Data mining: a slippery slope. (Legal).Collectively, the world's information set grows by leaps and bounds every year. This phenomenon is driven by technology -- we are now able to capture and store information in quantities and ways never before possible -- but it is also driven by usage. Technology aside, information is now analyzed and used in ways that were not thought of even a few years ago. The purposes for this new research and mining of our data set -- medical, epidemiological, demographic, marketing and others -- allow us to draw conclusions not otherwise possible or to focus marketing or other activities to groups we would otherwise know little about. The ability to sell such information to third parties, rather than merely use it ourselves, offers another lucrative possibility. The resale of public domain information illustrates this phenomenon. For several years, there has been a thriving industry in acquiring and reselling drivers' license information and property tax records in bulk, which are obtained by private organizations from government agencies under open records laws. In an era when much personal information is captured electronically, private organizations now find that sale of privately gathered information is similarly possible. The amount and type of information is growing. Internet users Internet user n → internauta m/f Internet user Internet n → internaute m/f record, albeit unintentionally, a variety of data about themselves every time they log on, such as who they talk to, where they shop, and what their interests are. Whenever they fill out registration forms required to negotiate on the Internet, they add to the pile. Many such forms contain overt survey questions that are designed to fill in gaps about personal information rather than aid registration. The information potentially available on any person may include garden-variety data, such as name, address, and telephone number. However, much higher value information, normally considered private by its owner, may also be available, including income and financial information, medical diagnosis or treatment information, property ownership, and credit card numbers. Unfortunately for the parties collecting it, the desire to use and re-use personal information for purposes unintended by the person it concerns often runs afoul of a·foul of prep. 1. In or into collision, entanglement, or conflict with. 2. Up against; in trouble with: ran afoul of the law. the person's desires and expectations. A June 28 Gallup poll Gallup Poll Noun a sampling of the views of a representative cross section of the population, usually used to forecast voting [after G H Gallup, statistician] Gallup poll n → found that two-thirds of American respondents think the government should pass more privacy laws to control use of personal information given out over the Internet. Legally, the question regarding privacy of personal information is an area of considerable confusion and complication. The average person assumes that he or she has a general right of privacy. This is not so -- in the United States United States, officially United States of America, republic (2005 est. pop. 295,734,000), 3,539,227 sq mi (9,166,598 sq km), North America. The United States is the world's third largest country in population and the fourth largest country in area. , there is no general right of privacy. The constitution is silent on the matter, and the courts have never found a general right of privacy. Therefore, a legal right of privacy, when it exists, is a statutory creature, dependent on a legislature responding to some particular issue. The result is that, in the United States, privacy law is a hodgepodge hodge·podge n. A mixture of dissimilar ingredients; a jumble. [Alteration of Middle English hochepot, from Old French, stew; see hotchpot. of narrowly drawn rights concerning very particularized par·tic·u·lar·ize v. par·tic·u·lar·ized, par·tic·u·lar·iz·ing, par·tic·u·lar·iz·es v.tr. 1. To mention, describe, or treat individually; itemize or specify. 2. information. Worse, the pieces of information that are protected may vary from state to state. Thus, for example, it is illegal in some states for a library to release information about the book-borrowing habits of its patrons to a third party. Federal law forbids video rental stores from releasing information about their patrons' video rental habits. More seriously, there are hundreds of state and federal laws concerning personal medical information. Most are quite narrowly drawn; a statute may address a single medical condition, a single class of health care provider or a single class of patient. If it is a state law, it only protects information about the residents of a single state. Organizations in possession of such information that wish to mine it for purposes other than those for which it was provided face a maze of laws and jurisdictions. One area that has garnered much attention is Internet privacy Internet privacy consists of privacy over the media of the Internet: the ability to control what information one reveals about oneself over the Internet, and to control who can access that information. . Organizations with an Internet presence collect various information from customers, Web page visitors and others, in formats that make it very attractive for data mining. This has, however, resulted in a backlash as consumers and public advocacy groups attempt to force legal restrictions on use. The United States Congress has held hearings on the question of Internet information privacy, including a July hearing with Marc Rotenberg Marc Rotenberg is a law professor and the Executive Director of the Electronic Privacy Information Center (EPIC). He teaches at Georgetown University Law Center. He has won a number of awards, including the EFF Pioneer Award in 1997, the Norbert Wiener Award for Social and of the Electronic Privacy Information Center Electronic Privacy Information Center or EPIC is a public interest research group in Washington D.C.. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values in the , and the result has been the promise of more federal action. Unauthorized use of personal information is a hot-button issue Noun 1. hot-button issue - an issue that elicits strong emotional reactions gut issue issue - an important question that is in dispute and must be settled; "the issue could be settled by requiring public education for everyone"; "politicians never discuss with most people, particularly when the data is as sensitive as credit or medical information. Re-use may be a public relations public relations, activities and policies used to create public interest in a person, idea, product, institution, or business establishment. By its nature, public relations is devoted to serving particular interests by presenting them to the public in the most fiasco, even when it is legal. When it is not, potential risks could be quite high. The trend over recent years has been the steady enactment of more and more comprehensive privacy law in all areas, not just the Internet. For example, the United States federal government has promulgated prom·ul·gate tr.v. prom·ul·gat·ed, prom·ul·gat·ing, prom·ul·gates 1. To make known (a decree, for example) by public declaration; announce officially. See Synonyms at announce. 2. new regulations under the Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when (HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, ) prohibiting virtually all unauthorized use of personally identifiable medical information by parties who have access to it within the health care and insurance processing industries. Other jurisdictions, notably Canada and the European Union European Union (EU), name given since the ratification (Nov., 1993) of the Treaty of European Union, or Maastricht Treaty, to the European Community , have passed similarly restrictive legislation. Penalty schemes accentuate ac·cen·tu·ate tr.v. ac·cen·tu·at·ed, ac·cen·tu·at·ing, ac·cen·tu·ates 1. To stress or emphasize; intensify: the risks. Some medical information privacy laws Information privacy laws cover the protection of information on private individuals from intentional or unintentional disclosure of misuse. The European Directive on Protection of Personal Data, released on July 25, 1995 was an attempt to unify the laws on data protection within are written so that a violation occurs every time a single record is used in an unauthorized way for a single day. In such a case, even a very small fine for an individual violation could result in a large fine if thousands of records are misused for a period of weeks or months. A single misuse might violate several laws, thereby risking several penalties. In some cases, notably HIPAA regulations, violation could result in a felony conviction with its attendant risk of jail time. Obscure privacy laws are only part of the complexity, however. Internet-based companies, and companies with a heavy Internet presence, collect personal information, which is subject to an organization-created privacy policy, usually published on the Web site. Regardless of whether information is subject to a legal restriction on its use or not, publication of a privacy policy may well create its own legal obligations. Breach of it through using the information in ways contrary to the stated policy exposes the organization to possible lawsuits by disgruntled dis·grun·tle tr.v. dis·grun·tled, dis·grun·tling, dis·grun·tles To make discontented. [dis- + gruntle, to grumble (from Middle English gruntelen; see consumers or public advocacy groups. For commercial organizations, the attendant bad publicity may be equally damaging. Consider the example of E-Tours. The company offered subscribers customized Web browsing based on personal interests supplied at registration. Information gathered included profession, housing status, and income, all collected to carefully tailor Web content to the subscriber. E-Tours had a privacy policy that explicitly stated that collected information would not be made available to third parties. In need of capital, E-Tours sold some of its assets to Ask Jeeves Noun 1. Ask Jeeves - a widely used search engine accepting plain English questions or phrases or terms trademark - a formally registered symbol identifying the manufacturer or distributor of a product Inc., an Internet search engine. One asset deemed sufficiently valuable that its purchase warranted a recent press release from Ask Jeeves was the customer demographic database. The database's sale to a third party was, in the view of many, both contrary to E-Tours' own privacy policy and symptomatic of the Internet privacy issue. Responses were quick to follow, and two days later, the Electronic Privacy Information Center, a public advocacy group, filed a complaint with the Federal Trade Commission, alleging that the sale of the database contrary to E-Tours' own privacy policy was an unfair and deceptive trade practice, and is seeking to enjoin To direct, require, command, or admonish. Enjoin connotes a degree of urgency, as when a court enjoins one party in a lawsuit by ordering the person to do, or refrain from doing, something to prevent permanent loss to the other party or parties. the sale. In many ways, this transaction is a microcosm mi·cro·cosm n. A small, representative system having analogies to a larger system in constitution, configuration, or development: "He sees the auto industry as a microcosm of the U.S. of the information age. Data has become the central asset of many organizations, an asset viewed as saleable sale·a·ble adj. Variant of salable. saleable or US salable Adjective fit for selling or capable of being sold saleability or US in the same way as any other physical asset. That's good -- information has always been an important asset, it is merely the recognition that has been lagging -- but it is also problematic. Many other parties have what they view as an ownership interest in pieces of the asset and are willing to defend their interest. Nor can the whole problem be avoided by simply having a privacy policy that the user accepts by clicking `yes' on the ubiquitous privacy policy acceptance screen, agreeing to the re-sale of his or her personal information. While this