Friday, 1 February 2013

Displacing dodgy data protection training

How do you know whether someone has an appropriate level of experience in data protection?
This question is becoming quite important, as a variety of organisations are currently offering various types of certification of data protection proficiency. 

But are these certificates actually worth much? What assurance do they give that the bearer of the certificate is any good at applying legal principles in a manner that is acceptable to an employer or to a regulator? Which is the best one?

Given the increased level of public interest in data protection, I expect that it won’t be too long before the spotlight falls on the training organisations that currently operate in the UK. Does each organisation really offer the trainee an adequate level of knowledge, and is the certificate that is subsequently acquired of much practical use to a British data protection officer? 
Yes, employers like people who are qualified. But qualified in what respect? If they are not careful, employers will just rely on the publicity that is churned out by the certification providers. But publicity about how good their own certification is cannot really be taken as a sufficiently objective measure. 

What qualifications really are appropriate? Those issued by the British Computer Society/ISEB? PDP? Act Now? Or the IAAP?

Here, there might be a role for National Occupational Standards. These are standards which describe what an individual needs to do, know and understand in order to carry out a particular job role or function.  As the NOS website helpfully points out, they are:
“National because they can be used in every part of the UK where the functions are carried out;

Occupational because they describe the performance required of an individual when carrying out functions in the workplace, i.e. in their occupation (as a plumber, police officer, production engineer, etc); and

Standards because they are statements of effective performance which have been agreed by a representative sample of employers and other key stakeholders and approved by the UK NOS Standards Panel.”

Trainers in the policing and law enforcement area have recently created a standard with the snappy title of “SFJ ZA11 Ensure organisational compliance with Data Protection legislation”.

Perhaps what we need is for more industries to create suitable standards, and then for an independent regulator to assert whether the certificates offered by the major training providers adequately meet these standards.

Otherwise, we might see training organisations taking advantage of the growing fears that organisations have when they realise that they need to get data protection right, by delivering inadequate training to students.

If ever there were a need for regulation to protect the public against dodgy standards, then perhaps there is a case for the data protection training market to be more formally regulated.