Privacy Questions From the Audience
Even when I conduct seminars at healthcare institutions, where confidentiality should be a natural element of operations, I am often surprised at the lack of privacy awareness. People tend to treat personal information in the same way as others around them do, and no one pays much attention to the fundamentals or the ultimate purpose. This is one reason change creates problems. The lack of basic understanding leaves people unable to make rational decisions in new environments. Their instincts are dull.
Here is a good example. One online company did not collect home addresses from its customers. This was a good practice because the information was not needed, and the company could demonstrate its privacy sense by not collecting unnecessary data.
Eventually, the company offered a promotion that provided new customers with an item that had to be mailed to their homes. Now the company needed to collect home addresses. The old policy that said "no addresses" now needed to be changed, and the company had to make decisions about what it was going to do with addresses for some customers but not all.
A second area of inquiry is whether a single person or office can handle both privacy and security. The good thing about this question is that it reflects some understanding that privacy and security are not the same. Too many people, especially Internet users, confuse privacy and security.
The answer depends. Size and resources certainly make a difference. Small organizations may not be able to afford and may not need two offices. In general, however, I prefer to see privacy and security handled separately for two reasons. First, the skills are different. The techies who normally handle security do not always have the policy, legal or organizational skills to do a good job on privacy. It is not impossible that the same individual or group could manage both issues, but it is hard enough to find people qualified to do either job.
Second, when both issues are together, the security demands are often so great that privacy is a stepchild. At one company, the person who handles both security and privacy is overwhelmed by security demands. He is concerned about privacy, but the company is constantly moving its offices, changing computer equipment or establishing new relationships with other organizations. Security needs take up all available resources.
Another set of questions addresses international privacy concerns. Any multinational organization that does business in Europe should already pay attention to European Union data protection requirements. International problems are harder for companies that just have Internet sites that accept orders from abroad or that have more incidental contact with Europe. Of course, with the new Canadian privacy law already in effect, we can no longer limit international concern just to the European Union.
It is hard to advise firms to ignore other nations' privacy laws where those laws apply. But for firms that have not really come to grips with their American privacy responsibilities, dealing with foreign laws can be too much.
The first step is to get your domestic house in order. If possible, do it with an eye to international requirements. It really is not that hard and, in any event, may save effort later.
If that is not appealing, then wait on the international side until you are ready or until the pressure mounts. International privacy enforcement is mostly invisible so far, and there are many legal questions surrounding the Internet and privacy. You can probably slide by on the international front for a while if you are willing to take the risk.