UPDATE: I was recently referred to this thoughtful blog post on a similar topic, “Nurturing an Accountable Privacy Profession.” Well worth a read.
A few weeks ago, I was very relieved to find out I had passed the IAPP exam to be a “Certified Information Privacy Professional” or CIPP. I got this certificate and even a pin, which is more than I ever got for passing the bar exams of New York and California.
So what exactly did I need to know to become a CIPP?
To be certified in corporate privacy law, you’re expected to know what’s covered in the CIPP Body of Knowledge, primarily major U.S. privacy laws and regulations and “the legal requirements for the responsible transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions.”
You’re also expected to pass the Certification Foundation, required for all three certifications offered by IAPP. That covers basic privacy law, both in the U.S. and abroad, information security principles and practices, and “online privacy,” which includes an overview of the technologies used by online companies to collect information and the particular issues to be considered in this context.
So what do you think? Should you be able to pass an all-objective, 180-question, three-hour exam (counting the CIPP and Certification Foundation exams together) on the above topics and then call yourself a “privacy professional”?
There are no sample questions available online, and I was too cheap to take a prep course, but if I remember correctly, a typical question on the exam went something like this:
The Gramm-Leach-Bliley Act authorizes financial institutions to share consumer information with third parties if:
a. The information is not personally identifiable.
b. The consumer is informed and given the opportunity to opt-out.
c. Any information without notice if it is shared with affiliated companies.
d. All of the above.
The answer would be “C,” since the consumer is only required to be given notice if the third party is “non-affiliated.” My sample is poorly constructed, and there are also questions that require you to analyze a fact pattern, but essentially, the exam covers existing laws, practices, and technologies.
It doesn’t ever ask you, “What would you do if you were advising RealAge and they told you they wanted to sell answers from a health questionnaire to pharmaceutical companies?” Or, “Is Facebook doing enough to prevent third parties from misusing images of Facebook members in their ads?”
IAPP presumably doesn’t ask you these questions because there’s no “objectively” right answer. There may, one day, be an objectively legal answer, depending on whether and when legislation gets passed. Still, it’s obvious that in the field of privacy, the most interesting questions are not which laws do exist, but which laws should exist, which practices should be used, and which innovations, both technological and social, should be promoted to protect privacy in meaningful ways. But the exam only covers what is, not what could be or what should be.
Privacy may be an ancient concept, but it’s a very modern, very new, very undefined profession, which is perhaps all the more reason for the IAPP to exist. We as a society, particularly in the U.S., are struggling to figure out what privacy means and what we need to do to protect it. While the medical profession has the Hippocratic Oath dating back to the 4th century B.C., and the legal profession’s adherence to the concept of attorney-client privilege goes back at least as far as the 16th century, the privacy profession has no clear guiding principle. We don’t know yet what it should be.
I’m not really criticizing the IAPP for having a test that doesn’t quite encompass the dynamic, constantly changing field of privacy. It’s not as if other professions do better. The bar exam certainly doesn’t screen out incompetent, unethical people from practicing law, even though you are actually required to pass an ethics exam. And the IAPP does provide resources to its members for tracking changes in privacy law and policy. But I’m curious to see where the IAPP goes as it tries to “professionalize” the profession, whether the certification exam will change, and what expectations will be set for IAPP-certified privacy professionals. Perhaps in another 100 years, or hopefully sooner, we’ll have a code of conduct for privacy professionals.