Safeguarding the world's new currency; privacy requires a willingness and ability to take a different perspective on how data is and should be used. (Cover Story).
* Discusses the global business issue of privacy
* Provides seven basic steps for responding to privacy issues
* Explains current international privacy-related laws and regulations
Privacy is perhaps one of the most important issues businesses face today. Personally identifiable information has become the world's new currency. It helps companies identify new business opportunities and target new products to specific customers. It helps them operate more efficiently and test new markets.
In today's global economy, powerful computers and vast databases have become mega partners to many companies, allowing them to track and store massive amounts of information in ways undreamed of only a few years ago. Personal information is available with just a click of a button, almost instantaneously.
And in the aftermath of the tragic events that occurred in the United States on September 11, 2001, a new privacy landscape has emerged that will dramatically impact businesses of all types and sizes. The balance of privacy and security--the right to know or not know vs. the right to be safe--is likely to take on a new role of mass proportion and greater public focus.
The Bottom Line
Privacy is a bottom-line business issue. The ability to address consumers' and employees' privacy rights has become a critical factor for success in today's marketplace.
Privacy involves more than the Internet, however. It also encompasses how personal information is used, marketed, and distributed in the "brick and mortar" everyday world.
Privacy does not mean that an unscalable wall should be placed between consumers, employees, and businesses. Businesses want to know their customers. Reliable and accurate data is essential to maintaining a competitive edge and keeping customers happy. Customers, however, must be able to trust how their personal information is used.
To effectively manage the personal information of both customers and employees, companies must gain a new understanding of information flows and associated tools.
Privacy, like security, is a process. It requires a comprehensive look at the ways data moves within an organization. More importantly, it involves a willingness and ability to take a different perspective on how data is and should be used.
Each individual views privacy from his/her own unique perspective. Therefore, it has been difficult for legal scholars and privacy advocates to agree upon a single, simple definition. Dealing with the details of an individual's life is intensely personal, probably more so than anything else.
For businesses, privacy presents both a challenge and an opportunity. How can a business obtain and store the information necessary to customize its services and products without bringing on the distrust of its customers and employees? And, how can it guarantee safety to its customers, while at the same time reserving individuals' rights to privacy?
These are tough questions for today's businesses. How they respond to this dilemma is one of the fundamental challenges of the Information Age--and will shape the marketplace for years to come. The current scenario, however, also offers an opportunity for businesses--the chance to take a proactive approach to privacy issues, garnering goodwill from both customers and employees and positively differentiating themselves from the competition.
For years, businesses and governments viewed personal information as poker chips: the more they had, the better. Information was correctly perceived as a valuable commodity that could be used or sold for profit.
But times have changed. Businesses and governments now face a serious problem: Consumers are aware of how their personal information is being used, and many don't like it.
The explosion of the Internet has accelerated the importance of this issue. The Internet has not only increased businesses' access to personal information, it has made consumers more aware of how that information is used.
Numerous surveys indicate that consumers are concerned about privacy, especially online:
* 90 percent of registered voters said they find it more difficult to keep personal information confidential today. (Source: Fox News/Opinion Dynamics Poll. 7-8 June 2000.)
* 82 percent of Internet users surveyed said they are concerned about the privacy of personal information they give out on the Internet, as well as the privacy of what they do on the Internet. Of these, 53 percent are "very concerned," and 29 percent are "somewhat concerned." (Source: Gallup Poll. The Gallup Organization-Princeton, www.gallup.com. September 2000.)
* Ninety-two percent of respondents from Internet-active households stated that they do not trust online companies to keep their personal information confidential. (Source: "Survey Shows Few Trust Promises on Online Privacy." The New York Times. 17 April 2000.)
* By 2002, the Internet industry faces potential losses of up to $18 billion per year, due solely to privacy concerns. (Source: Sandeep, Junnarker. "Report: Half of Net Users Mistrust Sites." CNET News.com. 17 August 1999. Citing results of study: "Overview, Proactive Online Privacy: Scripting an Informed Dialogue to Allay Consumers' Fears," by Jupiter Communications Inc.)
Fair information practices are not confined to e-commerce. Employees also are concerned about their employers' collection and use of personal data. And, there is widespread anxiety about the privacy of medical records, financial records, and information on children.
