Friday 25 April 2014

Privacy seals: What does the market really want?

Almost exactly a year ago, the ICO’s Information Rights Committee considered “a proposal to implement a framework for ICO accreditation of a third party to operate a privacy seal or trust mark scheme.” It was agreed that the proposal should be taken forward in principle. Subsequently, various discussions have taken place with various data protection bods, but I’m not entirely sure how much concrete progress has been made.

I was among those consulted on earlier attempts to implement a similar initiative. The last one was a couple of years back, and was sponsored by the consumer rights organisation, Which? I also remember being consulted on similar initiatives before that – all of which suffered a similar fate.

I was dubious about the proposal then, and remain ambivalent about it now. I just can’t see the business case for persuading responsible data controllers that they should pay to have their internal processes examined by a third party in order that they might be awarded a privacy seal that so few of their customers might actually take any notice of or care about anyway.

Webmasters and marketing teams are usually very determined to control all the images that appear on their landing pages, and surely hardly any of them would welcome a proposal that their precious pixels should be devoted to displaying a logo about non-statutory, non-corporate stuff.

The Which? proposal fell at an early hurdle because Which? and its chosen audit partner couldn’t develop a business plan that made much financial sense. How many data controllers were sufficiently confident about their internal processes that they were happy for a third party to inspect them? How much was this audit exercise going to cost, and how frequently might it need to be repeated for the privacy seal to be of any value? And, most crucially, how high was the privacy bar to be set? No one knew.

The main point about privacy seals is, presumably, that some people will not be able to attain them. So, anyone who is at all worried that they might not pass probably won’t apply for an audit in the first place. Organisations don’t like to set themselves up to fail. And, as one size does not fit all, it’s extraordinarily hard to develop an audit methodology that gives equivalent assurance about large and not-so-large organisations. I can’t ask precisely the same audit questions of different-sized organisations, particularly when their business models relate to very different privacy risks.

The next point about privacy seals is that, presumably, independent auditors will need to be assured that there is sufficient demand for that service before they seek to become an accredited audit partner. And if the proposed standards deter potential applicants, auditors will face natural demands to lower the standards, to increase the pool of certificate holders (and hence increase the pool of organisations that will need to be re-audited in a few years’ time).

I see this pattern in the current race to “accredit” data protection officers. An increasing range of organisations are vying to offer data protection training and accreditation services to privacy (and other) professionals, and the result is that said professionals can now choose how much (or how little) effort they commit to getting their privacy qualification.

Certifications of competence can be obtained by learning by rote, writing short essays, filling in multiple choice questionnaires or by completing longer pieces of written research. On-line, in your own time, or in a classroom. Just take your choice.

The costs vary from a few hundred to several thousand pounds – particularly when a certification provider requires that certificate holders commit to purchasing continuing professional development courses every year from a restricted range of suppliers.

But which privacy qualifications are actually worth having, from the perspective of the privacy practitioner, and which qualifications simply meet the commercial needs of the relevant training provider?

It would be indelicate to venture too far into this debate today, but it is a debate that needs to be had. Particularly when people are spending their own time and money seeking a decent qualification, it would be helpful for an independent assessment to be available about the relative merits of the offerings of the current range of training providers. 

So, my plea to the ICO's Information Rights Committee is that it should devote less time developing a framework of privacy seals that enables third parties to accredit the practices of data controllers, and more time developing an assurance framework about privacy training providers.

To the extent that there is a demand for seals or trust marks, I sense that the demand is currently far stronger from the privacy professionals themselves, who seek credible privacy qualifications from competent accredited training providers, than it is from organisations whose customers really couldn't care less if an independent privacy audit had been carried out.
