When IBM announced last week that it will not use genetic information in employment decisions, acclaim followed. IBM was lauded by privacy advocates, ethicists and its own employees. IBM chief privacy officer Harriet Pearson, who led the effort, got to peek at several e-mails from a few of IBM's 300,000 employees to CEO Sam Palmisano that recounted, she said, excruciatingly personal examples of why such a policy was a Good. Something about the announcement made it feel like a landmark.
That's not an accident. Pearson said in a podcast interview with CSO magazine that genetic data and its privacy implications are just starting to resonate with the public and that was one of the motivating factors for her to develop a policy. "We always scan the environment," she says. "We thought the time was right in terms of where the market is moving and where science is moving."
The key word there is market. So many privacy policies are post-incident, market-outrage driven (think HIPAA). This one was proactive, market driven. Pearson had recognized through one of IBM's own markets, the genetics industry, that the potential for genomics was matched only by a potential for privacy nightmares. "We have industry expertise that we brought to bear," she says.
But also, a few minor nightmares had already come to light, like the $2.2 million settlement between the Burlington Northern and Santa Fe Railway Company and the US Equal Opportunity Commission. According to a New York Times story, BN had attempted to use blood samples without employee consent to get genetic data to prove employee injuries were not caused by work by but rare genetic conditions. The railway denied wrongdoing but agreed not to use genetic tests in the future.
Pearson had also heard a smattering-certainly not a chorus-of concerns voiced through IBM's work on the National Genographic Project with National Geographic. So, the time was right for Pearson to develop a policy and she looked around. What she found was a terribly uneven policy landscape. For example, there is no national law on the use of personal genetic data (one law is in the works), but 30 states have some form of local regulation. Those local laws vary widely. Internationally, some countries have policies while others don't-perhaps not because those without don't care but rather because genetic privacy is assumed. Anyway, it's not clear.
So she decided to simply go ahead and develop what seemed like a smart policy for IBM, and IBM only. "This is policy as it applies to ourselves," Pearson says, showing a marked ambivalence to whether other companies follow her lead, and "we're not involved in lobbying or legislation."
So what was this groundbreaking, landmark policy? Essentially, the sum total of what Pearson did was to take IBM's existing equal opportunity and diversity policies, which say the company won't discriminate based on age, gender, religious preference and so forth, and add the word genetics to it.
We mention this not to belittle the effort. It was an important and prescient decision on Pearson's and IBM's part to establish such a policy even before federal law exists. Rather, we mention it to show how, sometimes, doing the right thing is deceptively easy. How profound change can come with a single word.
So far, the response has been overwhelmingly positive. Academics have praised Pearson and IBM. The Genetic Alliance, a genetic non-discrimination and privacy lobbying group, supported the announcement. Pearson says other CPOs have shown "curiosity." Overall, she is "very gratified" by the response.
"What you are and can't change about yourself, no one should be able to use against you," Pearson says. "Genetics is in some ways the most personal thing about us."
So often with privacy, the only available reporting comes from the wreckage of a privacy-invasive incident or the spectre of a new technology that will flout privacy for someone else's gain.
In this sense, Harriet Pearson's story is the rarest of breeds: Good news about privacy.