On any given day, headlines of major publications decry the loss of privacy and criticize businesses for the improper use of personal information. The U.S. Congress has responded to the public outcry by scheduling hearings on privacy. Legislation is being considered that would prohibit the sale of customers' personal data during a bankruptcy proceeding. Other proposed legislation would prohibit the use of Social Security numbers. To date, hundreds of bills are pending in Congress addressing a variety of privacy concerns.
Privacy issues also are being addressed in courtrooms. In New York, Michigan, California, and Minnesota, government officials have pursued companies for breaching their stated privacy policies. In Texas and other states, litigation seeking billions of dollars in damages has been filed against companies for misuse of personal information.
Globally, businesses also face an increased level of scrutiny and financial risks related to their use of personal information. The exchange of data between companies in different countries is massive, even though controlled to some degree.
Escalation in the collection and use of personal information by businesses has resulted in a proliferation of data use laws and regulations both in the United States and around the world.
In Europe, privacy is a fundamental human right. The European Parliament passed the Data Protection Directive in 1995. This comprehensive legislation was designed, in part, to accord governmental enforcement of personal privacy rights.
Other governments have responded with similar and, in some cases, even more drastic privacy regulations. Canada's federal privacy law, which became effective January 1, 2002, extends privacy protection to all personal data regardless of when the data was collected. Companies doing business in Canada must now review how they handle personal data already collected. Other governments passing significant privacy legislation include Singapore, Australia, Hong Kong, and Argentina.
In the United States, the controversy over the collection and use of personal information has evolved more slowly, but with no less passion. Perhaps because Americans are more accustomed to having businesses use and gather personal information, initial privacy concerns focused on the security and transmission of data rather than on the use of the data.
There are hundreds of new laws introduced each year in the United States to regulate and severely limit the collection and use of personally identifiable information. Under many of the new privacy laws, potential risks for business include the loss of data flow, costly litigation, criminal prosecution, injunctions, director and officer liability, damage to business reputation, loss of consumer confidence, and loss of market value. However, businesses must now identify, assess, and achieve compliance with these laws and regulations.
Privacy is not just about legislation and compliance. Privacy in today's fast-paced world is becoming "non-negotiable" for consumers. It is as important as the quality of merchandise, the quality of customer service, and the ability to call a toll-free number.
Companies that move quickly and voluntarily to address these privacy concerns will gain in both market share and customer loyalty. Businesses that ignore them, or fight reasonable guidelines concerning the use of personal information, will likely struggle in the marketplace and never realize the full potential of e-commerce.
Increasingly, consumers want assurance that their personal information will be protected and won't be sold or passed on to third parties without their consent. Some consumers even believe they should be compensated for sharing their personal information. As a result, companies can no longer assume they can acquire this type of information without related costs.
Companies that question how much personal information they should collect about a consumer should err on the side of collecting less. The paradigm historically has been for a business to collect all the data it can and then keep it. However, today's views suggest that companies may actually receive more business by asking for less personally identifiable information.
What to Do?
Companies that take the issue of privacy seriously will be rewarded with consumer goodwill and trust, providing an advantage over competitors that do not act accordingly.
Although details may vary across companies and industries, following are seven basic steps that will help most companies proactively respond to privacy issues:
1. Designate a Chief Privacy Officer
In a large company, the CPO typically is an executive-level individual who reports directly to the president of the board of directors. A smaller company may designate its corporate counsel or marketing director as its CPO. Regardless of the CPO's position within the company, this individual retains final responsibility for privacy-related issues. (Editor's Note: Also see article by Pemberton, page 65)
2. Obtain Internal and External Input
Good privacy practices require input from the entire company and the marketplace. Rather than impose a policy dictated by upper management, successful companies typically establish an internal privacy committee to gather suggestions and ideas from all employees. Participants in this privacy committee might include representatives from such departments as human resources, marketing, legal, records management, and information technology.
Because privacy is a specialized field, even the largest companies may not possess all the internal expertise and manpower needed to successfully address privacy issues. External input from outside legal counsel, trade associations, and/or consulting firms also can play an important role in collecting information.
3. Conduct a Data Flow Assessment
Once a company has established privacy leadership and input channels, it should conduct a data flow assessment. A thorough understanding of the company's current data management processes is critical to improving privacy performance.
