Since Harriet Pearson was appointed IBMs first chief privacy officer two years ago, she has dedicated herself to creating privacy policies and initiatives that strengthen Big Blues efforts to protect personal data for its employees and customers. She has also focused on developing products that pay attention to privacy–in particular, from IBMs Tivoli group.
IBMs commitment to privacy was evident in its choice of focus for this years Almaden Institute: Privacy for Data Systems. Almaden Institute is an annual event designed to encourage research and development in a particular area. This years event, held at the IBM Almaden Research Center, in Silicon Valley, drew technologists, researchers and IT executives from organizations ranging from Warner Brothers Co. to the University of California, Berkeley.
eWEEK Labs Senior Writer Anne Chen and Senior Analyst Cameron Sturdevant spoke with Pearson–who is also IBMs Human Resources Vice President for Workforce Effectiveness–at Almaden Institute earlier this month regarding her goals as chief privacy officer and the privacy challenges facing IBM and its customers.
eWEEK: What do you hope to achieve as chief privacy officer at IBM?
Pearson: My role as chief privacy officer is to be ultimately responsible for having the right leadership policies in place for how we manage data, both on our own behalf for employees and for customers.
Second, its also to make sure we have, coordinated across the company, a unified strategy with respect to technology and how we, whether its through research or products, make sure we have a common viewpoint and … a leadership viewpoint in privacy technologies.
And third, my goal is to lead our work in public policy and in industry groups to ensure that we are participating responsibly and appropriately in developing industry standards and public policy contributions.
Top Privacy Projects
eWEEK: What are some of the top privacy projects youre working on?
Pearson: One of our hot projects is taking our global set of standards and policies, with respect to how we handle information, and making our management system around them more efficient.
A lot of it is looking at our processes and making sure we are measuring how effective we are. We have been working on a scorecard … that measures how well were doing in complying with our policies–how many complaints we might have, how many incidents we might have. [Its] a very simple and effective mechanism that makes a lot of sense.
In addition, were piloting Tivoli Privacy Manager and other Tivoli products in certain areas of the company to see if we can get the benefits of automation and more efficient use of data.
eWEEK: Employee identity management is of great concern for many of our readers. How have you handled this issue?
Pearson: Your readers should be interested in—and, obviously, we are too–a good way to address access control or access management.
Here in the United States, [IBM has] had to tackle the fact that we recently outsourced to Fidelity all of our back-office HR processes. So our payments, health enrollment, pension, 401k, etc. have all been outsourced to a group of IBMers we moved into another company. In doing that, we had individuals we knew and who had access to pretty much all data who were no longer IBMers. We had to confront how to build a firewall, in a figurative sense, for people who were no longer employees– to limit their ability to see data and control their ability to use it, more so than if they were inside our company.
This issue is becoming more and more common because companies are trying to outsource the back office. We have a history of being very protective of our employee information, and we dont want to let that down now that weve outsourced.
Patents and Privacy
eWEEK: IBM has the largest body of intellectual property of any company in the world. What is the balance between the protection of patents and privacy research at IBM?
Pearson: The World Wide Web Consortiums P3P [Platform for Privacy Preferences]is open and IBMs EPAL [Enterprise Privacy Authorization Language]is published and open. We dont have anything that says, gee, we find it so valuable that we want to keep it a secret, with the exception of Tivolis architecture. Now thats something we keep under protective thought. But from an executive level, if theres something out there thats clearly going to be fundamental to privacy, then well go through a serious analysis to see how we could possibly get it out to the public.
The Privacy Institute we set up a couple years ago has been more successful than I ever thought. We are trying to create a thought leadership that can … create a market for this issue.
eWEEK: What kind of role would you like to see IBM play in the realm of privacy and public policy?
Pearson: Weve been on record for quite a while, predating Sept. 11, on why we think privacy is an imperative and how we need to achieve a world where individuals need to exercise control over data about them–understanding, of course, that theres a balance between governmental and other societal interests.
Legislation is appropriate, absolutely, to protect privacy. Were also very strong in believing that legislation is a good mechanism to use when were trying to prevent information from being used improperly to harm somebody or used to make really big decisions about somebody
Most other areas, though, include a market mechanism approach, with industry leadership setting standards as an appropriate way to deal with privacy. Non-sensitive information is one area where youd hope marketers could set standards and use information appropriately.
Our policy is that government has a role, but that the private sector and industry should also have very significant roles. It is absolutely legitimate to have questions raised, and requirements put into processes that government is initiating, that say, Have you addressed privacy?
Privacy Concerns
eWEEK: What types of privacy concerns do IBM customers have, and how are they asking IBM to address those concerns technology-wise?
Pearson: Weve seen an incredible increase in HIPAA [Health Insurance Portability and Accountability Act]engagements. Privacy assessments, security assessments are also important. People are looking for technology-enabled solutions to manage data, and I think thats where the Tivoli folks have hit a sweet spot in what theyve designed.
eWEEK: Do enterprises see privacy and security as the same thing? Is that a mistake?
Pearson: The larger companies, enterprises as a whole, are pretty sophisticated, and they understand the difference and understand how the two come together. So I dont think theres a lot of confusion about it.
Ultimately, the consumer, the individual, normally doesnt distinguish between the two. So you have to be careful how you translate these efforts in serving your ultimate customers.
eWEEK: What advice do you have for organizations tackling privacy issue?
Pearson: Having a scorecard or getting metrics so you can build a business case and talk to senior management about what it is youre doing and why its working or not working is a good practice.
Were seeking to broaden the dialog among the thought leadership community and the technical world on privacy so that we start speaking the same language and start to intensify the work being done in areas of technology enabling privacy.
Privacy is a huge thing and has always been with us. But were trying to signal that the complexity has gotten to the point where wed better start cooperating and working together on it.