Mid-Atlantic Privacy: Constructive Oversight

Note: This post is part of a series on the Mid-Atlantic Privacy Compass. Over the following weeks, Commissioner White will explore each of its Compass Points in greater detail.

Abstract:

  • Oversight means more than the actions of regulators. It can happen through courts, economic markets, self-regulatory schemes, and citizen action.

  • Organisations should engage with regulators, civil society, and other stakeholders as trusted advisors. No party should hold a confrontational, cat-and-mouse mind-set, but should seek proactive and constructive engagement.

  • Rights and privileges can only be protected if all groups work in collaboration. With the goal of providing individuals with understanding and assurance, businesses must embrace the value of oversight groups, and vice versa.

Oversight is critical to the healthy functioning of a community's sense of social responsibility. Power and privilege must always be held to account for their actions and the consequences.


Traditionally, oversight is seen to come from regulatory offices, like this one. In fact, it may come from many sources: as courts and the judicial system investigate legal duties, as each of those mythical "rational" persons exerts pressure based on their purchasing power and decisions, as the business community polices itself through self-regulatory commitments and legally binding agreements, and through collective citizen action. In many ways, data protection authorities such as the Office of the Privacy Commissioner for Bermuda are merely a subset of that last category, the holders of power delegated from the citizens - via our government - in order to protect their rights.


Unfortunately, the relationships between oversight groups and the organisations they supervise often sour into forms of confrontation, with one side seeing its role as playing a game of "Gotcha" and the other seeing its own role as grabbing everything it can until it gets caught. These mind-sets distort behaviour on both sides and reduce the effectiveness of regulatory efforts.


Oversight bodies, particularly regulators, should keep in mind that their role is to protect and mediate, and to create incentives that focus on the true issue of preventing harm, not punishing noncompliance. They should seek proactive and constructive engagement to help organisations learn the merits of protecting privacy rights. The goal should be to show businesses how maturing their privacy processes can lead to operations that are both more trustworthy and more efficient.


Rights may only be successfully protected through good faith efforts by all parties to create a healthy ecosystem that can withstand the occasional bad actor. Businesses need the trust of their customers, or else no one would provide their personal data, and they also need to ask individuals to behave in certain ways to express privacy preferences or to protect data from breach. Oversight bodies can form the bridge of trust between those two groups, lending authority to each side to help the community as a whole develop good data hygiene. By inviting oversight's involvement, organisations can ensure that their responsibilities, and the limits of those responsibilities, are understood in the community.


But the ask - for organisations to go out of their comfort zone to invite in oversight - cannot be only one-way. Oversight bodies, being government or nonprofit entities, can often be conservative in their own risk-taking, but we must also be brave. Just as the data processing organisations must earn the trust of individuals, oversight must earn trust to maintain its place in the process. We should reach out to and reward organisations that make good faith efforts.


The exact form of these outstretched hands may vary with the body's form or powers, but as my office picks up steam in its regulatory efforts, we will engage in practices such as statements of grace or regulatory comfort for those who engage in our Pink Sandbox or seek advice. We will create or identify bespoke guidance on how to implement practices under the Personal Information Protection Act, as well as persuasive guidance that may be found in other jurisdictions. We will explore ideas seen in other places, such as trust marks, seals, awards, and other recognition. Oversight should not be solely about punishing the negative, but about spotlighting the positive.


As we know in the privacy world, philosophers and psychologists have long argued that the act of being observed changes behaviour. For those organisations with responsibilities to the community, oversight of their behaviour is a necessary counterpart of that responsibility. The work of oversight is to ensure that organisations meet their responsibilities - but also are credited for their hard work.

Alexander McD White

Privacy Commissioner


To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.

For information about how we use personal information, see our Privacy Notice.