by Abbie Lundberg

The CIO Role in Data Stewardship and Privacy

Jul 01, 20023 mins

For the past decade, chief information officers have devoted a great deal of time and attention to the technology part of IT. But as I’ve said in recent columns, the next decade will see a major shift to the information part of the equation. With the tools in place, companies are getting down to the business of mining, leveraging and making money from all that data they’ve been collecting.

The technologists have had their day; now it’s the marketers’ turn. And CIOs everywhere are grappling with the question of their own role in data stewardship.

Of course, before that question gets answered, a more fundamental issue must be addressed: Who actually owns all this information?

“Somehow, technology has led to this rogue theory that acquiring data about people gives you the right to own that data,” says Chris Hoofnagle of the Electronic Privacy Information Center (EPIC), in “Take the Pledge,” beginning on Page 56. “But there’s no theory of property that says that’s OK.”

Privacy law will inevitably, if not immediately, come down on the side of individuals’ right to their own data. For now, however, CIOs are on their own when it comes to figuring out what to do.

The ongoing Andersen/Enron case has brought the issue of corporate data retention and deletion to center stage. Recent revelations about the FBI’s use of e-mail monitoring to investigate Osama bin Laden’s terrorist network raise further questions.

According to an internal FBI memorandum made public in late May, in addition to gathering e-mail from legitimate suspects, the system “also picked up the e-mails of noncovered” individuals. “The FBI technical person was apparently so upset [that the system picked up e-mails it wasn’t supposed to] that he destroyed all the e-mail,” including those related to the investigation. (View the memo at

Data stewardship doesn’t stop at document deletion. If a pending privacy bill (S. 2201) gets passed into law, U.S. companies will be required to give customers access to personal information they have collected. Europe already requires such access. It will certainly fall on the CIO’s shoulders to figure out how to comply with this mandate without incurring significant new costs.

CIOs can’t and shouldn’t wait for the law to catch up with the state of the art. You must start the dialogue now regarding what is right, and then deploy the appropriate tools, policies and data management practices to support that stance.