Case Studies to Advance the Implementation of Accessible Technology in the Workplace

Final
Submitted on August 24, 2011
Authored by the Assistive Technology Industry Association Accessible Technology in the Workplace Initiative

The opinions contained in this publication are those of the contractor and do not necessarily reflect those of the U.S. Department of Labor. In addition, the document is not intended to promote the International Association of Privacy Professionals or any other organization discussed therein.

Accessible Technology in the Workplace Initiative – Case Studies to Advance the Implementation of Accessible Technology in the Workforce

Table of Contents

Introduction
  International Association of Privacy Professionals (IAPP) Background
Case Study – Creating a Professional Society
  International Association of Privacy Professionals History
  International Association of Privacy Professionals Programs
    IAPP Programs and Activities
  Conclusions
Case Study – Creating a Certification Program
  International Association of Privacy Professionals Certification History
  Elements of the IAPP Certification Program
    Certification Requirements
    Five Certification Programs
    Testing
    Certification Training
    Continuing Education Requirements
  IAPP Certification Business Model
  Future Enhancements to the IAPP Certification Program
    Key to Success
  Conclusions
Case Study – Creating a Central Repository of Information to Support the Accessibility Professional
  International Association of Privacy Professionals Knowledge Base History
  International Association of Privacy Professionals Web Based and Publication Programs
    Publications
    Knowledge Center
    Privacy Links and Blogs
  IAPP Business Model
  Conclusions
Final Conclusions and Recommendations

Introduction

A number of obstacles have emerged as corporations, government agencies, and educational institutions worldwide work to understand and respond to the needs of their employees and customers with disabilities. In light of the proliferation of technology throughout the global workplace, two such obstacles have been a) how to gain a real-world understanding of what it means for technology to be accessible to and usable by individuals with disabilities, and b) how to implement systems that address these needs, i.e., how to procure and acquire accessible technology, and integrate those systems throughout an organization’s infrastructure. IT developers are a linchpin in overcoming these obstacles, but they can only succeed in finding accessibility solutions if they have the necessary knowledge and tools to do so. The question then becomes how to provide IT developers with a uniform and consistent body of knowledge that has them speaking the same language and sharing the same standards of what successful accessibility integration means.

Fortunately, the accessibility industry is not the first IT-industry spinoff that has had to grapple with these questions. The following three case studies explore how similar obstacles were addressed in the IT privacy industry by the International Association of Privacy Professionals (IAPP).
The IAPP was chosen as the reference model due to its success in creating and growing the privacy profession from a concept to a valued resource for companies around the world. Like accessibility, the privacy domain involves technical, business and public policy considerations. The IAPP built a professional society, a certification program, a community of professionals and related resources. The following case studies will examine IAPP’s efforts over the past ten years to help understand the potential for similar efforts within the accessibility industry. The information outlined in the following report was developed from material collected through several extensive interviews with IAPP leadership and culled from the documentation available about their programs.

International Association of Privacy Professionals (IAPP) Background

Understanding the background and history of the formation of the IAPP provides insight to the programs that evolved. As a professional association that manages a certification for the privacy profession, the IAPP provides a global community for privacy professionals eager to network, share experiences and learn. The IAPP helps define, support, and improve the privacy profession through numerous networking opportunities, education, informational resources, and certification.

Founded in 2000, the IAPP is a global association of privacy professionals with almost 9,000 members in 70 countries. In addition to its significant presence in the United States and broad coverage worldwide, it has created three regional entities in Canada, Europe and Australia/New Zealand, with executive level management to provide services, education, networking opportunities, and conferences tailored to the unique challenges and needs of those regions.

The IAPP was chosen as a candidate for investigation because of the similarities that exist between the needs in the accessibility and privacy fields.
While there are other valuable publications or conferences which provide information to the privacy professional, the IAPP provides a comprehensive and coordinated collection of resources, knowledge, and experts who have a common goal - a commitment to the profession of privacy and to delivering solutions that allow the professional to effectively guide their organizations through the quickly changing privacy industry.

The IAPP was formed in 2000 at a time when it was recognized that privacy was of growing importance but not yet an established priority in many organizations. Leadership was needed to address the requirements driven by the regulations being adopted and to help companies or agencies interpret and implement the often conflicting or competing legislative requirements and customer needs. By establishing the role of “privacy professional” to serve both public and private sector organizations, the industry was able to create a leadership role dedicated to privacy knowledge. And the IAPP provided the guidance and support infrastructure to that professional.

The reasons for formation of an association for the privacy industry are very similar to the current need within the accessibility industry. Therefore, the IAPP will be used for comparison purposes in all three of the following case studies.

Case Study – Creating a Professional Society

The International Association of Privacy Professionals (IAPP) is a 501(c)(6) professional association. It has almost 9,000 members from 70 countries and a staff of 46. The IAPP has approximately $8.0M in annual revenue, and members of the association come from public and private sectors ranging from small to large organizations.
With the growth of the privacy industry, both in the United States and internationally, and a need for direction and information by an expanded population of professionals who require some level of privacy expertise, the IAPP anticipates it will be reaching 100,000 individuals in five years through one or more of its offerings.

International Association of Privacy Professionals History

The privacy profession began slowly. A privacy professional was first defined in Germany in the early 1970s, but the concept took root and expanded quickly over the past 10 to 15 years as laws in the U.S. and Europe drove the need for the profession. Laws such as the Gramm–Leach–Bliley Act (GLB), also known as the Financial Services Modernization Act of 1999, Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the European Data Protection Directive, combined with the growing demand for privacy policies for websites, pushed large corporations to hire privacy professionals.

