Interpreting laws and policies is a central part of what chief privacy officers
do. It's not surprising, therefore, that many are lawyers. Michael Spadea
is one example. Spadea became interested in privacy law while in law school.
He practiced law for a number of years, doing a little privacy law but mostly
other types of law.

Spadea networked as much as he could with privacy professionals. His networking
led to a position as the head of privacy for a large financial firm. He's
now a privacy manager in the commercial (as opposed to the consumer) division
at Microsoft. He protects the privacy of the businesses that use Microsoft's
products and services.

Let's say a business that uses Microsoft software has a problem with how
its servers are configured. This can cause that business's servers to crash.
"They'll call up support, and that's my division, and in order to solve
the problem they often have to provide us with a lot of information," says
Spadea. "We may just basically dial directly into the server and be able to
manipulate settings on their server. If we don't think there's a configuration
problem, we may want to look at their data, so they may send us their database,
and we will set up what we call a virtual environment -- basically an environment
here on our own servers that mirror theirs and try to solve the problem, so
there's a big transfer or accessing of data."

Companies are very nervous about sharing data. If their data were to leak
out, they could go out of business. Millions (or billions) of dollars could
be lost and thousands of people could lose their jobs.

"One of the things I'm responsible for is making sure there are rules
in place -- that there's a policy that governs how secure that server can
be, who's allowed to access that server, [and] that any applications and tools
that we use to diagnose programs... go through an evaluation process so that
there's no data leakage," says Spadea. "It's making sure that the rules are
actually there."

Since the stakes are high when you're a privacy officer, you're under
a lot of pressure. Spadea says there are two main things that help a privacy
officer deal with that pressure. The first is having a solid knowledge of
the law and regulations. You have to know what the laws say and how courts
are interpreting them. The second is simply spending time dealing with privacy
issues.

"Some of it's just experience," says Spadea. "I mean, being a privacy officer
is not an entry-level position. You need to be able to argue about budget.
You need to be able to sit in front of your chief operating officer for a
billion-dollar-revenue company and say, 'We need to shut down X, Y, and Z
systems and lose...revenue because there's a breach and these are the consequences
if you don't do that.'

"And that's an unpleasant conversation to have," Spadea adds. "And...
it just takes sound judgment to be able to do that. And that really comes
from experience, and quite honestly from making some mistakes and learning
from them."

Merri Beth Lavagnino came into the privacy field from a technology background.
She also has a background as a librarian, so her training is in information
science. She's the chief privacy officer and compliance coordinator for Indiana
University.

"I like helping the business unit (at the university) do what they need
to do while still protecting people like me and you -- keeping our data being
used ethically and in a manner that won't put our privacy at risk, balancing
that," says Lavagnino. "And almost every time we can figure out a way for
the business to do what they need to do while not being too invasive with
privacy."

Lavagnino says the work of a privacy officer has two main aspects.

"If you have a lawyer background, you're likely to do more of the user
agreement, the language on the privacy notice, the language that makes it
clear to a user what you're doing and what their choices are," says Lavagnino.
"And if you came from a technical side, you would be more in the data protection
-- trying to take technical steps on your network and with your computing
environment to prevent the loss of personally identifiable information, to
prevent that being leaked, to prevent computer intrusions that can steal your
data, etc."

Some chief privacy officers also have other roles in their organization.
This is the case for Bruce Roney. He's the CEO and chief privacy officer with
a branch of the Humane Society.

"There's a surprising number of privacy questions at a humane society,"
says Roney. "Probably the single most frequent one is a third party requesting
information about an animal.

"[For example], you hear that your neighbor surrendered their dog to us
and you've always loved that dog, or you're really mad at your neighbor for
doing it and say they shouldn't have done that," says Roney. "If you call
up and say, 'My neighbor, I think, sent his dog there. I want to take it.'
Well, we can't do that.

"Or maybe it's a family situation... where a mother of a university-age
person will call and say, 'My son, I think he adopted a cat and he doesn't
have the money for that, and he shouldn't be doing this, and tell me if he
did this or not.' But we can't share this information. People are shocked
about that kind of thing. They don't necessarily think of privacy as applying
to us."

The Humane Society is also responsible for investigating allegations of
animal cruelty. Usually, an investigation is triggered when a member of the
public reports that someone might be mistreating an animal.

"The person who has the complaint made about them almost always wants to
know who made the complaint," says Roney. "And that's a privacy issue. The
complainant has a right to confidentiality. Now of course if it's taken to
court that [confidentiality] is blown, but certainly as for our releasing
that information, we can't do it."

When a privacy question comes up, Roney looks to the privacy policy that
he developed for the Humane Society. That policy was based on federal privacy
legislation. He interprets that policy and applies it to the
specific facts before him.

"It's a logical extrapolation, because you can't write down every scenario,"
says Roney. "I realized early on that it's all well and good to say, 'Here
are some scenarios.' But there are going to be hundreds, literally, so you
have to be able to read between the lines and take the spirit [of the policy]."