The Threat to Privacy and Corporate Vulnerability (Part 1 of 4)
Michael Erbschloe
Republished from Safety Issues Vol 2 Issue 18, May 2003
Volume 4 Issue 43, June 2005
Maintaining the privacy of enterprise information is a meticulous process and requires coordination across all departments and functions within an organization. It is important that everyone on the privacy management team understand the basic issues and concepts of privacy management as well as enterprise policies and procedures. An understanding of the basic issues and concepts will help managers make operational decisions about privacy during the day-to-day course of events. It also enables them to participate more fully in formulating policies and procedures.

As organizations start working on a privacy plan it is important to include a basic set of definitions along with policies and operating procedures. This will enable new managers to develop an understanding of privacy management more quickly. It will also leave fewer items open to misinterpretation by the employees responsible for managing privacy. This overview of basic issues is based on the questions that have been asked most frequently about the topic of privacy. These topics were selected as a result of several meetings and focus groups where managing privacy in an organization was discussed, among other issues. The following points provide a basic understanding of key privacy topics.
Defining Privacy is a Challenge

Unfortunately the definition of privacy is not straightforward. There are cultural, societal, political, legal, and national viewpoints as to what privacy is and what constitutes a violation of privacy. Thus it is important to establish an operational definition of privacy in an enterprise. A strong definition of privacy will help prevent inadequate interpretations of policies and procedures, as well as poor decisions regarding the privacy of information when there is no specific procedure covering a particular incident or information element.

At the most basic level the privacy of information is tied to ownership of information. Ownership of information is clear in many cases. If an enterprise, for example, creates information about its products, business strategies, or operations, that information belongs to the enterprise. The information is the property of the enterprise. Managers in the enterprise then get to determine who has the right to know that information and when and where it can be disseminated. Disseminating the information, however, is not the same as giving away ownership and the rights that are inherent in that ownership. This is where the definition of privacy becomes more complicated. It is common practice for an organization to provide another organization with proprietary information in order to facilitate a business relationship. During this process the two organizations establish a basis for the exchange of information and expectations, and requirements as to how that information can be used are agreed upon.

Individuals also have ownership of information about themselves. If, for example, an individual applies for a loan, they provide information about themselves to a bank or finance company. This is also done within the context of expectations as to how that information can be used.

There has been considerable controversy lately regarding individuals providing information about themselves to gain access to Web sites or services. Because the consumer provides the requested information, have they given up the right to expect that such information is still theirs and is private? The ultimate outcome will be highly dependent on the privacy contract between the information provider and the information user, usually put forth in the privacy policy or statement on the Web site.

There Are Many Reasons Privacy Is Important

When organizations exchange information to help facilitate business processes, the importance of privacy has been fairly well established and has become customary. An organization wants its information kept confidential to prevent the damage that may occur if the information were obtained by competitors or other parties that could use it to negatively impact the competitive position or the well-being of the company providing the information. The provider of the information has a public image to protect, and the misuse of confidential information could result in bad publicity. In the case of publicly held companies, improper dissemination of proprietary information could negatively impact stock value.

Individuals who provide information to businesses or government organizations can also be negatively impacted by the misuse of information. Such misuse may impact their job, career choices, and lifetime earnings. An individual who is gay or lesbian may choose to keep this information private in order to avoid having to deal with potential negative social or financial consequences. People who are making investment decisions, who are considering changing jobs, or who have decided to get divorced may suffer damages from the release of information related to their life or their plans.

The common thread between the privacy of proprietary corporate information and personal data provided by individuals is that the improper dissemination and use of that information can cause damage. In some cases such damage could be financial, while in other cases it could damage reputations.

Understand the Privacy Contract

Because there is a lack of universal definitions as to what constitutes the ownership of information and the privacy of information, the privacy contract is essential to establish an agreement between the information provider and the information recipient as to the use of the information exchanged. The example of a business-to-business exchange of information to facilitate business processes is done under specific conditions with agreed-upon procedures and rights to use the information. Likewise, the exchange of information between a consumer and a business needs to be governed by a similar contract that establishes rights and expectations. When information is exchanged there must be a contract between the parties that are giving and receiving information as to the scope of use of that information. It is neither reasonable nor prudent to assume that both parties share a common view of the rights to use the information. Where there is local or national law governing the use of information, the contract should of course be in compliance with such laws. Where there is a lack of specific laws, the exchange of information should be governed by a contract that both parties can understand and which binds them.

The concept of the privacy contract is exemplified in the privacy statement on a Web site. To be in compliance with the Safe Harbor principles of the European Union, an organization must inform individuals as to why information about them is collected. The privacy statement must also indicate how to contact the organization with inquiries or complaints, as well as disclose to what types of third parties the information will be disclosed. This notice must be provided to individuals in clear language at the point when individuals are first asked to provide personal information, or as soon thereafter as is practicable. In all circumstances the organization must inform individuals before it uses information for any purpose other than that for which it was originally collected, or before it discloses information to a third party.

In upcoming issues you will read: