Five Steps to Privacy Proficiency

"At a time of shrinking budgets, the last thing you want is to be seen as bad on privacy," says Roanne Shaddox, vice president of Jefferson Data Strategies, a Washington privacy consulting firm. "You could lose your program." She says agencies should follow five steps to establish strong privacy programs:

  1. Name a point person, preferably a full-time chief privacy officer with expertise in the field. This person needs a budget and clout with senior management.
  2. Create a map tracking how personal information moves throughout the organization. "The best way to do that is to talk to people," Shaddox says. Interview program managers, technology people and anyone else who works with data. Look for gaps in privacy protections and study relevant regulations.
  3. Review existing policies. Update or create rules to address gaps. Also make sure all programs match written policies. "Look at your statement to the public," Shaddox says. "Are you living up to that standard?" Automated tools, such as Web scans, can help determine whether sites are in compliance.
  4. Conduct training. "Give real, concrete guidance to those dealing with the data," Shaddox says. Trainees should include employees who process personal information, technology workers, program managers and contracting officers, who should build privacy requirements into requests for proposals.
  5. Maintain policies when dealing with day-to-day issues, such as determining whether requests for data-sharing comply with privacy policies. Establish an oversight board and use third-party audits.
