Smart Cities: Project Manager as Privacy Officer
Categories:
smart cities,
smart city,
data privacy,
privacy,
privacy concerns,
project,
project management
Categories: smart cities, smart city, data privacy, privacy, privacy concerns, project, project management
|
Note: this is a guest post from Smart Cities expert, Dr. Beverly Pasian. Learn more about her at the bottom of the post. I'm honored to have her expertise in this series on Smart Cities and Project Management! The pandemic was the excuse, not the reason. In May 2020, Sidewalk Lab’s CEO Dan Doctoroff pointed to the economic impact of the pandemic as making the financial viability of the Toronto smart city project uncertain. While undoubtedly a factor, the downfall of the unprecedented urban experiment began two years earlier with the resignation of key advisors. Notable among them was privacy expert Dr Ann Cavoukian who, concerned that the imagined ‘city of privacy’ was turning into a ‘city of surveillance,’ was unconvinced with Google’s commitment to protect personal information. In doing so, she revealed a new role within the spectrum of project management professionals—the project-manager-as-privacy-officer. Within this revelation one can further see good and bad news. The bad news? Privacy is given almost no specific mention in any of the major project management standards. The good news? It can be interpreted in all of them. Direction is available for project management professionals seeking to enrich their careers. Imaginings are offered below, influenced by PMI’s project management principles, and easily applied to IPMA’s people, practice, and perspective competences. Be a diligent, respectful, and a caring steward of data As a project manager, you will be entrusted with personal and proprietary data possibly at all stages of the project. Upholding ethics and values will be natural extensions of this work. Data stewardship comprises responsibilities both within and outside the organization and should be reflected in your integrity, care and trustworthiness. More specifically, measures must be taken to ensure compliance with policies and accords such as the General Data Protection Regulation and the California Consumer Privacy Act (CCPA). Demonstrate privacy leadership Privacy and data can be secured in a project when key roles are staffed, notably those of the privacy manager, individual privacy officers and a data protection officer. Combined, they represent the privacy organization and are responsible for the interpretation of privacy policy(ies) and compliance across the project or program. The project governance structure would be a natural place to create this leadership. Respect the rights of all stakeholders as data subjects Within a privacy discussion, a stakeholder is a data subject – someone whose personal data is contained within or otherwise affected by the project. They can be positively or negatively affected by the project when, for example, their data is (securely) used for stakeholder feedback. On the other hand, compromising or breaching personal data can dramatically curtail or stop project activities. Effectively engaging a stakeholder involves the provision of reliable information / policies detailing how their personal data is managed (including in the event of a data breech). This will directly help foster a culture of trust.
Champion the true value of privacy (it’s not the data) At its core, the value of privacy is in the feelings and esteem of a project team member, not the data. The unexpected / unwanted sharing of personal information is, at best, an embarassing distraction but, at worst, a criminal act violating someone’s boundaries. At any point along this spectrum, it can be a significant departure from the project’s work. Much as a business case is a starting point for project value, a privacy policy can be for a project organization. Starting with one or more official sources, a contextual interpretation demonstrates clear leadership and advocacy for the unspoken needs of team members. The potential value—based on good will if nothing else—is enormous. Recognize, evaluate and respond to data breaches Project teams must realize the holistic view of the project as a system with privacy and data security embedded therein. The team needs to understand that a single change (for example, a breach of data) can cascade across the project and a response mechanism is essential to maintaining the system. Privacy professionals see breaches as more than risks. Their essential nature—the unwanted sharing of personal data—is largely the same regardless of circumstance. So is the response: (1) stop the breach and (2) prevent its recurrence. Create a collaborative team environment Paradoxically, a collaborative team culture can maximize opportunities for respecting privacy and data security. The transparent exchange of ideas and practices can result in data management agreements, organizational structures (i.e, the identification of a privacy steward) and processes (e.g., data protection impact assessments). Sharing experiences as ‘cases’ for other’s enlightenment is invaluable. Build quality into information management Quality is the ability of an organization to fulfill the stakeholders’ implicit and explicit needs. The same can be said for privacy and data protection. Compliance criteria (such as laws or regulations) specify ways to assess if quality has been achieved. Navigate complexity of personal, project and organizational data Data comes in many forms and from various sources and a project manager can create effective divisions: personal, project and organization. Complexity can (increasingly) emerge from their (mis)use in projects, programs or portfolios. Setting clear privacy and data security principles and breach responses can help. Widespread knowledge and acceptance of this information is essential, along with the careful distinction of responsibilities between the privacy manager and data protection officer. While related, these are separate roles with their own functions and relationships to the project manager. Embrace adaptability A project manager must also respond to changing data conditions. Is the data fit for the purpose(s) of the project? Is a source continually reliable? Do the IT functions and infrastructure support the (changing) data conditions? Is the project organization working in accordance with privacy laws, regulations and policies? Conducting regular privacy and data protection audits, serving as a sounding board for continuous learning and improvement, and deepening your own skills and knowledge will all contribute. Blog posts are inherently limited, and this one is no different. The thoughts above provide insight (not instruction) on a critical new dimension to a project manager’s role. For the broader perspective for both this post and those upcoming in this smart city series, I’ll return to Toronto. When officially launched in 2017, Alphabet (Sidewalk Lab’s parent company) emphasized the vital importance of improving quality of life in making its city-focused technology decisions. The Toronto project was not a ‘random activity’ but the result of more than a decade’s deliberations. As a native Torontonian, I was grateful at the time to hear this thoughtfulness. And as a researcher of quality-of-life in smart cities, even happier to hear this view from a project sponsor (Alphabet Chair Eric Schmidt). It was only a year later when project leadership started to deteriorate and project failure could be seen (in hindsight anyway) as inevitable. Anonymization protocols were not secure enough for Dr. Cavoukian. Former Blackberry CEO Jim Balsillie thought the project an experiment in ‘surveillance capitalism’ (one of the more frightening phrases I’ve heard in smart city discussions). Other privacy advocates contributed to these very public fallouts. Could quality-of-life in the Toronto/Sidewalk Lab model be achieved? Apparently not. But did it show that project team members could advocate a new type of civic (not just social) responsibility? Yes. Did these project professionals do so by clarifying privacy as an abstraction into something of immediate and tangible importance to a citizen’s daily life? Absolutely yes. In developing as professionals, project managers can look favorably on the Toronto experiment. Privacy and data security were revealed as key, new dimensions of their job. Perhaps most importantly, project managers can also look at it as a clear example of their other role… that of affected citizen.
Beverly Pasian’s career is one of a project management practitioner and researcher. For more than 30 years she has managed, taught and conducted research in the public sector around the world. She has dozens of courses, papers and presentations to her credit along with master’s degrees (in education and business), a Doctorate in Project Management (2011) and a Doctorate in Business Administration (2023). Expert and leadership participation in the IEEE and IPMA are ongoing. One of the best decisions of her professional life was to pivot her focus from project management maturity to smart cities. Investigating the role of projects in maximizing quality of life in smart cities is the most responsible step she wants to take as a researcher…with the ultimate goal of working directly with companies and cities to do the same. December, 2023 Future posts will revisit the question…how do projects contribute to quality-of-life in smart cities? Stay tuned. |





Dr. Beverly Pasian