy breaches mounting, business leaders are turning privacy protection over to experts, says Trevor Hughes, an attorney who heads the International Association of Privacy Professionals (IAPP), a York, Maine-based professional group. Threats run the gamut from the inadvertent disclosure of private information hidden on spreadsheets to sophisticated identity theft schemes carried out halfway around the world. Regardless of how a breach occurs, such incidents can devastate business, causing customers to flee, employees to sue or regulators to levy fines.

The first privacy officer positions were created in the late 1990s to help companies deal with government oversight, recalls Kirk Herath. His job as a lobbyist for Columbus, Ohio-based Nationwide Mutual Insurance Co. morphed into a CPO position in 2000––largely to ensure compliance with new requirements surrounding health care, financial and insurance records.

While no one keeps tabs on the number of privacy officials, the IAPP’s rapid growth suggests robust demand for their expertise. Founded in 2000 by a handful of high-tech and financial executives from U.S. Fortune 500 companies, the association now has 6,300 members in 51 countries. Membership increased by 20 percent in 2009, and Hughes expects similar growth this year.

Judging by IAPP demographics, CPOs’ profiles are varied. Like Hughes, about two-thirds of IAPP members are lawyers, although IT professionals, risk managers, marketing and government affairs executives, and a smattering of HR types are also in the mix.

"Privacy really is a hybrid role," says Hughes. "We have seen a diversification in the type of professionals who are out there."

Today, privacy officers most likely work for health care, high-tech and financial services companies, although their roles in government are also growing, particularly in law enforcement. But it’s no longer just the largest organizations making room for them in the C-suite. Twenty-one percent of IAPP members responding to a straw poll in 2009 said their companies’ revenues were below $100 million; 20 percent reported working for companies with fewer than 500 employees. In contrast, 33 percent indicated revenues of more than $20 billion and 29 percent reported headcount of more than 75,000 employees.

CPOs typically earn enviable salaries. Nearly 90 percent of privacy leaders responding to the IAPP’s 2009 survey said they earn more than $100,000 annually, with 29 percent earning $200,000 to $300,000 per year. Three percent of CPOs said they earn more than $500,000 annually. Not surprisingly, the most highly paid privacy officers work in the largest companies.

Culture of Privacy

Unlike professions such as law, architecture, engineering or accounting, there are no educational requirements to become a privacy officer. About a third of U.S. professional privacy jobs, however, require a Certified Information Privacy Professional (CIPP) credential or equivalent, according to the IAPP, administrator of the certificate program. To qualify for domestic accreditation, individuals must score 70 percent or higher on a three-hour test.

While they need not be lawyers, CPOs must understand "the legal side of data, including how it moves, who handles it, how it’s being used and why you need it," says O’Connor, who helps develop CIPP training materials.

Knowledge of international privacy law is crucial, particularly at global companies operating in Europe, where privacy policies are far more restrictive than in the United States. Such rules become a factor when companies need to move customer, employee or applicant data cross-border via the Internet, O’Connor says.

In addition, CPOs need to be versed in the regulation of privacy in the U.S. workplace, including laws governing background screening, drug testing, workplace monitoring and protection of health data.

Educating others about privacy practices is a key part of the job. At Kodak, O’Connor developed mandatory privacy training for all employees handling confidential data, including those working in information technology, HR, finance and risk management.

All of Nationwide’s 35,000 employees—janitors to executives—are required to sign a confidentiality agreement.

Employees have "to understand what is expected," Herath says. "This is about building a culture of privacy and security to safeguard customer confidentiality."

Growing HR Partnership

Compared to the care given to customer data, employee records often get short shrift. But that is changing––in part because the improper handling of employee information has resulted in high-profile and embarrassing data breaches. In 2006, for instance, the theft of a U.S. Department of Veterans Affairs (VA) laptop computer containing benefits information compromised the personal data of 26.5 million veterans and active-duty military employees.

The VA is among several organizations forced to fend off damage claims filed by employees or retirees whose data was compromised. At least two employees sued Starbucks after receiving notification that a laptop containing their personal data had gone missing in 2008.

