Converging Paths: A Librarian’s Journey to Becoming a Privacy Professional

Information professionals help ensure information security, while privacy focuses on managing and securing personal information. This overlap provides a path to move from one field to the other.

I love to tell people I am a librarian.1 The title is endearing, instantly comforting and just plain badass. It implies that I possess an array of knowledge, inherent organizational skills, and a service-oriented attitude—all of which I strive to use and deliver on a daily basis. That said, my job description has taken a different direction from what I was trained to do in library school, although the skills I learned there have provided me with a foundation for becoming the privacy professional I am today.

My journey has not been a traditional one, but I’m proud of this because it means I can bring a diverse perspective to the profession. I fell in love with books as a child (and still love them today), so I focused much of my energy on the interpretation of stories. This led me to earn a bachelor’s degree in English and history, then a master of arts specializing in medieval literature. I love reading about others’ perspectives and trying to understand their paths.

I also enjoy researching and trying to uncover information to form new ideas and develop insights. Earning my master’s degree in library and information studies2 taught me that using metadata, establishing a well-defined taxonomy, and efficiently organizing and retaining information makes it possible to do these things effectively.

After receiving my MLIS, I began working in the field of knowledge management (KM), where I sourced, documented, categorized, and shared information about my consulting firm’s people and project experiences. I designed webpages, delivered training programs on information access and disclosure, and administered communications and awareness campaigns. I also tracked metrics and presented reports to senior management to demonstrate the KM program was delivering against our strategy and mandate.

During this process, I handled some data that required cleansing to remove sensitive attributes prior to distribution. I also designed information repositories that required well-defined access provisions. I became interested in keeping data secure and maintaining confidentiality while also focusing on how to make information as accessible as possible so my clients could achieve their objectives.

Information Security
Of course, information professionals have always played a major role in ensuring information security. The CIA triad (confidentiality-integrity-availability) that is fundamental in the information security profession3 parallels a basic information management (IM) tenet—getting the right information to the right person at the right time.4

I would argue that many in security tend to focus on the “right person” part of the paradigm. That said, security is a multifaceted role, and when it comes to business continuity, we know how important access becomes. Similar to IM professionals, those in security facilitate data accuracy through the application of controls and establish tools to provide timely and adequate retention and destruction of information. Given these parallels, it was relatively straightforward for me to enter the field of security.

Security is also about protecting information to prevent loss, misuse or unauthorized access. Strong security enables privacy by securing the systems, networks and even physical repositories where sensitive data resides. Security also binds a user’s identity to their behavior to enable monitoring for the appropriate use of data.5 The world of privacy, while similar to security to the extent that the CIA triad still applies, has some big differences that must be taken into account.

Privacy Basics
Let’s talk basics. First, privacy is all about appropriately managing a certain type of information, specifically information about an identifiable individual,6 also known as personal information (PI).7 Similar to the field of information management, a privacy professional is concerned with managing PI across the information life cycle, from collection, access, use and storage to sharing/disclosure, archiving and destruction. Specifically, privacy professionals focus on governing PI to make sure that it is—

  • collected appropriately from the source;
  • accurate or of the right quality;
  • accessible only to those who are authorized to use it;
  • used only in ways that it was intended;
  • safeguarded adequately; and
  • retained only as long as required or in compliance with legislative obligations.

Privacy, in many ways, is a combination of IM and information security, but with some twists.

Diving deeper, the biggest difference stems from the data and the idea of control and ownership over that data. Personal Information is not the same as other organizational data because it does not fundamentally belong to the organization; rather, the organization is a custodian of that information and can only collect, use and share it if it has the authority to do so. This authority is usually granted only after consent is received from the subject of the information, although not always (e.g., consent is waived for criminal investigative purposes). Privacy professionals will ensure that the appropriate notice is given and/or consent received from individuals prior to or during collection, and the use, disclosure and retention of PI is limited only to what is agreed upon.

Privacy Requirements for Organizations
Beyond this, organizations are bound by privacy regulatory requirements, which differ depending on the nature of the data (e.g., personal health information) and the jurisdiction in which the data/data subject resides (e.g., California vs. Florida or Canada vs. Europe). This means that organizations have varying obligations regarding how they handle and protect PI, such as the following:

  • the obligation to have a data protection officer (DPO);
  • the requirement to complete a Data Protection Impact Assessment (DPIA) for all new or changed uses of the data;
  • timing requirements for breach notification to a privacy commissioner; and
  • limits on what the organization can disclose to organizations in other jurisdictions.