may actually provide legal cover (and in some cases, such as HIPAA, that legal cover is questionable indeed), it is bound to be a disaster. The validity of the legal cover is likely to be severely -- and publicly -- tested in court, hardly a desirable outcome. Mainstream technology writers have become highly critical of what they view as uncontrolled collection and use of personal information. Stuart Alsop, writing in the July 23 issue of Fortune magazine, levels an increasingly common complaint: the ubiquitous online software registration process is merely a pretext PRETEXT. The reasons assigned to justify an act, which have only the appearance of truth, and which are without foundation; or which if true are not the true reasons for such act. Vattel, liv. 3, c. 3, 32. for the collection, and potentially improper use, of personal information about software buyers. A criticism in Fortune magazine is likely to be widely read and influential. One scenario or another prevails for a wide assortment of records. For colleges and universities, the privacy of student records is at issue; for health care operations, it is medical records; for financial institutions, it is personal financial records, and so on through the long list of industries that collect personal information about the people they serve. In each of these areas, there is a strong incentive to make information available internally by posting it on an intranet, to make it publicly available by posting it on the Internet, or to mine it in some fashion. Inevitably, there have been numerous technical, strategic, and tactical mistakes, for example: * Private information is inadvertently posted on public Web sites, available to anyone * Organizations use personal information in a way that the public views as improper * Organizations use information collected from the public or customers in ways contrary to law or stated company policies Given the volume of information now under management, the complex computer technologies used to manage it, and the complicated legal and social issues surrounding it, they are to be expected -- indeed are probably unavoidable. Nevertheless, each such mistake raises public awareness of the issue and raises the pressure to enact legislation to guard against such mistakes in the future. So what can an organization do to avoid finding itself on the wrong end of a lawsuit or newspaper expose about information privacy? First, consider expectations. Whether legally justified or not, people have expectations about what they view as proper and improper use of their personal data. Failing to meet those expectations will result in dissatisfaction and, ultimately, complaints, lawsuits, and new laws New Laws: see Las Casas, Bartolomé de. . Second, develop a privacy policy that clearly and immediately states what you intend to do with the information and what you will not do with it. Privacy policies found on Web sites and legal documents tend to be densely written, long documents. When online, the initial screen only shows a fraction of the entire document, and the user must scroll down to read the rest. In reality, few do before clicking their acceptance. It may seem like a clever legal trick to bury a blanket re-use authorization by the user in the last paragraph of such a document and to get their inadvertent authorization because they fail to read the whole thing. If, or more likely when, customers find what has been done, they will not be amused a·muse tr.v. a·mused, a·mus·ing, a·mus·es 1. To occupy in an agreeable, pleasing, or entertaining fashion. 2. . One or more of the repercussions repercussions npl → répercussions fpl repercussions npl → Auswirkungen pl previously discussed is likely. Third, follow internal policies honestly and without splitting legal hairs. Nothing will irritate consumers more than thinking someone has resorted to arcane ar·cane adj. Known or understood by only a few: arcane economic theories. See Synonyms at mysterious. [Latin arc legal machinations in order to outfox out·fox tr.v. out·foxed, out·fox·ing, out·fox·es To surpass (another) in cleverness or cunning; outsmart. outfox Verb them. Fourth, if information is being handled that is the subject of legal regulation -- including personal medical and financial information -- make very sure that there is an understanding of the laws governing it in every jurisdiction in which it is collected. The courts of any state or country can reach out a considerable distance to touch someone if that person has any sort of active presence within their borders. Do not assume that someone is immune from the legal process of any jurisdiction, merely because that person has no legal presence there. Finally, stay tuned and stay current. This is an area that is in tremendous flux. Attitudes, laws, and policies are changing rapidly, and a response that is adequate today may not be adequate next year. The stakes are too high to let things slip. John C. Montana John C. Montana (born Giancesare Montelli) (c. 1894-March 18, 1964) was a New York mobster involved in labor racketeering, political fixer and leader of the Buffalo-based Magaddino crime family. , J.D., is an Attorney and Records Management Consultant based in Landenburg, Pennsylvania. He may be reached at johnmontana@qwestinternet.net REFERENCES Alsop, Stuart. "The Monopoly Has Just Begun," Fortune. July 23, 2001. Ask Jeeves Inc. press release, listing, among other assets other assets Assets of relatively small value. For financial reporting purposes, firms frequently combine small assets into a single category rather than listing each item separately. , "A Registration System that Leverages Rich Demographic Information to Deliver Highly Specific Content." May 22, 2001. Letter of the Electronic Information Privacy Center to the Federal Trade Commission. www.epic.org/privacy/Internet/etour.html. May 25, 2001. Testimony of Marc Rotenberg, Executive Director of the Electronic Privacy Information Center, before the Committee on Commerce, Science and Transportation of the United States Senate. July 11, 2001. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion