This blog reflects the views of policy staff and does not necessarily reflect the views of the IAF corporate and policy boards. The Biden-Harris Administration issued an expansive and ambitious Executive Order on Safe, Secure and Trustworthy Artificial Intelligence (EO). The order articulates boundaries and expectations for U.S. Government Agencies – and for much of the private sector (directly or indirectly) – regarding the responsible development and use of Artificial Intelligence (AI). The IAF commends the EO’s emphasis on risk assessment and risk mitigation. Those foundational concepts underpin IAF’s decade-long work to promote fair and responsible uses of data. We further applaud the Administration’s efforts to assert global leadership and raise the bar for ethical-AI practices internationally. The order is a long and complex document, one that will help guide other governments around the world (as well as those of U.S. States) now drafting rules and passing laws to regulate AI. While AI remains a burgeoning field of innovation, laws and regulations often come with unintended consequences. It is worth noting that the definition of AI in the EO is very broad. The definition is not limited to systems that have the capacity to “learn” or adapt to novel scenarios without following explicit instructions. The EO really covers “automated processing”: making decisions without human involvement or with limited human involvement. The EO calls for a government-wide, coordinated effort that involves dozens of initiatives and work streams to promote baseline standards for responsible AI. It also compels consistent mechanisms to assess and mitigate AI-related risk. The EO includes: enhanced security standards; red-team testing and reporting protocols; expectations around protecting Americans’ privacy, equity and safety (specifically for consumers, patients and students); and steps to prevent discrimination and biased outcomes. While promoting innovation, the EO also calls for the passage of enhanced data privacy legislation. To advance American leadership abroad, the order directs many government actions for adjusting federal procurement or bolstering national security. Notably, the EO invokes the Defense Production Act of 1950 to mobilize government agency action. That EO gives the President broad authority for compelling U.S. companies to support efforts related to national defense. Going forward, national security interests must be considered within AI risk assessments. The IAF has promoted risk-based approaches to data use in advanced analytics and AI for years. The new, forward-looking EO aligns with our long-established view: policy makers and industry leaders must develop frameworks for creating responsible innovation. Measures within the EO seek to maximize data-driven benefits from AI while minimizing harm. Industry has been put on notice. Risk assessments must precede the release of products or services that deploy AI. In light of the EO, organizations will want to develop or evolve many governance processes and systems. The new reality confirms the IAF’s findings from our analysis of recently enacted Privacy laws and rules. For example, organizations are now familiar with required privacy impact assessments, but, in the realm of AI, assessments will have to evolve and incorporate a much broader set of risks, a much broader range of stakeholders. How much impact will the EO actually have? The order acknowledges that Congress needs to enact AI legislation. Meanwhile, the EO takes a measured, “down the middle” approach to mitigating the risks of AI, while allowing potential innovations to bear fruit. The details on how to conduct an assessment will be addressed by NIST and other agencies through a transparent process that incorporates stakeholder input. Because it is an order and not a law, the EO lacks a discussion of how to govern generative AI and machine learning. Perhaps government agencies will, in future, explain AI governance expectations. What is a foreseeable next step? Likely, the incorporation of new standards (developed because of the EO) into public procurement requirements. The results may end up reflecting the already strict requirements of FISMA. The EO demonstrates that the IAF that should remain actively engaged, going forward, by advancing our work on multi-stakeholder risk assessments. For further reading, see these IAF resources: Artificial Intelligence, Ethics and Enhanced Data Stewardship Advanced Data Analytic Processing Risks Raised by Data Uses in Algorithms Multistakeholder Data Protection Risk Assessment IAF responds to the Executive Order on Safe, Secure and Trustworthy AI November 1, 2023 The IAF Team Articles and News Publications Media

Emeritus Chief Policy Innovation Officer and IAF Founder Martin Abrams Emeritus Chief Policy Innovation Officer and IAF Founder Martin Abrams is Emeritus Chief Policy Innovation Officer and founder of The Information Accountability Foundation, a non-profit whose charitable purposes are research and education. Abrams has over 40 years of experience as an information and consumer policy innovator. Abrams believes data should serve people. He is currently exploring multi-dimensional proportionality as means to drive trusted innovation, the nature of risk in risk based regulatory structures, and how to incorporate to full range of human interests into data protection, including data protection law fit for the next decade. Abrams led the Global Accountability Project, which has refined the accountability principle that is part of various data protection laws and guidance documents. The IAF is the incorporation of that dialogue. All the IAF’s work is an extension of accountability concepts, including the creation of a data taxonomy that was used in setting the bright line rules by the EU policy makers. His work on accountability has impacted privacy laws in most regions. Multi-stakeholder collaboration has been a key for Abrams in developing practical solutions to dilemmas in information policy. He has been a key player in developing such data protection key concepts as accountability, a two-phase approach to advanced analytics, and ethical assessments. Abrams’ activities are global with projects, dialogs, and seminars in Europe, the Americas, Africa, and the Pacific regions. Abrams has also provided leadership in other policy areas. He worked on multilayered privacy notices, which changed the way policymakers and organizations thought about privacy transparency. He has been involved in the development of the APEC Cross Border Privacy Rules and has also been involved with the OECD Working Party on Information Security and Privacy. He is an advisor to numerous benchmark corporate privacy programs. Before founding the IAF, Abrams was the co-founder and President of the Centre for Information Policy Leadership at Hunton & Andrews LLP, which he led for 13 years. Prior to that, he was Vice President of Information Policy at Experian and Director of Information Policy at TRW Information Systems where he designed one of the early privacy impact assessment tools. He also chaired their Consumer Advisory Council. Abrams began his consumer policy work at the Federal Reserve Bank of Cleveland where he was Assistant Vice President and Community Affairs Officer. At the Federal Reserve Bank, he drove collaboration by helping banks and the communities they serve find common ground. Martin Abrams Emeritus Chief Policy Innovation Officer and IAF Founder Martin Abrams is Emeritus Chief Policy Innovation Officer and founder of The Information Accountability Foundation, a non-profit whose charitable purposes are research and education. Abrams has over 40 years of experience as an information and consumer policy innovator. Abrams believes data should serve people. He is currently exploring multi-dimensional proportionality as means to drive trusted innovation, the nature of risk in risk based regulatory structures, and how to incorporate to full range of human interests into data protection, including data protection law fit for the next decade. Abrams led the Global Accountability Project, which has refined the accountability principle that is part of various data protection laws and guidance documents. The IAF is the incorporation of that dialogue. All the IAF’s work is an extension of accountability concepts, including the creation of a data taxonomy that was used in setting the bright line rules by the EU policy makers. His work on accountability has impacted privacy laws in most regions. Multi-stakeholder collaboration has been a key for Abrams in developing practical solutions to dilemmas in information policy. He has been a key player in developing such data protection key concepts as accountability, a two-phase approach to advanced analytics, and ethical assessments. Abrams’ activities are global with projects, dialogs, and seminars in Europe, the Americas, Africa, and the Pacific regions. Abrams has also provided leadership in other policy areas. He worked on multilayered privacy notices, which changed the way policymakers and organizations thought about privacy transparency. He has been involved in the development of the APEC Cross Border Privacy Rules and has also been involved with the OECD Working Party on Information Security and Privacy. He is an advisor to numerous benchmark corporate privacy programs. Before founding the IAF, Abrams was the co-founder and President of the Centre for Information Policy Leadership at Hunton & Andrews LLP, which he led for 13 years. Prior to that, he was Vice President of Information Policy at Experian and Director of Information Policy at TRW Information Systems where he designed one of the early privacy impact assessment tools. He also chaired their Consumer Advisory Council. Abrams began his consumer policy work at the Federal Reserve Bank of Cleveland where he was Assistant Vice President and Community Affairs Officer. At the Federal Reserve Bank, he drove collaboration by helping banks and the communities they serve find common ground.

Osler, Hoskin & Harcourt Osler, Hoskin & Harcourt

Contact Us The IAF is primarily funded by corporate contributions by companies that fully believe that data should only be processed by organizations that act in a responsible and answerable manner. Companies interested in supporting or participating please contact us using the form below. The IAF is also funded by data protection agencies and government agencies that join us in exploring a particular research topic, leading to modernized information policy approaches. If you represent a government agency and are interested in discussing a project, please reach out using the form below. All of our projects include multi-stakeholder input, so please join our community. If your organization, including academic or advocacy organizations, have an interest in our projects or learning more, the best way to know us is to be notified when we publish a blog or project report. To get notified of updates, please sign up using this form Contact us First name Last name Email* Message* Submit

Origins of Accountability: Ethical Data Stewardship Accountability Elements January 2019 Home / Publications / Download PDF

IAF Comments on Notions of Legitimate Interests Filed with the Article 29 Working Party June 2014 Home / Publications / Download PDF

2023 Quarterly Spotlight- Q1 April 2023 Home / Publications / Download PDF

Elizabeth Denham CBE In 2024, privacy and data-protection professionals across the globe are grappling with unprecedented advancements in technology. Add to that rapidly evolving risk and an onslaught of new regulations, which are sometimes misaligned. At the same time, we face increasing demands from the C-Suite to help leaders navigate a host of new digital-age challenges. It’s a lot or too much, depending on the day. And yet, there has never been a better or more interesting time to be in our profession. We sit at the intersection of technology, policy, and law. That unique vantage point lets us skillfully shape responsible business practices and, moreover, the policies and regulations that will guide innovation going forward. As the Chief Strategist of the Information Accountability Foundation, I believe we have a major opportunity that is also a weighty responsibility. Working together, we can ensure that the ability to innovate with data is not unduly stifled by well-intentioned but misguided policies or by industry failures that undermine trust and confidence in companies and technologies. I see that work as an exciting prospect. Assessments Must Expand One thing is clear: we can no longer focus exclusively on traditional privacy issues that may arise from the processing of personal data. Our assessments and investigations must expand as we described in our 2022 report on a Principled Approach to Rights and Interests Balancing https://informationaccountability.org/2022/12/a-principled-approach-to-data-protection-riskbalancing/ We must learn to evaluate a broader set of impacts, both positive and negative, to all relevant stakeholders. That includes groups of people. Think communities, societies, nations and other interests people have. Even our planet. If we are to succeed – and we will succeed – we must first forge a collective focus on evolving our roles beyond the pre-set functions of days gone by. Only when we address current challenges and bolster the governance needed will we effectively manage data in our contemporary world. Our profession needs nothing short of a modern-day Renaissance to maintain our relevance and lead global organizations through the current environment. Since joining the IAF last year, I have felt inspired by our members and uplifted by our community. The main message, heard loud and clear, is that privacy leaders are now working beyond the traditional borders of data protection. This necessary mission creep has come from increased demands for supporting data-driven companies in a highly competitive world. Today, data-governance professionals face never-before-seen levels of policy and ethical expectations. The Clamour to Meet AI Requirements When it comes to the power and risk of algorithmic tools, the future has arrived early. Predictions have fallen short. Advanced AI and machine learning capabilities expected in five years’ time are already here and thriving. Scrambling to keep up with technology, legislators have produced new laws and guidelines: the EU AI Act, an Executive Order in the US, Canada’s AIDA, new US state laws, on-line safety regulations, and coming-soon codes and conventions. These measures reflect the public’s increased level of awareness and expectation that governments will manage the public and private sectors’ newly minted, tech-enabled capabilities. Similarly, advocates, analysts, and regulators require new parameters, renewed skills for our work, and a recommitment to ambition. Privacy Leaders’ Renaissance Privacy leaders need a veritable Renaissance in how we think about roles within our organizations and what activities regulatory bodies should oversee. We must evolve out of siloed policy thinking and narrowly specialized skills sets. A massive undertaking, undoubtedly. But it’s been done before. If we managed to revive Leonardo da Vinci in our current moment, he may have found our world—poised on the brink of massive change—oddly familiar. We live in fascinating times. And just as Europe’s Renaissance saw a break from the strict theological and societal structures of the Middle Ages (more than six-hundred years ago) we must once again embrace rebirth and rediscovery. We have an imperative not only to protect but to explore. To innovate. To be as curious and progress-oriented as the scientists and artists of Europe’s 14th and 15th centuries. Such epochal descriptions sound grandiose, sure. But this is exactly what philosophers, opinion leaders, and technologists are thinking and writing about today. How does advanced AI change the status quo? Does it transform what it means to be human, when AI links with other advanced technologies in biotech, materials development, and climate science? In our own profession, what do information and data specialists need to do within and beyond our organizations? How can we ensure we have the right skills, the capacity, and the capability to make our mandates meaningful? Can we think beyond protections for individual dignity and autonomy rights to societal and global impacts? Data Professionals Have Long Worked as Cultural Translators The IAF shares an optimistic view: that answers to such questions are coming clear. We believe that our profession can make the necessary and responsive adjustments, as long as we recognize the sea change in front of us. But we do need research-backed, consensus-led guidance for the kind of wholesale cultural, structural, and practical overhaul needed today. This renaissance has already begun at leading companies the IAF studied in our 2020 Report on The Movement Towards Demonstrable Accountability. What does the future of our profession require? For starters, we need to internalize the truism that you cannot separate data and privacy from culture and society. That is to say, we need to change along with technological transformations. We need to bring creative strategy and multidimensional skills to the table—or desktop, rather. It will be important to connect and work with those who develop new technologies, strategically manage data governance, address opportunities and risks with solutions, and understand the wider economy and society in which their technologies operate. We must read broadly about policy development to move beyond our own expertise. When we do that en masse, we will create a convergence of regulatory and compliance efforts. Organizations cannot afford to have their policy people working in a disjointed way. Infrastructure that Enables Cultural Change Second, we need to implement infrastructure that will enable cultural change. Commitment needs resources to be effective. We must rethink our contemporary situation in a comprehensive way, not in a silo or as specialists. Data-protection regulators who take on direct AI oversight will need to operate in both an agile and strategic way, so that they can work beyond the boundaries of individual agencies, sectors, and jurisdictions. The IAF can help members with the policy infrastructure needed to build out truly modern organizations. To ask the difficult questions. To uncover practical solutions. Our support enables policy leaders and change makers to be fearlessly forward thinking. In this day and age—which is now a version of “tomorrow”—we need to think well beyond the relatively limited offerings of privacy notices and SCCs. Negotiating privacy statements and formalizing web forms are important actions, certainly. But without the capacity to robustly assess and defend against AI systems, your organization will struggle to meet contemporary needs. They’re a swiftly moving target. Toward Sustainable Data Policies To create truly sustainable data policies, companies must make commensurate investments when they develop AI capabilities and when they renew their strategic policy and governance functions. If these investments fall out of balance, both efforts will fail. Checking boxes on the paperwork of privacy’s yesteryear just won’t cut it anymore. We must study the magnitude of change in the present and on the horizon, then take inspiration from it. The IAF can help our members re-create their roles within organizations, giving them the strategic clearance necessary to do contemporary policy and oversight work. We support advanced assessments and interrogations of AI solutions, which then gives companies the ability to process data in a strategic and sustainable way. IAF is also well-placed to lead cross-industry discussions on how to integrate these issues into current risk assessment practices. If this blog post has become something of a manifesto, my apologies. But I must speak stridently to properly convey the urgency of this acute moment in our profession’s long history. And we can continue to take inspiration from that history, too, while we look to the future. Data professionals have long worked as cultural translators. We interpret legal text to guide operational requirements. We have been diplomats of a sort: bridging the gaps between the page and the world, between raw numbers and real people. That position has made us highly mobile, flexible, and innovative in our approach. Those traits will be needed as long as there are technologies that evolve and people who will benefit from their responsible deployment. 2024: A Renaissance for the Privacy Profession January 2024 Home / Publications / Download PDF

Referential: Singapore Model AI Governance Framework Second Edition January 2020 Home / Publications / Download PDF

The IAF supports updating the NIST Privacy Framework and encourages consistency and alignment between the Privacy Framework and the Cybersecurity Framework as described in the key focus areas. Rather than treating the PF and CSF Frameworks as standalone, they should operate as complementary elements of a larger risk management and governance whole. IAF member companies often use NIST Frameworks not only for compliance, but as part of a larger governance strategy. It only makes practical sense to align the two Frameworks. The IAF offered support for the specific topic examples intended to align the Privacy Framework and Cybersecurity Frameworks – especially at the leadership and Governance levels. Over the last few years, the IAF has developed, in conjunction with business and in multi-stakeholder sessions, a normative assessment framework for demonstrating accountability and compliance with U.S. State Privacy Laws. The IAF sees NIST making notable advances that will enable strategic data governance, and we welcome the opportunity to leverage and align our work with the evolving NIST frameworks. IAF Sees NIST Making Notable Advances in Their NIST Privacy Framework v.1.1 Concept Paper August 8, 2024 Barb Lawler Articles and News Publications Media

IAF Response to S. NTIA Consumer Privacy RFC November 2018 Home / Publications / Download PDF

Referential: Singapore PDPA Competency and Proficiency Chart February 2021 Home / Publications / Download PDF

Big Data Ethics Initiative: Contextual Assessment Worksheet for Marketing (Part D) October 2015 Home / Publications / Download PDF

Assessments in an AI World Risk/Data Protection Assessment as Required by U.S. State Privacy Laws Assessments in an AI World Requirements for US State Privacy Laws August 2024 Home / Publications / Download PDF

U.S. State Assessment Provisions v. 1.0 June 2023 Home / Publications / Download PDF

Origins of Accountability: IAF Demonstrable Accountability Report January 2020 Home / Publications / Download PDF

Executive Strategist, Policy Innovation Peter Cullen Executive Strategist, Policy Innovation Peter Cullen is the Executive Strategist for Policy Innovation at The Information Accountability Foundation. He leads the Foundation’s project on the Effective Data Protection Governance Project , which examines public policy/governance mechanisms to achieve more effective data use and protection. Cullen has over two decades of expertise in corporate governance, privacy and risk management, as well as extensive background in building sound organizational practices. During that time, he has provided strategic leadership to organizations, helping them leverage information use to achieve business value and differentiation, as well as advance their reputation and image. Cullen also currently serves as the CEO of Global Information Governance Solutions, a boutique consulting firm providing strategic advisory services to organizations. His distinguished career includes work as General Manager for Trustworthy Computing and Chief Privacy Strategist at Microsoft Corp. There, he led the development and implementation of programs that bolstered the trustworthiness of Microsoft® products, services, processes, and systems worldwide. He also led practice areas of Risk, Policy and Compliance management. In 2003, Peter was honored with the International Association of Privacy Professionals’ (IAPP) Vanguard Award for Privacy Innovation for his contributions to the privacy profession. Peter holds an MBA with distinction from the Richard Ivey School of Business at the University of Western Ontario. Peter Cullen Executive Strategist, Policy Innovation Peter Cullen is the Executive Strategist for Policy Innovation at The Information Accountability Foundation. He leads the Foundation’s project on the Effective Data Protection Governance Project , which examines public policy/governance mechanisms to achieve more effective data use and protection. Cullen has over two decades of expertise in corporate governance, privacy and risk management, as well as extensive background in building sound organizational practices. During that time, he has provided strategic leadership to organizations, helping them leverage information use to achieve business value and differentiation, as well as advance their reputation and image. Cullen also currently serves as the CEO of Global Information Governance Solutions, a boutique consulting firm providing strategic advisory services to organizations. His distinguished career includes work as General Manager for Trustworthy Computing and Chief Privacy Strategist at Microsoft Corp. There, he led the development and implementation of programs that bolstered the trustworthiness of Microsoft® products, services, processes, and systems worldwide. He also led practice areas of Risk, Policy and Compliance management. In 2003, Peter was honored with the International Association of Privacy Professionals’ (IAPP) Vanguard Award for Privacy Innovation for his contributions to the privacy profession. Peter holds an MBA with distinction from the Richard Ivey School of Business at the University of Western Ontario.

Origins of Accountability: The Essential Elements of Accountability January 2019 Home / Publications / Download PDF

2023 Quarterly Spotlight- Q4 January 2024 Home / Publications / Download PDF

The Information Accountability Foundation (IAF) is thrilled to announce Elizabeth Denham CBE will become Chief Policy Strategist replacing IAF founding Executive Director and Chief Strategist, Marty Abrams, who will move to emeritus status later this year. Liz will join IAF President Barb Lawler to lead the organization starting on September 18, 2023, reporting directly to the IAF Board. The IAF is a non-profit independent think tank whose research and education mission focuses on accountability by design and AI governance, while enabling data to serve people and society. Liz, as Chief Policy Strategist, will drive the IAF’s strategy and areas of research aligned to the IAF mission, collaborate closely with the IAF strategists, and provide thought leadership for the organization, including the approach to key IAF engagements and events. She brings over 20 years of strategic policy and regulatory experience as the former UK Information Commissioner, Canadian Federal and Provincial Commissioner roles, and delivering global perspectives on data protection, accountability, digital regulation, and data ethics. Liz will continue working as an international adviser for Baker McKenzie’s global Data and Technology Practice, a Trustee for 5Rights Foundation, the Jersey Data Protection Authority (JDPA) and serving as an IAPP Board Member. “My work and values have always been about enhancing the reputation of digital technology and its contribution to improving our lives,” said Denham “Information technology fed by data drives modern life. It is more important than ever for data to serve people, both as individuals and society. I am delighted to join a think tank where this is the mission.” “Elizabeth Denham is a progressive, global thought-leader, and the IAF team and its board could not be more pleased to have her remarkable and substantive international policy leadership to the IAF,” said Barb Lawler, IAF President. “The IAF Executive Committee and Board are excited to welcome Liz to this critical leadership role. I have personally known Liz for almost 20 years, and she represents the absolute best of our field and is one of the most strategic, innovative thinkers out there. I am also pleased that Marty will remain in an emeritus status as the IAF continues to develop balanced, innovative solutions for our most complex data protection challenges,” said Scott Taylor, IAF Board Chair. Marty Abrams founded the IAF in 2013 as the natural outgrowth of the Global Accountability Dialog, which defined the accountability principle for the 21st century. During his 35-year plus years in privacy and data protection he contributed to key concepts such as global accountability, data stewardship and data ethics, which are singular and foundational to how the information policy community approaches accountable and effective data use and protection today. “I am delighted that Liz will be leading IAF strategy,” said Abrams. “She truly believes people need the space to define themselves, and still benefit from data powering advanced analytics. Her work on children’s privacy and international transfers is a demonstration of her vision.” Elizabeth Denham, Former ICO Commissioner, Joins Information Accountability Foundation as Chief Policy Strategist July 10, 2023 The IAF Team Articles and News Publications Media