The regulatory requirements vary depending on the privacy laws that affect the organization. This is why many of my privacy colleagues are lawyers—they assist organizations in interpreting the legislative privacy requirements. Speaking of lawyers, there is a longstanding myth that you need to be a lawyer to work in the privacy profession. This is not the case, but you do need to have a solid understanding of privacy legislation to work in the field. It’s been my experience that it is beneficial to always work closely with lawyers when defining contractual clauses and developing online privacy notices.

However, an effective privacy program takes more than legislative compliance. A mandate, terms of reference, and a strategy must be defined to guide the program. Policies and procedures, along with training and communications, must be established to enable leaders/employees to understand their privacy obligations. There are operational activities to perform, such as providing individuals with access to their PI, undertaking Privacy Engineering and Privacy Impact Assessments (PIAs) to ensure that PI is safeguarded (more on this later), and conducting privacy breach response planning.

Privacy risk management activities should also be conducted to ensure the program is operating effectively, using vehicles such as privacy program audits. It is also essential to monitor privacy metrics and conduct ongoing reporting. You need not be a lawyer to do this successfully; it takes some solid relationship building and collaboration with leaders from across the organization, strong communication skills, and the ability to solve problems.

The Complex Data and Digital Landscape
I do not want to understate the complexity involved. We live and work in a world where the use of data and digital platforms is changing rapidly. Privacy professionals are essential to making sure PI is used in the right way, for the right purpose, and with the right level of consent.

Here’s a quick snapshot of some of the complex challenges involved:

  • Data is moving to cloud environments that are managed by third-party cloud service providers.
  • Organizations are using black box technology (or artificial intelligence) for automated decision-making.
  • Data lakes are the new normal when it comes to employees accessing and manipulating massive datasets.
  • Organizations are sharing data with multiple third parties.
  • Organizations are selling and commercializing the data in their possession.

There is a lot on the go here, especially with a shifting regulatory environment, growing public fears of privacy breaches, and increasing demands for more transparency and accountability. The good news is that the regulations and public emphasis on privacy are helping privacy professionals do our job, but let’s be clear—it’s a full-time job.

Privacy professionals must keep current with what’s happening in this digital revolution. They need to know what the law requires. They must embed “privacy by design” into all processes and establish the right level of controls and safeguards.8 They must ensure this is done correctly. I compare the privacy professional to a medieval knight, continually honing a multifaceted skill set. We are one of the best lines of defense for an organization, upholding a fundamental set of societal values while serving and protecting those who have entrusted us with their data.

I will always be a librarian and strive to uphold all the values that title implies. At the same time, I want to continue in the role of a privacy professional and be instrumental in finding ways to protect the personal information and essential rights of individuals in our society. I encourage librarians and information professionals who share these goals to consider a career in the privacy field.

NOTES

  1. The terms librarian and information professional and the fields of librarianship and information management are used interchangeably here, although I am sure some may disagree with this.
  2. Recently, my alma mater changed the name of this degree to master of information, and the profession seems to be moving more in this direction.
  3. The exact origins of the term CIA triad appear to be unknown.
  4. This term spans many disciplines, although it seems to be foundational to the information management profession. For more information, see Howarth, L.C., 2018, “Stepping Out: Organizing Information in the 21st Century,” in Matarazzo, J.M., and T. Pearlstein (Eds.), The Emerald Handbook of Modern Information Management, Bingley, U.K.: Emerald Publishing Ltd.
  5. From Deloitte Canada, 2019, “Cracking the Code: Cyber Risk Services Fundamentals” (course materials).
  6. As defined in Personal Information Protection and Electronic Documents Act, SC 2000, c 5, (http://canlii.ca/t/541b8).
  7. Personal information (PI) is the term used in Canadian privacy legislation, personally identifiable information (PII) is the term used in American privacy legislation, and personal data is used in European privacy legislation (among other jurisdictions), although the terms are often used interchangeably.
  8. There’s not enough room for all the citations that privacy engineering and privacy by design deserve. I suggest doing personal research on these topics.

Editor’s Note – This article is republished with permission of the author as well as the Editor of SLA Information Outlook – the first publisher.

Posted in: Big Data, Computer Security, Cybercrime, Cybersecurity, KM, Law Librarians, Leadership, Libraries & Librarians, Privacy