A data flow assessment discovers and documents the
* types of information a company collects
* methods used to collect information
* ways a company uses information it receives
A data flow assessment also should include forecasts regarding future data needs and uses. A good assessment includes accurate information on both current and future practices.
4. Provide Data Safeguards
Some data is more sensitive than other data; therefore, it requires tighter security measures. Companies should establish flexible security strategies that provide different levels of protection, depending on data sensitivity.
Businesses also should be aware that some countries classify data differently and require greater security than does the United States. For example, Article 8 of the European Union's Directive on Data Protection prohibits data processing that reveals "racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and ... data concerning health or sex life."
5. Track Data Collection
Once a company has installed appropriate privacy policies and practices, it should document its data collection methods and the reasons those methods were selected. Such information can be helpful in resolving possible disputes that may arise by providing proof that data was collected legally and with the consent of participating individuals.
6. Create a Means for Dispute Resolution
Creating a process for handling complaints and/or disputes is important. Companies should designate an individual--often the CPO--who can serve as a single point of contact for consumer questions and complaints. This individual should have the authority to research concerns and take appropriate actions.
To reduce the number of complaints against it, a company also might consider creating ways in which a consumer can examine his/her own data, correct inaccuracies, and delete unwanted information. Such action can help consumers resolve their own problems, save company time, and foster goodwill.
7. Ensure Adherence to Policies
Follow-through is vital to a company's privacy practices. Companies must be sure they adhere to their own policies. Numerous privacy lawsuits filed by the Federal Trade Commission and state attorneys general offices have been based on failure by companies to comply with their own stated privacy policies.
To ensure that policies are followed, a company must successfully communicate its policies to employees, as well as train its staff regarding privacy policies and practices--particularly employees who collect and have access to personal information.
If a company exchanges data with a third party, that party should contractually agree to adhere to the company's privacy standards. Often companies can remove third-party data transfer concerns by simply having customers provide personal information to the third party. For example, an online company might provide a link to a third party's Web site, where consumers can provide required information directly to the third party.
Once employee education and training, as well as third-party contracts are completed, the CPO--or other responsible individual--should establish internal checks and balances to ensure ongoing compliance with privacy process.
Turning Privacy Risks into Assets
Privacy is a "top-down" and "bottom-up" issue affecting all levels of business. Managing privacy involves a wide spectrum of individuals and processes: from the collection of personal information from consumers, to the data flow through a company, to the distribution of that information to outside vendors, to possible illegal access by others through the security system.
Businesses that realize that managing privacy properly may be one of the strongest confidence-builders they possess will seize this emerging opportunity and turn privacy risks into privacy assets. They will focus on privacy issues as an extraordinary marketing tool enabling them to establish and maintain trust with customers.
Compliance is reactive, but building confidence is proactive.
Most countries prohibit data transfers to countries that do not provide "equivalent protection." However, there are some differences between the laws of various countries; therefore, it is necessary to become familiar with a particular country's data protection laws prior to initiating data transfer to or from that country. This "equivalency" approach is reflected in the Council of Europe's "Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data."
The Council of Europe's Convention
The Council of Europe's Convention is a European treaty opened for signature in 1981 and agreed to by 19 countries, including all of those in the European Union. This Convention is by far the most important Europe-wide agreement regarding the handling of personal information. It requires all signatories to establish equivalent data protection and provide common data protection safeguards.
The Convention's most important element is the requirement for data quality, a set of concepts that encompasses most of what is called fair information practices.
Data quality requires that personal information be "obtained and processed fairly and lawfully," that information be "stored for specified and legitimate purposes and not used in a way incompatible with those purposes," and that processing of data is limited to circumstances that are "adequate, relevant, and not excessive in relation to the purpose for which they are stored." Other principles provide individuals with the right to access and correct personal information, as well as remedies for violations of these rights.
The principle having the greatest impact on U.S.-European commerce is the one stating that the free flow of data between signatories cannot be impeded; however, data flow to non-signatories should not occur unless the non-signatory has an equivalent level of data protection.
The United States is not a signatory nation; therefore, it is considered to have a non-equivalent level of protection. Signatory nations are expected to have provisions that prohibit data transfers to countries that do not provide minimum standards of protection.
The EU Directive
The EU Directive on Data Protection significantly restricts European companies (and U.S. companies with European subsidiaries) from trans-border transfers of data to countries that do not have an "adequate level of protection" for personal information. Because the United States is considered to be among these, companies and some governments in the EU are restricted from transferring data to American trading partners.
The EU Directive became effective on October 25, 1998, and applies to all processing of personal information by any person or organization, both private and governmental, that is governed by the directive. The Directive is "harmonizing"--meaning it requires each EU member to implement its own equivalent legislation. If a member fails to implement laws by a certain date or passes laws deemed incomplete or incorrect, its citizens and/or data protection commissioners can look to the Directive for compliance assistance.
The Directive epitomizes the fair information practices, but also provides a highly restricted category of information--including religion, trade-union membership, and sexuality--that is subject to even greater prohibitions on processing. Although the Directive prohibits transfer of data in the absence of adequate levels of protection, there are certain exceptions. These include, for example, when an individual has given unambiguous consent to the transfer, or when the company receiving the data has given contractual assurances of adequate protection.
The Convention and the EU Directive pose a direct challenge to American companies conducting business in Europe--because they severely limit the transfer of personal data out of EU countries to the United States. After months of negotiations, the EU and the United States created a set of "safe harbor" guidelines. These guidelines became operational on November 1, 2000, and are administered through the U.S. Department of Commerce.
Safe Harbor allows American companies that have shown they satisfy the "adequate level of security protection" required by the EU Directive to transfer data on EU citizens to the United States. It also requires all EU members to recognize the Safe Harbor for a U.S. company that has been certified as compliant. And it provides provisions for EU citizens to bring claims against U.S. companies for violations.
Entering Safe Harbor is a voluntary decision. Companies that choose to do so are required to
* publicly declare their intentions
* self-certify annually to the U.S. Department of Commerce that they are in compliance
To date, 176 U.S. companies have self-certified.
Canada enacted extensive privacy legislation on a national level in 1998. This law, entitled the Personal Information Protection and Electronic Documents Act, became effective January 1, 2002, and protects all data collected by companies on Canadian citizens, regardless of when it was collected. The lack of a grandfather clause requires companies conducting business in Canada to examine their information handling procedures to ensure that all information, even that already collected, is protected from disclosure.
Canada's law implements the following 10 principles:
1. Accountability--The organization controlling data is responsible for the information and must appoint a responsible individual.
2. Identifying Purposes--The organization must identify and document the purpose for the information prior to collecting it.
3. Consent--Except where inappropriate, the organization must obtain knowledgeable consent from the individual prior to collection.
4. Limiting Collection--The organization must collect only that information which is necessary for the identified purpose.
5. Limiting Use, Disclosure, and Retention--Information may only be used for identified purposes; disclosure must be limited, except where prior consent is obtained, and data must be destroyed when no longer required.
6. Accuracy--Information must be kept as accurate as reasonably necessary.
7. Safeguards--Information collected must be guarded from loss, theft, and tampering. Organizations should consider policies that include encryption of data.
8. Openness--The organization must provide readily available information regarding its information collection policies and practices.
9. Individual Access--Individuals have a right to determine the existence, use, and disclosure of personal information about themselves. They also have a right to challenge accuracy and to require correction of inaccuracies.
10. Challenge Compliance--Individuals have a right to challenge an organization's compliance with the above principles.
The Canadian privacy law applies to all commercial activities, as defined in the trade and commerce section of the Canadian Constitution. It applies to all personal information--including information about employees--but does not apply to provincial public sectors, municipalities, or universities. The legislation acts as a floor privacy rule, and it is up to the individual Canadian provinces to create tighter laws within their jurisdiction.
Gary Clayton, J.D., is founder and Chairman of the Board of the Privacy Council, which provides consulting services and knowledge products for privacy and data protection solutions. Over the past decade, Clayton has worked closely with U.S. and global business leaders and policymakers on Internet, technology, privacy, security, and data protection issues. He may be reached at firstname.lastname@example.org.
|Publication:||Information Management Journal|
|Article Type:||Statistical Data Included|
|Date:||May 1, 2002|