Since that time, additional legislation has been enacted. However, today, the environment is still one of instability and turbulence with much that is unclear and not covered by law or regulation. Many standards have emerged – some more successful than others – and the industry continues to struggle with inconsistency amongst international standards.

Much of the privacy dialogue in the early days was focused within each specific industry such as healthcare (due to HIPAA), financial services, and other industries. It was recognized early by leaders in the industry that, although they were coming from different industries, they were all struggling with the same questions regarding how to deliver privacy compliance.

The Information Security industry is a closely related industry which had been in place for 15 to 20 years prior to the explosion of the privacy industry. The discussion around information security tends to be more technology-focused and integrated with IT.
The privacy discussion relates to how data is managed and how an organization must comply with the law – this leads to a more business oriented discussion. Facts show that 40-45% of privacy professionals are lawyers, which reflects the importance of the compliance side of the discussion.

According to Trevor Hughes, President and CEO of IAPP, “If an industry is in chaos, there is a greater need for professionals who understand the problems. It is that instability, that turbulence, that lack of predictability that creates the need for professionals – people who can understand and do risk management across the broad spectrum of issues.”

The need for the development of a community focused on privacy started with a group of individuals dealing with privacy issues in their jobs. They recognized a need to bring others like themselves together, and this collaboration resulted in a conference being developed and a professional association formed to run the conference in 2000. The conference was held and considered a success with approximately 200 attendees.

With this grass roots initiative, the original approach was to utilize a 12 member volunteer Board to run the organization. However, it was quickly recognized that this approach was not effective given the size of the effort needed to run the conference and the association. It also was not effective in providing the resources needed to evolve the association and have an impact on the industry.

In 2002, an Executive Director was hired. Over a relatively short period of time, additional staff has been hired up to the IAPP’s current employee population of 46 which has allowed the organization to add significant services to its membership including the development of IAPP’s five certification programs. In 2003-2004, a strategic decision was made to implement a certification to recognize the critical importance of privacy.
A Certification Director was hired to manage the process of identifying the requirements and building the exam.

Step by step, the IAPP formalized its approach and broadened its range of services as outlined below. It has taken a very entrepreneurial approach to the services delivered and improved on those services over time while adding many new ones. This effort continues today with new projects to develop computer based testing, increased online education, and alternative formats for certification training, among others.

International Association of Privacy Professionals Programs

Today, the strategy of the International Association of Privacy Professionals is a mix of activities that it believes provides a high level of value to its members and potential members. IAPP delivers solutions to obstacles identified in the early days of the privacy industry. Its education and conferences offer opportunities to network. Membership in the association provides a sense of belonging to the larger community. The certification gives consistency and credibility to people identifying themselves as “privacy professionals.” Its publications deliver the reliable, needed information in a timely fashion to keep the privacy expert up-to-date and capable of demonstrating leadership to their management.

The interconnection between the IAPP offerings is well-choreographed. Privacy professionals must be members to gain and maintain their privacy certification. Certification and continuing education can be achieved by attending their conferences and the related training and testing. Website information and publications available to non-members help professionals develop knowledge and skills regarding privacy. In many cases this results in career advancement, which then leads to the need for the privacy credential.

When it comes to legislation, the IAPP is a non-advocacy organization. Its role is only to advocate on behalf of the privacy profession as appropriate.
Its philosophy is to represent all of its members and to not take positions that may split the membership or portions of it. Other organizations exist that it feels can and do play the role of legislative advocates.

The IAPP is also not a technical standards organization. Although it does not develop standards, it does provide the forum through its conferences and other networking activities to allow the debate about standards to occur. The IAPP believes that it is critical for the organization to remain impartial.

The IAPP is, however, the standards organization when it comes to the creation and maintenance of the certification standards. Its certification reflects the current state of the industry without bias towards any one standard or policy. Where multiple standards exist, the certification program will train and test for them all.

It has developed an excellent relationship with policy makers, regulators, and industry advocates who are instrumental in keeping the IAPP’s conferences, publications, and other deliverables accurate and meaningful.

Today, the organization is engaged with as many as 18,000 professionals – 9,000 as members and 3,600 as certified professionals. It has been experiencing 25-40% growth year after year. Its target in five years is to significantly grow the organization to potentially 100,000 engaged individuals. That expansion will be fueled by growth within its existing base but also through outreach to associated populations having needs within the privacy space such as Information Security professionals, HR Managers, and Operations Managers.

IAPP Programs and Activities

The IAPP provides the only privacy industry certification recognized by public and private sector organizations. It also delivers a number of supporting but critical events and resources. Note: Certification and the knowledge repository provided by the IAPP will be discussed further in separate case studies.
Events – The IAPP conducts several conferences or events for its industry each year. Its events are a vehicle for privacy professionals to come together to network and discuss the most urgent issues of the day. While there are other valuable privacy conferences conducted by other organizations, the IAPP events stay focused on discussing current and sometimes controversial topics to bring needed energy and discussion in the industry. It also schedules its certification training and testing around the conferences to offer privacy professionals a convenient opportunity to gain their education, networking, and certification all at one time.

KnowledgeNet – These are local meetings conducted exclusively for IAPP members to maintain an ongoing vehicle for networking throughout the year. The IAPP conducts at least two meetings per year for each location and supports 48 locations currently. In addition to informal opportunities to share experiences and network with peers, these meetings may include a presentation by an expert on a timely privacy topic and/or interactive discussions.

