CIPP/C? CRTC? IAPP? OPC? What the…? (20.12.2015)
If you read any of my posts on privacy (which I view as being strongly related to bioethics for the protection of patients’ personal health or medical information) you’ll probably see some strange acronyms including ANSI, CIPP (usually as CB, CIPP/C), CRTC, IAPP, ISO, PIPEDA, OPC, and PA (or “The Act”). This post should explain what all these acronyms stand for, but it’ll make more sense if I don’t describe them in alphabetical order!
IAPP = International Association of Privacy Professionals: In its own words, it’s “the world’s largest and most comprehensive global information privacy community and resource”.
CIPP = Certified Information Privacy Professional: This designation, granted by the IAPP, “has been recognized as the world’s preeminent credential in the business of privacy. Since its introduction in 2004, the CIPP has elevated the careers of thousands of professionals working in privacy and data protection across the globe”. The IAPP offers other certifications, but I’ll focus on the CIPP here as it’s the most common.
In 2015 the CIPP designation was accredited against the International Organization for Standardization’s (ISO) 17024 classification, under the American National Standards Institute (ANSI). The CIPP certification can currently be obtained for any (or all) of the 5 following areas or specializations:
– CIPP/A for Asia
– CIPP/C for Canada (my jurisdiction)
– CIPP/E for Europe
– CIPP/G for US – Government
– CIPP/US for US – Private sector
To obtain this credential, an individual must demonstrate “a foundational understanding of broad global concepts of privacy and data protection law and practice, including: jurisdictional laws, regulations and enforcement models; essential privacy concepts and principals; legal requirements for handling and transferring data and more”. In my case, this meant studying and training for two different certification exams, to obtain one single certification.
Before writing the CIPP/C exam, I first had to pass an exam (with a mark of about 75%, although the passing grade varies from one version to another as these exams are regularly updated) on the “Fundamentals of Information Privacy”.
This entailed reading a rather dry and legalistically-written book outlining; the philosophical and theoretical underpinnings of the basic concepts of privacy, how they differ from country to country (or jurisdiction to jurisdiction, as different provinces and states may have substantially different privacy laws), the specific requirements of privacy laws in each country, and the specific requirements of information protection in terms of ever-adapting information technologies.
There were a number of other documents to read, and I also completed an on-line training module and wrote a couple of practice exams; the IAPP recommends about 30 hours of studying and training to be able to pass each of their exams.
Once I’d passed that first exam, I could then write the CIPP/C exam, focussed on the patchwork of Canadian federal and provincial laws that provide privacy protections in Canada. Another 30-plus hours of studying and training, another – similarly exciting – textbook and multiple other documents to read…
Even most Canadians don’t realize that we have such a large number of different privacy laws within this country. Canada has two federal laws for basic privacy protection, and another law governing electronic communications; the Personal Information Protection and Electronic Documents Act (PIPEDA) covering the private sector, the Privacy Act (PA; usually referred to as “The ACT” within privacy circles) for personal information within the federal government’s agencies and departments, and Canada’s Anti-Spam Legislation (CASL).
CASL is jointly enforced by three different governmental bodies; the Canadian Radio-television and Telecommunications Commission (CRTC) which can issue fines for violations; the Competition Bureau (CB or CCB for Canadian Competition Bureau) for criminal sanctions under the Competition Act (CA); and the federal Office of the Privacy Commissioner (OPC), which was granted new powers to address CASL issues when PIPEDA was amended on January 1st of this year (2015).
Within Canada we have multiple additional sets of privacy laws (and governmental privacy offices or officers), as each province or territory can enact their own legislation – which will then override the federal law in that particular province. Many provinces have then issued additional privacy legislation for health information, and other provincial laws may also impact privacy protection – as does the Civil Code of Québec.
As an example, the Province of Ontario has two laws covering just the public sector (the Freedom of Information and Protection of Privacy Act (FIPPA), and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)), as well as the Personal Health Information Protection Act (PHIPA).
As you may have guessed by now, I passed both exams; and I’m happy to say that I passed each of them on my first attempt. I’ve since heard that many people don’t pass the IAPP exams the first time around, but I had an advantage; a fair amount of my work in bioethics had involved privacy considerations, so I was already very familiar with the underpinning concepts and theories at play.
In clinical or medical research ethics, for example, a large amount of personal health information is collected about each research participant – sometimes including genetic information – during a clinical trial. There must be provisions to protect this data as part of the study protocol (the document outlining the rules for a specific research project).
Research participants are usually advised in advance of the collection of this data as well as the measures taken for its protection (often in an informed consent document/form, an ICD or ICF, or another type of explanatory document) before they join the research project.
I obtained my CIPP/C designation a few months ago, on June 9th (2015). But the studying and training requirements of the CIPP/C had just begun! Similarly to the continuing education requirements for many professionals to maintain their certifications, professional designations, and rights to practice in their fields – accountants, lawyers, physicians, and countless others – privacy professionals with any of the certifications I’ve listed must complete (at least!) a set amount of privacy training in any given period.
This requires on-going training is set, as with most professions, as a certain minimum number of hours of ‘continuing privacy education’ (CPE); even the term and acronym are similar to ‘continuing medical education’ hours (CMEs) for physicians, and ‘continuing legal education’ (CLE) for lawyers. Each accrediting body (the organization that grants and renews the certifications, professional designations, and/or rights to practice of a given profession) sets their own training requirements and guidelines on what type of training of activity can (or can’t) be counted as CLEs, CMEs, CPEs, etc.
The IAPP’s guidelines on CPEs are fairly extensive and comprehensive, requiring a minimum of 20 CPEs per certification period. Activities can be credited that aren’t training per se, but that would be expected to require an individual to broaden and strengthen their knowledge base in the field of privacy. For example, a CIPP who manages other employees (all working full-time in privacy protection roles) can claim 1 CPE for each accreditation period.
In addition to training courses, CPEs can also be claimed for attending privacy conferences and workshops. For CIPPs also working in other fields (many are also lawyers), we can claim CPEs for privacy protections sessions at conferences and workshops in other fields (although ‘double-dipping’, or claiming both CLEs and CPEs is frowned upon).
My primary field is bioethics, so if I attend any 1 hours+ sessions on privacy at the annual conference of the Canadian Bioethics Society (CBS) I’ll be able to claim 1 CPE each for those. These days there are likely to be sessions on patient privacy issues with genetic testing, as Canada doesn’t yet have any protection of genetic information; that data isn’t considered to be health information, for some reason, so isn’t covered by health privacy laws.
Most (all?) of us in bioethics are hopefully that the Canadian government will enact legislation soon to correct that gap, but for now it’s an important topic of discussion and study within the fields of both bioethics and privacy.
For more information, visit the IAPP website (all information quoted in this post is from the IAPP website):