Privacy Questions From the Audience

I occasionally conduct privacy seminars for organizations. The goal is to introduce a range of officials to the basics of privacy. Because privacy issues cut across many traditional organization lines, it has been effective to have lawyers, marketers, public relations folks, chief information officers, HTML coders, security officials and top executives at the seminars. People leave with a detailed introduction to privacy and with some hope of being able to spot a privacy issue at the earliest possible stage.

Even when I conduct seminars at healthcare institutions, where confidentiality should be a natural element of operations, I am often surprised at the lack of privacy awareness. People tend to treat personal information in the same way as others around them do, and no one pays much attention to the fundamentals or the ultimate purpose. This is one reason change creates problems. The lack of basic understanding leaves people unable to make rational decisions in new environments. Their instincts are dull.

A few questions seem to come up at many of these seminars, and it might be useful to answer some of them here. Companies often ask whether all they need to do is post a privacy policy. Perhaps the most difficult point to make is that the need to pay attention to privacy is not extinguished once a basic policy is adopted. The reason is change. Operations that involve personal information change all the time as businesses add, subtract and modify activities. How often has your company done something different with the way that it collects, uses or discloses personal data? Have you bought another line of business lately? These changes require a review of the privacy policy to make sure it reflects the new activities.

Here is a good example. One online company did not collect home addresses from its customers. This was a good practice because the information was not needed, and the company could demonstrate its privacy sense by not collecting unnecessary data.

Eventually, the company offered a promotion that provided new customers with an item that had to be mailed to their homes. Now the company needed to collect home addresses. The old policy that said “no addresses” now needed to be changed, and the company had to make decisions about what it was going to do with addresses for some customers but not all.

Unfortunately, no one was paying attention, and the promotion started without any change in the policy. The company eventually caught on and resolved the discrepancy before any problems arose. Not keeping a policy current and not following your own policy are two things that attract government investigators and trial lawyers. Once you start a privacy policy, you have to keep it up-to-date. It is not hard, and an ounce of prevention is worth a ton of class-action suits.

A second area of inquiry is whether a single person or office can handle both privacy and security. The good thing about this question is that it reflects some understanding that privacy and security are not the same. Too many people, especially Internet users, confuse privacy and security.

The answer depends. Size and resources certainly make a difference. Small organizations may not be able to afford and may not need two offices. In general, however, I prefer to see privacy and security handled separately for two reasons. First, the skills are different. The techies who normally handle security do not always have the policy, legal or organizational skills to do a good job on privacy. It is not impossible that the same individual or group could manage both issues, but it is hard enough to find people qualified to do either job.

Second, when both issues are together, the security demands are often so great that privacy is a stepchild. At one company, the person who handles both security and privacy is overwhelmed by security demands. He is concerned about privacy, but the company is constantly moving its offices, changing computer equipment or establishing new relationships with other organizations. Security needs take up all available resources.

Another set of questions addresses international privacy concerns. Any multinational organization that does business in Europe should already pay attention to European Union data protection requirements. International problems are harder for companies that just have Internet sites that accept orders from abroad or that have more incidental contact with Europe. Of course, with the new Canadian privacy law already in effect, we can no longer limit international concern just to the European Union.

It is hard to advise firms to ignore other nations’ privacy laws when applicable. But for ones that have not really come to grips with their American privacy responsibilities, dealing with foreign laws can be too much.

The first step is to get your domestic house in order. If possible, do it with an eye to international requirements. It really is not that hard and, in any event, may save effort later.

If that is not appealing, then wait on the international side until you are ready or until the pressure mounts. International privacy enforcement is mostly invisible so far, and there are many legal questions surrounding the Internet and privacy. You can probably slide by on the international front for a while if you are willing to take the risk.