Courts tend to dismiss damage claims brought by employees notified of a data breach. Still, organizations’ poor handling of employee data can cast a shadow on their other operations, according to attorney Philip Gordon, chair of the privacy practice at Littler Mendelson in Denver.

And, even if a claim is dismissed, companies still must deal with associated costs and headaches, says attorney Christine Lyons, a partner in the privacy practice at Morrison & Foerster in Palo Alto, Calif. As part of risk control, she says, many companies are turning oversight of employee data over to the CPO, who, in turn, puts in place technological safeguards and keeps HR colleagues abreast of new laws and best practices that can minimize risk.

CPOs also are sensitizing HR to increasingly thorny privacy-related issues. It used to be that privacy officers routinely went head-to-head with HR managers about the handling of Social Security numbers (SSNs)––particularly when data were collected from applicants and later used as employee identifiers. Today, those debates are less frequent, in part because the risks of having such data on hand can outweigh the benefits. For employers, the cost of complying with breach notification laws—now in place in 45 states, Washington, D.C., and several territories––can be staggering. And since it’s illegal in some states to use the SSN for more than its original purpose, there’s no need to collect it.

The explosive popularity of social networking sites such as Facebook, however, is creating new tension between privacy officers and HR professionals. Some managers rely on the sites to screen potential hires, claiming that the sites provide valuable insights about whether an applicant is a good fit.

But the practice raises a red flag for privacy experts. Some states prohibit hiring decisions based on certain types of off-duty conduct; employers who jilt candidates because of information gleaned from social networking sites may be opening themselves up to privacy claims.

"There are risks of reviewing social networking sites during the hiring process, that’s for sure," says Gordon.

O’Connor understands recruiters’ desire to look at social networking sites but adds, "You have to weigh the risk of finding out something you don’t want to know."

Nevermind that an applicant might reveal through Facebook that he likes slasher movies, is a cross-dresser or has other hobbies a hiring manager might find objectionable. Just knowing, by accessing a social networking account, an applicant’s race, sex or religion might open up an organization to a claim of illegal discrimination.

The cultural clash between privacy experts and HR came to a head in June 2009 when members of the media learned that the City of Bozeman, Mont., required job applicants to hand in information about personal, professional and social networking web sites, including login information and passwords, as part of its background screening. When the policy became a lightning rod for criticism, red-faced city officials backed off.

"The extent of our request for a candidate’s password, user name or other Internet information appears to have exceeded that which is acceptable to our community," City Manager Chris A. Kukulski said in a statement. "Human Resources, our Police and Fire Departments were doing something they believed was consistent with our core values," he said, calling the requirement "an honest mistake."

A CPO, says Hughes, would have identified the mistake before it became a problem.

The author is senior writer for HR Magazine.

Web Extras

SHRM article: To Catch a Data Thief (HR Magazine)

SHRM article: Personal Privacy in the Workplace: An EU Perspective (SHRM Online Legal Issues)

SHRM article: Out of the Breach (HR Magazine)

SHRM article: Avoiding the Perils of Electronic Data (HR Magazine)

SHRM sample job description: Privacy officer

SHRM resource: State laws regarding access to personnel files

SHRM video: Attorney Declan Leonard of Albo and Oblon explains the importance of policies for employee use of e-mail and other communications technologies

SHRM video: Jason Morris, president and chief operation officer of employeescreenIQ, discusses safekeeping employee and applicant data.

Article: Wellness Programs and Lifestyle Discrimination—The Legal Limits (New England Journal of Medicine)

Article: Six Clicks of Separation: The Legal Ramifications of Employers Using Social Networking Sites to Research Applicants (Vanderbilt Journal of Entertainment and Technology Law)

Web site: International Association of Privacy Professionals

Web site: Privacy Rights Clearinghouse

Web page: Data breach notification laws (National Conference of State Legislatures)


Job Finder

Find an HR Job Near You
Post a Job


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect