You might ask what principles you can use to make sure you are acting in good faith with respect to the personally identifying data of your employees, customers, and partners. The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) contains 10 principles that, if modified slightly, can serve as a guide:
Accountability
Your organization is responsible for the personal information under its control and must designate someone who is accountable for complying with these principles.
Identifying purposes
Any project must specify why it is collecting personal information at or before the time it does so.
Consent
The subject’s consent is required for the collection, use, or disclosure of personal information. Exceptions should be documented.
Limiting collection
Projects may collect only the personal information that’s necessary for the purpose they’ve identified, and must collect it by fair and lawful means.
Limiting use, disclosure, and retention
Unless it has the consent of the subject, or is legally required to do otherwise, a project may use or disclose personal information only for the purposes for which it collected it, and may retain it only as long as necessary for those purposes.
Accuracy
The subject’s personal information must be accurate, complete, and up to date.
Safeguards
Security safeguards must be employed to protect personal information.
Openness
The project must make its personal information policies and practices known to the people from whom it collects information.
Individual access
Subjects must be able to access personal information about them, and be able to challenge the accuracy and completeness of it. Exceptions should be documented.
Challenging compliance
Subjects must be able to present a challenge about the project’s compliance with the privacy policy to the person that the organization has designated as accountable.
Even though these principles are not the law in the U.S., or even for most industries in Canada, they provide good guidance for how an organization can protect personally identifying information and be fair about the information it collects. If your organization departs from any of these principles, make sure it does so by choice rather than by accident, and that the risks have been thoroughly explored.
Privacy Pragmatism
The debate over RFID illustrates the great irony of privacy. As someone who’s been involved in online commerce and services for over a decade, I’ve found that while everyone cares about privacy in the abstract, they’re usually willing to trade their personal data for the most trivial of benefits. A cynic would say that this is because people don’t really understand digital identity and how their privacy can be eroded, but I think that most people make rational choices. People willingly choose to share personal data if there is a payoff that they understand.
Here’s an example: if you’ve been to a grocery store, you’re familiar with their “preferred customer” cards. The premise is simple: scan the card, get a discount. Grocery stores do this, of course, so that they can tie customer identities to purchasing habits, very valuable data for a company looking to drive sales and establish loyalty. Even the most hardened privacy warriors are likely to succumb to a large rebate offer on a TV or a computer and send in the rebate form in order to capture the savings.
While the U.S. has its share of privacy advocates, it has been slow to adopt many of the privacy safeguards that have found a home in Europe and elsewhere (the next section will explore the exceptions). The hesitancy has been partly based on free speech concerns, but often, it is because U.S. legislatures are loath to take action that will have negative impact on business development. Again, the cynic would say that business has bought off the legislative process, but from my experience, both in the private and public sectors, the reason has more to do with legislative concern about regulatory burdens making U.S. industry less competitive.
Even with the pragmatic attitudes of consumers and the business-friendly climate promoted by many legislatures, your organization should be very careful in handling the personal data of employees and customers and the private information of partners and suppliers. While it’s true that customers are usually willing to trade identity information for some benefit, they react with anger when they feel like they’ve had their identity data “stolen.” Likewise, legislatures sometimes react with ill-conceived legislation when pressed by anecdotes regarding identity theft, fraud, and misbehaving companies.
Privacy Audits
Chief Privacy Officers and others concerned with privacy in an organization worry about what they don’t know. It’s not the data you know about that will get you in trouble; it’s the data you don’t. A data map, an inventory of what identity data exists, where it lives, and who handles it, is the first step toward being able to perform privacy audits. Here are some of the privacy-related questions you might ask about the identity data in your organization:
- What kinds of identity data are you collecting?
- How is this identity data collected?
- Why was the identity data collected?
- Were special conditions on its use established at any time?
- Who is the data owner?
- Who is the custodian?
- Who uses the data, why, and how do they usually access it (e.g., remotely, via the Web, from home)?
- Where is it stored?
- Is any of the data stored on devices that are routinely transported off-site such as a laptop or PDA?
- Are there backups? If so, you need to answer these same questions about the backups.
- Are there access logs for the data?
- Where are the logs stored?
- Are the logs protected?
- What other security measures (firewalls, intrusion detection systems, and so on) are used to protect the data?
Conducting privacy audits and collecting all of this information may seem like a lot of work, but ask yourself what it means if you don’t know the answers to these questions. There’s good news and bad news. The good news is that data maps are useful for more than just privacy, so you can balance the cost and effort with other benefits. The bad news is that it’s hard to get anyone very excited about data. Applications are the stars of the IT world.
Privacy Policy Capitalism
When we view the exchange of identity information through the lens of a transaction where the customer perceives some benefit and thus parts with bits of identifying information in consideration for that benefit, privacy policies take on a new feel. Many companies view their privacy policy as something they have to do to keep their customers from being angry with them, because their industry demands it, or because someone convinced the CEO or CIO that she’d be liable if the company didn’t have one. All of these may be true statements, but they’re only ancillary to the real reason for a privacy policy: your privacy policy represents the terms of service you’re offering for whatever benefit the customer perceives.
For example, say you’re an online merchant. You collect identity information from your customers at various stages of the transaction, and the customer receives some benefit. At the most basic level, whenever a customer visits, you set a cookie in his browser so that your shopping cart works. Cookies are a way of maintaining program state across HTTP, an otherwise stateless protocol: the browser sends the cookie back with every later request to your site, so the server can tie those requests together. In addition to making the shopping cart work, you realize that you can use the cookie to recognize the customer the next time he returns and even to track his shopping habits. When the customer buys something, you collect personal information, such as his name, address, and credit card number, and can link that to the cookie as you create a customer profile.
What should this online merchant’s privacy policy say? First, tell the truth. Tell customers what data you collect, why you collect it, and what you do with it. Be specific. In this example, the merchant might say, in part:
- We use cookies. Our shopping cart will not work without them.
- When you make a purchase, your personal information is stored in our system only if you give us permission by clicking the “Save my information” box on the checkout form. When you do this, we can serve you better by automatically filling out some forms for you when you shop.
- We use cookies to track the shopping habits of our customers. This data is used to make our search tool better and to help us offer a better product selection. The shopping habits of our customers may be released to partners and suppliers in aggregate, but your individual shopping habits will be released to a third party only with your specific permission, obtained in advance.
- Advertisements appearing on our system may make use of third-party ad response tracking systems that use cookies to track ad click-through and to target those ads to specific customers.
A real privacy policy would be longer, and your lawyers will probably want to fill it with lots of other information. While it’s a good idea to involve lawyers in the process, since it’s ultimately a term sheet between you and your customers, make sure that the privacy policy is readable and understandable by your customers, or it won’t do what you need it to do: inform them, in clear language, of the terms of the bargain that you’re proposing.
If you approach your privacy policy as a term sheet, with a clear understanding of what each side is giving and getting in the relationship, you and your customers will be happier with the result.
