The recent news about the extent to which the U.S. government is monitoring the communications, online interactions and activities of American citizens brings into question our ethical responsibilities as privacy professionals.
All of the companies caught up in the news that complied with secret court orders to hand over bulk user data have privacy officers and dedicated teams of privacy professionals. Yet the extent to which any of these privacy teams were involved or were aware of these orders is unclear. This simple irony provokes reflection on the role of privacy professionals and our associated ethical and social responsibilities.
The role of the privacy professional has evolved over the past decade in response to the many ways personal information and data shape all dimensions of public, business and social interactions. We’re specialized advocates for our organization’s data subjects—users, consumers, employees, citizens. We work across business and IT functions to establish best practices and policies and to ensure compliance with hundreds of standards and laws governing how our organizations collect, use and safeguard personal data. In some sectors, we’re also integral to business and product strategy.
Today, privacy professionals aren’t licensed to practice and there’s no standard ethical code of conduct to which we must adhere. However, privacy professionals are often members of other professions that are bound by standards of practice that include confidentiality and data protection. For instance, those who are lawyers must respect client confidentiality. Others who are healthcare professionals are bound by standards of patient confidentiality, and there are numerous codes of conduct for technologists that set forth norms for privacy and security.
We’re obliged to honor commitments to data subjects about the specific information-handling practices and protections we set forth in notices, policies and other statements. It’s also our responsibility to write these notices, policies and statements plainly and in a way that’s not misleading. To the extent we work in jurisdictions with constitutional protections for privacy, we have ethical responsibilities to respect those. We're certainly bound to comply with the laws, regulations, contractual obligations and legal requirements pertaining to our organizations—to the extent that they are consistent with generally accepted standards of justice and human rights.
It’s tempting to say that the U.S. government is targeting individuals whose activities are unlawful or suspicious, and therefore our responsibilities related to the privacy of their data fall outside ethical or legal norms. But this is a slippery slope and difficult to justify in the context of bulk orders for a company’s data.
As privacy professionals, do we have ethical obligations to the people whose data is our professional responsibility, or only to our employers? How do we handle conflicts of loyalty that arise? Does public safety trump privacy in every case and in any circumstances? Do we have obligations to report—even secretly, under legal requirements—our objections?
As one prominent leader in our community told me, "We should be committed to the welfare of our data subjects through a sworn oath that commits us to our principles in some binding manner. For many, though, it's the paycheck that binds." As I see it, if we’re to continue to be trusted as a profession that’s dedicated to transparency, accountability and data protection, we need to earn the public’s trust by having the courage to confront the real situations and limitations we face.
For that reason, I’m appealing to all of our colleagues to weigh in on this discussion. For my next post, I will incorporate the ideas generated here and develop a draft code of ethics for further debate.
It’s vital that our profession be at the forefront of the public debate about balancing rights to privacy with needs for safety and security. Reporter-source confidentiality and attorney-client privilege strengthen the institutions within which those professions operate, and we have to use this moment to develop similar frameworks for our profession and the people whose data we protect.