Certification – The IAPP offers five credentials: CIPP, CIPP/G, CIPP/C (Canada), CIPP/E (Europe), and CIPP/IT. The CIPP credential offers the industry-standard certification in compliance with U.S. private sector privacy laws and regulations as well as European requirements for transfers of personal data. CIPP/C is targeted to the specific needs of Canadian privacy professionals as well as any practitioner who manages information that is subject to Canadian jurisdiction. The CIPP/E encompasses pan-European and national data protection laws, the European model for privacy enforcement, key privacy terminology, and practical concepts concerning the protection of personal data and trans-border data flows. The CIPP/G is designed exclusively for employees of U.S. federal and state government agencies as well as vendors and consultants who serve U.S. government clients.
The CIPP/IT assesses understanding of privacy and data protection practices in the development, engineering, deployment, and auditing of IT products and services. All certifications require that the individual first pass the Certification Foundation exam which covers elementary concepts of privacy and data protection from a global perspective. More information on certifications will be provided through the case study discussion on Creating a Certification Program.

Publications – The IAPP publications have a subscriber base of 18,000 consisting of both members and non-members. The primary publication is an e-newsletter called The Daily Dashboard which delivers the top ten privacy stories every day.

IAPP Membership – The IAPP offers both individual and corporate memberships and all IAPP members receive an extensive array of benefits. The IAPP offers six levels of individual memberships which include a Professional level open to privacy professionals and a Business level open to lawyers, consultants, and vendors which provides the additional opportunity to be highlighted in the consultant and lawyer section of the IAPP Membership Directory. Discounted membership rates are available for not-for-profits, students, higher education, and government employees. The IAPP also offers several levels of corporate memberships. Corporate membership levels vary depending upon the number of members within the corporation to be given membership status and the desired benefit package which can include complimentary passes to conferences, priority sponsorship/exhibition, and visibility through the IAPP’s website and publications.

Awards – Each year the IAPP recognizes the top organizations and professionals in privacy and data protection through three annual awards. These awards honor members of the international privacy community who have made significant and notable contributions to their field.
The HP-IAPP Privacy Innovation Award recognizes unique programs and services in global privacy and data protection across both private and public sectors. The IAPP Privacy Vanguard Award is given each year to the individual professional who best demonstrates outstanding leadership, knowledge, and creativity in the field of privacy and data protection, whether through spearheading projects or programs that positively impact the privacy profession or through achievements over the course of an entire tenure or career. The Privacy Leadership Award is an honorary recognition of a global leader in the field of privacy and data protection who has demonstrated an ongoing commitment to furthering privacy policy, promoting recognition of privacy issues, and advancing the growth and visibility of the privacy profession.

IAPP Business Model

As discussed earlier, when the IAPP was in start-up mode, it was completely dependent upon a volunteer staff and grants or sponsorships to fund the activities of the association.

Initial Staffing

The IAPP started with a volunteer staff to run the association and initial conference. Additionally, contributions of publication content were provided by professionals within the industry. While this enabled the first conference to get off the ground, it hindered growth of the organization overall. Volunteer staff with limited time and competing priorities and pressures could not provide the resources needed to support multiple conferences and the development of new programs for the association.

Initial Revenue Sources

Contributions were provided by corporations to under-write major activities such as the hiring of key staff and the development of the certification training and exams.

Current Staffing

The volunteer staff was quickly replaced by full-time staff to execute critical tasks and supplemented by volunteers in advisory roles to ensure public acceptance. Advisors continue to provide some content for publications.
The operations of the IAPP are conducted by paid staff with the recent exception of the creation of a pool of IAPP-trained trainers paid on a per diem basis who are scheduled as needed by the IAPP to deliver IAPP certification courses.

Current Revenue Model

The revenues of the IAPP are now self-sustaining and are divided as follows:

Conference Registration Fees/Conference Exhibitors/Conference Sponsorships – 50%
Membership Dues – 30%
Certification Training/Certification Testing/Continuing Education – 20%

Conclusions

The International Association of Privacy Professionals has taken a leadership position within its industry to bring needed education, consistency, and collaboration to a fragmented industry. It has been able to do for the privacy industry what is sorely needed within the accessibility industry. Many parallels between the two industries exist.

Just like the IAPP in the late 1990s, the accessibility industry has recognized today that progress will continue to be slow without a certification program. A program to create an accessibility credential can bring credibility to those who have developed the skills to assess, communicate, and deliver accessible technology and provide a measuring stick to ensure that development candidates are hired or trained to deliver the necessary results in the workplace.

Professional societies such as the IAPP can be critical in making this happen. Not only is there a need for the entity to develop and manage the certification program, but an organization is needed to provide ongoing nurturing of the professional. Certification is not one moment in time. Certification needs to be maintained to ensure that the professional remains current with the emerging technologies, changing legislation, and evolving needs of the profession. The professional society needs to provide ongoing education, networking, and support resources to help the individual continue to be successful in a dynamic industry.
The IAPP has made what it considers to be a critical strategic decision to make membership in the IAPP a prerequisite to certification because of this need to nurture the profession.

Within the accessibility industry, there is currently no professional society that represents the needs of the accessibility developer. While there are numerous organizations that represent developers in general, they provide little information or support in the area of accessibility. With these organizations, accessibility is a low priority if a priority at all. To gain added focus and grow the number of professionals who are knowledgeable on accessibility, it is important to have an organization that represents their unique needs.

While there are groups that provide needed attention to the technical issues of Web development, this addresses only a piece of the problem. Just like the early days of the privacy industry when discussion and focus were vertically driven, there is a need to bring all professionals together to address the expansive and inter-related accessibility issues of Web, software, hardware, mobile, and emerging technologies. Through groups like the IAPP, there is the need to consolidate and discuss issues with the wide range of professionals who are critical to accessibility success.

The IAPP also has addressed the global nature of its profession by creating regionally based content, services and certifications while maintaining consistency of quality and structure. The European, Canadian, and Australian/New Zealand communities are dedicated to addressing the unique needs of these regions. This may be a way to unfold an accessibility society as well. While there are similarities between issues around the globe in accessibility, having regionally designed content will support both local and international dialogue amongst accessibility professionals.
This type of global strategy (like IAPP’s) would strengthen the entire global infrastructure for the accessibility professional.

While many parallels exist between the accessibility and the privacy industry, some differences were also identified. Partnerships with universities are just now becoming an area of focus for the IAPP, as privacy professionals are typically not entry level employees but move into the field after some years on the job. With accessibility, it is much more critical that some level of accessibility expertise be integrated into the post-secondary development curriculum quickly so that accessibility can become a part of the design and initial development rather than a costly after-thought. A professional society could take the lead on developing these partnerships. Many professional societies nurture this aspect of the profession and enable ongoing growth of the profession to keep up with the ever changing landscape of the industry.

Another difference is the strong partnership between the accessibility industry and the federal government. While the IAPP has excellent relationships with many federal agencies, it does not have agencies that are as focused as the U.S. Department of Labor’s Office of Disability Employment Policy (ODEP), the U.S. Access Board, the General Services Administration (GSA) and others in removing the obstacles to achieving accessible technology in the workplace. If a professional society and certification program were created, government agencies and federal contractors would likely benefit from tools created when hiring or developing accessibility professionals within their organizations. They may also want to consider furthering their efforts around accessibility by establishing requirements to hire certified accessibility professionals or, at a minimum, providing preference in hiring to those with accessibility professional credentials.
If this step is taken, corporations contracting with or selling to the federal government will have incentive to hire or train accessibility professionals. As more accessibility professionals are created, the results of their efforts will become more evident in the technology, and accessibility will become an integral part of the engineering process rather than an after-thought. As the demand for a certified accessibility professional grows, it will drive interest amongst universities to build curricula for students which will position them to meet this demand in the workplace.

The greatest challenge for the accessibility industry may be that it has to deal with both a policy aspect and a technical aspect. This was less true for privacy at the beginning but is something the industry now faces. This highlights the growing importance of having knowledgeable IT staff and application developers who understand privacy requirements and technical challenges. Fortunately, due to the IAPP, the privacy field has a strong community of privacy professionals across the business to help drive that effort forward.

The success of organizations such as IAPP is encouraging to the accessibility industry. It is clear from the lessons learned by the IAPP that such entities can have a significant impact upon the industry. The IAPP was a critical part of the evolution of the privacy profession and having a similar professional entity focused on accessibility to provide information, certification, and supporting infrastructure could help the accessibility industry advance in much the same way.

Case Study – Creating a Certification Program

International Association of Privacy Professionals Certification History

The International Association of Privacy Professionals (IAPP) is the only global provider of certification for the privacy industry.
The IAPP Certification provides an impartial, third-party assessment that an individual has achieved a certain level of privacy knowledge and experience.

For the first three years after the founding of the IAPP, conferences and publications remained the priority. However, the need for a certification program was quickly identified by the association and the IAPP Board of Directors as a major requirement within the privacy industry. Corporations needed to expand their focus on privacy. The IAPP felt that having professionals who could demonstrate a comprehensive knowledge of privacy principles and practices was an important step for a rapidly evolving field. Achieving an IAPP credential would validate the individual’s expertise and distinguish them from others in the field.

Development of the IAPP Certification Program started in 2003, with the hiring of a full-time Certification Director to lead the project to build the body of knowledge and create the exam. In 2004, the first IAPP certification exam, the CIPP, was launched. The first exam was taken on October 26, 2004 by 150 privacy professionals at the IAPP Conference.

“One of the really big, fundamental, strategic decisions that we made as a Board was that of certification. There was enormous concern on the part of the Board as to whether we were mature enough as an organization. There was concern that the field of privacy was too broad and that you could not define it into a body of knowledge that was testable. But it was ultimately agreed that we should not let the pursuit of the great keep us from achieving the good,” said Trevor Hughes, President and CEO of IAPP.

The conclusion by the Board was that certification was too critical for the industry to delay and the association needed to “get the ball rolling.” In addition to the hiring of the Certification Director, an Advisory Group was formed to develop the information and test questions.
Additional review and vetting was provided by the IAPP Board of Directors consisting of 20 individuals. Its first effort focused on a collaborative, more informal process to identify the information to be tested and create the certification exam. It was not taken to the public prior to release for a broader review. IAPP’s process has significantly advanced since then, but the initial efforts were instrumental in recognizing the need for the privacy credential and gaining focus for the profession. The initial certification developed was for the U.S. based privacy professionals. It was followed by a certification specifically designed for the privacy professional based in a government agency. Since then, three more certification exams have been created.

Elements of the IAPP Certification Program

Today, the IAPP Certification Program offers five credentials: CIPP (US), CIPP/G, CIPP/C (Canada), CIPP/E (Europe), and CIPP/IT. Each is designed to demonstrate mastery of a principles-based framework and knowledge base. There are currently 3,600 IAPP members who have completed the certification steps and now have at least one of the five credentials. This makes up about 40% of the total IAPP membership base. The remaining 60% consists of individuals who are in the process of achieving their certification or who find significant value in membership but do not require the certification.

All candidates seeking their first IAPP privacy certification (CIPP, CIPP/G, CIPP/C, CIPP/E, or CIPP/IT credential) need to pass an exam called the Certification Foundation. The Certification Foundation covers elementary concepts of privacy and data protection from a global perspective and provides the basis for a multi-faceted approach. It allows other more specific IAPP privacy certifications to build upon this foundation with minimal repetition. The IAPP certification is an entry level certification.
It is not a license or masters program although that could be part of the IAPP’s future strategy. However, the certifications are critical elements to those who are a Chief Privacy Officer in a company or government agency or even those who have privacy defined to be less than 20% of their job but still consider themselves to be a privacy professional.

Certification Requirements

IAPP membership - Each certification candidate must become an IAPP member prior to testing.

Certification testing - Successful completion of both the Certification Foundation exam and one of the module exams (CIPP, CIPP/G, CIPP/C, CIPP/E, or CIPP/IT) will result in the award of the corresponding certification. The certification exams are offered exclusively by the IAPP. The Certification Foundation exam is a two-hour, three-part, 120-item, objective test. Each of the three Foundation exam sections is composed of 30 multiple choice items plus one case study with 10 true/false questions for a total of 120 exam items.

Five Certification Programs

The Certified Information Privacy Professional (CIPP) credential was the first certification developed by the IAPP. The CIPP module exam is a one-hour, 60-item exam that consists of two sections: U.S. Private Sector Privacy Law/Compliance and U.S. Private Sector Privacy Practices. Each section is comprised of 20 multiple choice items plus one case study with 10 true/false items for a total of 60 exam items. The IAPP developed the CIPP program in coordination with a large number of Fortune 500 corporations.

The Certified Information Privacy Professional/Government (CIPP/G) is the first publicly available privacy certification designed for employees of U.S. federal, state, county, and local government agencies. It also is available to vendors, suppliers, and consultants who serve government clients. The CIPP/G addresses U.S.
government privacy laws, regulations, and policies specific to government practice as well as those more broadly applicable to the public and private sectors in the U.S. It also covers U.S. government-standard practices for privacy program development and management, privacy compliance and auditing, records management, and agency reporting obligations for privacy. The CIPP/G is a one-hour, 60-item exam that consists of two sections: U.S. Government Privacy Laws and U.S. Government Privacy Practices. Each section is comprised of 20 multiple choice items plus one case study with 10 true/false items for a total of 60 exam items. The IAPP created the CIPP/G program with the assistance of privacy officers from U.S. federal agencies, including the Postal Service, the Department of Justice, the Department of Veterans Affairs, the Office of Management and Budget, and the Internal Revenue Service as well as U.S. state agencies such as the California Department of Consumer Affairs. Leading government services vendors also advised the development of the examination, training programs, and reference materials.

The Certified Information Privacy Professional/Canada (CIPP/C) is the Canadian certification to be offered in privacy and data protection. It is targeted to the specific needs of Canadian privacy professionals as well as any practitioner who manages information that is subject to Canadian jurisdiction. The CIPP/C is a one-hour, 60-item exam that consists of three sections: Canadian Privacy Fundamentals, Canadian Privacy Laws and Practices - Private Sector, Canadian Privacy Laws and Practices - Public Sector. Each section is comprised of 10 multiple choice items and one case study with 10 true/false items for a total of 60 exam items. The CIPP/C is the product of the combined efforts of the IAPP and leading Canadian privacy officers from a number of corporations.
The program has been reviewed by the Canadian federal, territorial, and provincial information and privacy commissioners. The Certified Information Privacy Professional/Europe (CIPP/E) program is the professional credential specific to European data protection professionals. The CIPP/E encompasses pan-European and national data protection laws, the European model for privacy enforcement, key privacy terminology, and practical concepts concerning the protection of personal data and trans-border data flows. The CIPP/E is a one-hour, 60-item exam covering the following three general topics: Introduction to European Data Protection, European Data Protection Law/Regulation, and Compliance with European Data Protection Law and Regulation. All 60 test items are multiple-choice format, including ten associated with three scenarios. The IAPP created the CIPP/E program with the assistance of its European Advisory Board which includes members from large international corporations, consulting/law firms, and data protection authorities/associations from the UK, Ireland, Spain, and Germany. The Certified Information Privacy Professional/Information Technology (CIPP/IT) is the global privacy certification for IT practitioners. It assesses understanding of privacy and data protection practices in the development, engineering, deployment, and auditing of IT products and services. The CIPP/IT certifies individuals in their knowledge of privacy-related issues and practices in the context of the design and implementation of information and communication technologies. The CIPP/IT is a one-hour, 60-item exam composed of 40 multiple choice questions and one case study with 20 true/false items. The CIPP/IT was developed by the IAPP and closely advised by IT privacy and security experts from global corporations, professional associations, government agencies, and higher education institutions. 

Testing

The IAPP offers privacy certification testing at its major annual conferences and throughout the year at sponsored events and at partner sites in select cities. It also provides group onsite testing which is arranged on request. An individual may retake IAPP privacy exams as many times as required to pass. All exams are taken in-person at an IAPP sponsored location. In the future, the IAPP plans to partner with a testing company with multiple locations so as to offer computer based testing.

Certification Training

The IAPP provides a number of resources and training opportunities to help an individual prepare for their certification exam. The formats available to gain the training required include:

Live training - These workshops are offered on-site during IAPP conference events throughout the year or can be scheduled on request at corporate locations. A certification candidate is not required to attend the IAPP conference event in order to attend the privacy certification training.

DVD training - DVD training workshops are filmed versions of the live training workshop. The content and presentation are identical to a live training workshop, but the DVD format provides the convenience of viewing the presentation at the candidate’s own pace.

Textbooks - The IAPP publishes textbooks as an additional resource to aid in exam preparation and for use as general reference guides. In addition to covering material that appears on privacy certification exams, the books are useful as a source of information covering privacy and data protection laws and standards. The textbooks are generally considered as supplements to the IAPP training workshops.

Free study resources - The IAPP offers a number of freely available information resources, which, in combination with other efforts, can help a certification candidate achieve success on the certification exam.

Continuing Education Requirements

Once certified, all IAPP professionals must keep their IAPP membership status current as well as meet a minimum of 10 credit hours of continuing privacy education (CPE) each year in order to uphold their certification. For the most part, any privacy- or security-related event or program is eligible for IAPP continuing education credit—pending approvals. IAPP-certified members who attend IAPP events will be awarded CPE credit for that event. This includes IAPP conferences, KnowledgeNet meetings, IAPP Web conferences, and Privacy Tracker audio conferences. To request CPE credit for any program not hosted or sponsored by the IAPP, a candidate must complete a CPE Credit Application Form and submit appropriate supporting documentation. The programs that are considered for CPE credits include Information Security events and programs such as those provided by ISSA, (ISC)2, ISACA, RSA Conference, and other leading information security organizations; privacy seminars or courses not hosted by IAPP; and privacy-related speaking, writing, or teaching engagements.

IAPP Certification Business Model

The initial IAPP certifications and the hiring of a full-time Certification Director were made possible through the underwriting support of large corporate sponsors. An advisory board was formed to create the requirements for the first round of content modules and exams. The content for the exams was built from scratch.

Exam fees, training revenues, and certification publication fees contribute approximately 20% to the overall annual revenue stream of the IAPP. Fees are collected for the foundation and certification exams, along with reduced fees for re-taking the exams. Training fees are assessed for both the live and DVD versions of the certification education.

Future Enhancements to the IAPP Certification Program

In the future, the IAPP is looking at offering certifications to those who have a need for role based privacy knowledge and may find significant value in achieving a certification level. These candidates include individuals such as HR managers, Financial Services professionals and Marketing professionals. These are job functions which require knowledge of privacy to do their job. The IAPP is assessing how certification can play a role in making these candidates successful. New certifications may need to be developed to address this. When understanding the knowledge requirements throughout a large organization, there are multiple levels of privacy knowledge that are required. For example, a large corporation may have a need for up to 20 to 200 CIPP professionals, 2,000 role based professionals requiring additional U.S. and international certifications, and/or Foundation-only training, and 20,000 employees who require an awareness of the issues around privacy. The IAPP is looking to create a 20 minute online video as a solution to this information requirement at the awareness level. This is a part of the IAPP’s ongoing effort to determine what needs to be done to further support the industry and those individuals in the privacy role. The existing CPOs can influence or even mandate, depending upon their level within the organization, the certifications or awareness training implemented throughout the rest of the organization. They are the critical champions to gain privacy effectiveness in an organization. The IAPP provides the tools for them to accomplish this. The IAPP is also looking to expand its approved trainer program and enhance its self-paced training modules. It plans to move from the use of DVDs of recorded live training workshops to a more professionally developed interactive, online training.

Key to Success

The IAPP maintains control of the development of exams and the administration of the testing and training to ensure that quality and consistency are met. The goal of a certification program is to establish an objective measure of who is a knowledgeable person within a given field. It is a designation earned by a person to assure qualification to perform a job or task. One key determination of the success of any certification program is based on whether it becomes a requirement for hiring a professional into a particular position. The IAPP maintains its own Job Board and monitors the job placements of privacy jobs on other general public job boards such as Monster.com. The IAPP certifications have become a growing part of the requirements or preferences set by a company or government agency in the hiring process. This was particularly true in the government arena and helped to drive the effort to create a government-specific certification (CIPP/G). This will continue to be a major focus for the IAPP moving forward.

Conclusions

The field of accessibility is at a similar point as the privacy industry was in the years 2000-2003. The fragmented nature of the approach to accessibility creates an environment that provides minimal focus and direction. Input from individuals already working on accessibility issues has raised concerns that individuals representing themselves as “accessibility experts” may not be as knowledgeable as they should be. And those who have developed a high level of expertise deserve recognition for that accomplishment. There are numerous publicly available, standards-aligned tutorials on Web accessibility. However, the experts do not always agree, which can lead to frustration and a Developer’s belief that standards cannot realistically be met. Accessibility standards for other types of information and communications technology (ICT) beyond the Web are harder to find and even less likely to align.
Much of what is readily available is out of date and, in some cases, contradictory. There is no “final authority” on what constitutes standards compliance. While the W3C/WAI is globally recognized as the leader in defining Web accessibility, there remains some confusion as standards evolve and guidelines are not always perceived as keeping pace with technology changes. Most certifications are earned from a professional society. A multi-level certification program, the education to support it, and an association to ensure it maintains currency and relevancy would offer needed structure and focus for the accessibility industry. The certification process would create accessibility industry professional standards and create a credential to aid in hiring decisions. The accessibility industry could benefit by taking an approach similar to the IAPP model: create multiple study programs and exams to train and test individuals on the necessary subject areas, and offer multiple certifications, as appropriate, to meet the needs of the industry. An Accessibility Fundamentals exam should be created to test for basic accessibility knowledge and result in a basic accessibility certification. This exam would test knowledge of laws and regulations, as well as common accessibility requirements and necessary business and engineering practices. The exam would be appropriate for generalists in the field of accessibility and act as the basis for more specific and advanced certifications. Additional exams and certifications should be created for designers and engineers that test for more technical expertise and knowledge of specific strategies for designing, developing, testing, and deploying accessible products and services. It may be preferable to create separate exams and certifications for one or more of these roles.
Similar to privacy, there may also prove to be value in creating an exam and certification for individuals employed by or doing work for government agencies – to ensure knowledge of procurement requirements, testing methodologies, and concerns related to deploying assistive technologies in the workplace. These exams should test to the multiplicity of standards when needed and not try to solve unanswered questions or “take a position” through the certification. This will build a larger pool of skilled accessibility professionals. It can also work to drive the integration of accessibility training into other general IT development training programs and post-secondary educational programs. With accessibility needing to be a component in every part of the development process, creating new developers who understand those fundamentals coming out of the university system will ultimately result in a significantly larger worldwide population of knowledgeable individuals. University programs respond to demand from the job market. As more positions require or show preference for hiring individuals with an accessibility credential, colleges and universities will respond. In the privacy industry, the federal government realized the value of the certification program and worked with the IAPP to develop a government specific certification. Having a similar type of accessibility certification could allow the federal government to establish a government-wide policy that would require each federal agency and all federal contracting companies to have some number of accessibility certified individuals. This could significantly expedite creating an accessible federal workplace environment and advance the hiring, retention, and advancement of persons with disabilities in government positions.
The accessibility industry needs professionals who can work across the enterprise and work with the different product, application, or service development teams to guide them to ensure accessibility is being applied properly from the start. It may be wise to start with the initial requirements for a segment of the accessibility population, such as Web developers, and then expand to hardware, software, and other areas. Over time, certifications may need to be established for role based knowledge requirements, just as the IAPP evolved. For the accessibility industry, this could include Procurement Officers, HR Managers, etc. The IAPP creates, maintains, and conducts the educational workshops or materials available for the certification. It has recently expanded to meet demand by training an approved set of outside trainers which they then schedule. This is an area that the accessibility industry may want to investigate further to determine if the industry would be better served by authorizing existing training providers/organizations to deliver an approved certification curriculum. The most important goal is to ensure that someone who takes an approved certification course in preparation of the certification exam receives the quality and content they need. With the state of the accessibility industry today, the professional society and certification should be developed concurrently. Certification will impact consistency in the industry and lead to more accessible technology. The professional society is needed to drive and support that certification goal and to provide a place for the global dialogue on certification and other critical issues. 

Case Study – Creating a Central Repository of Information to Support the Accessibility Professional

International Association of Privacy Professionals Knowledge Base History

The International Association of Privacy Professionals (IAPP), as part of its ongoing mission to define, support, and improve the privacy profession globally, develops and delivers a comprehensive set of informational materials through its website and via its online and printed publications. The IAPP website provides information about the association, its events, and its certification programs. It also offers online versions of IAPP publications, a Knowledge Center, and an Online Store for the purchase of publications, audio/Web conferences, and supporting materials for certification. While the IAPP provides links to other resources, the organization is itself the creator or consolidator of much of the information it makes available. A key goal of the IAPP is to provide the privacy professional with the most current information on a timely basis. It accomplishes this through its website which highlights the latest global news including legislative announcements and through a daily online publication called The Daily Dashboard. (The Daily Dashboard will be discussed in further detail later in this report.) The importance of timely information as part of the IAPP’s mission is clear. This was one of the first activities that the IAPP embraced when it was founded in 2000. Along with the creation of a conference as another venue for delivering information and fostering lively discussion around the privacy issues, a monthly printed publication was established. This eventually evolved into the online and e-newsletter formats that exist today. The Daily Dashboard was the first online publication and was launched in 2004.

International Association of Privacy Professionals Web Based and Publication Programs

Publications

The Daily Dashboard is a daily e-newsletter which summarizes the day’s top privacy stories with links to the full articles. It is available to IAPP members and non-members at no charge. It has been identified as one of the most valuable services provided by the IAPP given the dynamic nature of the privacy industry. The Daily Dashboard offers a daily synthesis of international privacy news. Weekly versions are also available to provide regional coverage. The IAPP now has three Dashboard Digests which provide a regional focus for Canada, Europe, and Australia/New Zealand. The Daily Dashboard not only consolidates the news in one convenient place for its subscribers, but it summarizes the information and adds commentary from experts in a way that brings added value to its readers. The Daily Dashboard is available to both members and non-members. It offers an excellent way for someone to get engaged with the organization and with the industry.

Inside 1 to1: Privacy is a monthly e-newsletter that offers the latest insights on the role of privacy and trust in customer relationship management. This is available to both members and non-members.

The Privacy Advisor is a monthly member e-newsletter including feature articles, white papers, studies and surveys, and information resources. It offers news and analysis of privacy issues worldwide from leading experts.

The Privacy Tracker is a members-only subscription service. It provides the latest legislative developments, weekly recaps of state and federal privacy bills, monthly calls with privacy legal experts, a Web portal of timely articles, reports, and more.

The IAPP also publishes a number of printed guides and textbooks.

Knowledge Center

The IAPP Knowledge Center provides hundreds of privacy resources in one central repository.
This offers the privacy professional one convenient location to access the information they need to prepare for CIPP certification or investigate information on the ever-changing privacy landscape. The Knowledge Center provides articles, research studies, job postings, toolkits, links, and presentations that provide the latest news and industry findings.

Privacy Links and Blogs

The IAPP provides a broad range of links to non-IAPP sites and resources. They include general privacy links, resources for vertical topics on Financial, Healthcare/Pharma, Security, and others. They provide industry statistics and links to related government sites for federal and state information, tools, and legislative documents. They also provide a connection to 30 privacy blogs which the IAPP considers to be related to privacy but does not endorse.

IAPP Business Model

As described earlier, the IAPP website and online publications provide an extensive array of information and resources for the privacy professional. The content made available through the IAPP online presence is controlled by the IAPP Publications Department. It provides review and management necessary to ensure that the content and resources listed are of value to the privacy professional. Its primary strategy is to host any content created outside of the IAPP instead of linking to it. This allows the IAPP to add perspective to the information and help the privacy professional sift through all the information that is available. All content on the site is keyword searchable. The Publications Department consists of approximately seven individuals including staff writers who generate the content or consolidate and review content provided by others. The IAPP has established a number of partnerships and relationships that proactively provide content to them or offer insight to their articles. The IAPP staff provides the vetting of the material which is used in the online publications and on the website.
The Privacy Advisor publication also uses an Advisory Board of 15 to 16 people to provide content direction for this flagship publication. As the IAPP moves forward, it is investigating how to allow access to non-vetted documents through a possible peer rating or ranking system.

Conclusions

As mentioned earlier, when it comes to the accessibility field there presently is a lack of reliable resources and training for the development community and a lack of understanding of what needs to be done. Having a professional society which would serve as a critical and trusted supplier of accessibility information and the creation of a related accessibility Web portal would likely go a long way toward fulfilling this void. Many of these obstacles faced by the accessibility professional result from the absence of any centralized repository of knowledge as it relates to accessibility development. Having an improved source for accessibility information would benefit more than just the development community. For example, publishers of textbooks, as they migrate to digital platforms, find accessibility issues gaining increased importance – issues largely outside their traditional expertise. They are stymied by current barriers and are seeking better information sources on accessibility. Addressing these issues faced by the publishers is critical to preparing students with disabilities to enter the workplace. A Web portal for accessibility would also serve as a centralized resource where Developers, Quality Assurance personnel, and Management could go to find education, information, and technical direction related to accessibility. Information included should, at a minimum, relate to business drivers, training/certification, development tools/guidelines, and testing tools/guidelines. It should also provide a community network. While a vast collection of legacy content already exists pertaining to accessibility, it varies in quality and accuracy.
Any accessibility professional society created would need to serve not only as a central repository for the best and most current existing information, but also as a creator of new content. A combination of vetted information and community created information, with possible peer reviews or ratings, is likely to be needed. It is important that the excellent work conducted previously by the World Wide Web Consortium Web Accessibility Initiative (W3C/WAI), other similar organizations, and information and communications technology (ICT) developers, not be overlooked or reinvented. It is also critical that a roadmap be provided to guide the accessibility professional through this volume of information. Given the globalization of prominent businesses today, any accessibility professional society created will need to partner with and coordinate content from other organizations and existing projects around the world. These organizations could include W3C/WAI, the EU e-Accessibility Initiative, AEGIS, and the U.S. Access Board among many others. Just as professional societies such as the IAPP provide many publications and online information to both members and non-members, this will also be key for advancing the accessibility industry. One vital benefit that comes from a professional society providing a centralized informational role is the benefit it can bring to those who are just beginning to learn about accessibility. Having a trusted resource for information, created by an organization with quality content review, helps to ensure persons starting their accessibility education find the right information and do not become discouraged.

Final Conclusions and Recommendations

A professional society in the field of IT accessibility along with an associated professional certification would increase the importance and value of accessibility skills with thought leaders and employers globally.
It would also enable employers to more readily identify individuals with essential skills in this expanding field. The end result would be greater employment of people with skills related to accessibility and a greater number of products that enable people with disabilities to fully participate in the workplace – without delays or issues. It would also support the fulfillment of current and emerging legal mandates for employers and government. Just as privacy was increasingly becoming a topic of importance for organizations in the late 1990s, accessibility is growing in priority for large and small organizations. Pressure is coming from employees, customers, and legislative requirements. The champion for accessibility within an organization may be within the HR Department, IT Department, Marketing Department or Product Development. It is becoming widely recognized that accessibility must be built into every website, piece of software, hardware, and service an organization provides – regardless of whether that organization is in the private or public sector. With this growing level of need comes the increased demand for bringing order to the confusion and turmoil within the industry. In today’s accessibility environment, solutions are piecemeal or vendor specific. To be successful, a greater volume of knowledgeable professionals are needed, and they need to have resources available to help them deliver solutions in a timely fashion. Having a professional society which provides accessibility certification and a central place for resources, education, and networking could help advance the industry and the professionals within that industry by providing needed structure, support, guidance, and information.