 |
 |
|
|||||
| ||||||||||||||
| ||||||||||||||
Gary Clayton, Chairman and Founder
Abby Stewart, Assistant Director, Public Policy
Privacy Council, Inc.
The Privacy Management Process [pdf]
The debate about privacy continues as consumers increasingly engage in online commerce and the Federal government evolves towards systems of electronic information and online transactions. Organizations, both public and private, recognize that they are affected by consumers' privacy concerns. To address these concerns, organizations must implement a comprehensive privacy management process. In doing so, they can greatly benefit by meeting rising consumer expectations and by the strategic value that comes from more effective information resource management.
Organizations often perceive privacy as a difficult issue to manage because many aspects of privacy are misunderstood. Some common questions about privacy are:
Privacy and security are not the same thing. Although privacy and security both relate to how personally identifiable data is handled within an organization, they present very different management concerns. Privacy is concerned with an individual's ability to control how an organization gathers, uses and discloses personally identifiable information. Security, on the other hand, refers to how an organization protects the data during and after collection. An organization can have good security without an effective privacy strategy. However, if an organization wants an effective privacy strategy, a comprehensive and solid security program is essential.
Because the privacy debate has tracked the rapid development of online technology, organizations often mistakenly perceive privacy as a concern only for those conducting business online. While the Internet continues to raise awareness of privacy concerns because of the massive amounts of personally identifiable information that can be collected, shared and disclosed with the click of a mouse, organizations come into contact with personally identifiable data in many ways outside of the online world. Increasingly, data gathered online is merged with offline data to profile customers, employees and others. To effectively manage privacy in a responsible and appropriate manner, organizations must consider both its click-and-mortar
and brick-and-mortar
privacy practices.
In a word: No. Managing privacy involves more than simply creating and posting a privacy policy. If an organization posts a policy and then does not verify that the policy is being followed in actual practice, the privacy policy can become more of a liability than an asset. Responsibly managing privacy involves a comprehensive process of assessing an organization's data use needs, putting in place appropriate privacy practices, posting a privacy policy that reflects those practices and establishing processes that allow management to verify compliance with the stated policy.
Effectively managing personally identifiable information is critical to almost every organization. Information about current and prospective customers, as well as data about employees, is essential for business. Reliable and current information are particularly valuable. A company that builds a trust relationship with consumers and employees by actively acknowledging and respecting the privacy of personally identifiable information will be able to have individuals provide up-to-date information.
Managing privacy also assures that a company complies with relevant laws, regulations and best practices related to information privacy. Moreover, responsibly managing privacy can enhance brand recognition for a business. A study conducted in November of 2001 by Privacy and American Business found that consumers are willing to change their behavior if they feel a business has established strong and trustworthy privacy practices Ð about 1 out of 2 consumers say they will buy more frequently and in greater volume, and they will recommend that company to friends and family.
[1]
Conversely, if privacy is not well managed or is ignored, companies may risk loss of customer and employee goodwill, money wasted on avoidable privacy litigation, bad publicity and decreased stock value. The Privacy and American business study additionally reported that 83% [of consumers] say they will stop doing business entirely with a company if they hear or read that a company is using its customers' information in a way they consider to be improper.
[2]
E-government proponents have long believed that new technologies in general and the Internet in particular can be used to enhance the way that citizens interact with government. The Internet gives citizens an easily accessible way to interact and transact with government. It holds the potential to reinvigorate government institutions by initiating a new era of citizen involvement, government transparency and administrative efficiency.
Key to making e-government work, however, is public trust that the privacy of the information they share with government online will be protected. To establish that trust, government, like business, must engage in effective privacy management. If privacy is protected, the public will be more inclined to trust that the government will collect, use and share personally identifiable information in a manner consistent with sound information privacy practices.
Managing Privacy as a ProcessMean?
Managing privacy as a process means applying many of the same management processes that are used to manage other assets such as intellectual property or financial resources. It requires an understanding of the value of the information being managed, the risks associated with its management and the potential for a return on an organization's investment. Only when these factors are understood will companies and organizations bring together the people, technology and financial resources to proactively and effectively manage customer and employee privacy concerns.
When coping with privacy concerns, organizations too often suffer from the silo effect.
As stated by Gary Clayton, founder of Privacy Council, Inc. until recently, organizations managed information within individual departments and not on an enterprise-wide basis. These individualized silos seldom viewed customer or employee records comprehensively, making it almost impossible to effectively manage compliance with laws, regulations and an organization's own privacy policies and practices.
The general counsel's office may, for example, write a privacy policy that complies with legal requirements, but may not reflect what the customer service representatives, marketing executives or technical staff ultimately do with the information the organization collects. A commitment to responsibly managing privacy requires that organizational units develop integrated privacy solutions.
The commitment to handle privacy is less burdensome for an organization if managed in a methodical, step-by-step manner. Some practical steps of proper privacy management might include appointing a privacy manager to be held ultimately responsible for an organization's privacy policies and practices; conducting a benchmark assessment of an organization's current privacy policies and practices; educating and training staff about data collection practices; and conducting periodic reviews (audits) to monitor an organization for compliance with its privacy policies and practices.
Most importantly, as organizations begin to manage privacy, they should build off the four widely accepted principles of fair information practices. First, organizations need to provide consumers with notice of how their information will be collected, used, shared and disseminated. Consumers should additionally be provided with choice about how the organization uses the information it collects. Further, consumers should be given access to the information held by an organization so that changes can be made if the information is incorrect. Finally, organizations need to secure the personally identifiable information they collect to the greatest extent possible against alteration and modification by third parties.
To help organizations comprehensively and proactively manage privacy, Privacy Council created The Privacy Management Process. The process walks an organization's management through steps necessary to reach and maintain privacy compliance.
Organizations must first determine whether privacy is a priority based upon industry-specific laws and regulations and whether an organization wants to be a privacy leader or merely privacy compliant. Additionally, organizations must delegate authority and responsibility for managing privacy. Because privacy affects all levels of an organization, a senior manager should be accountable for the privacy process to ensure that decisions are made and acted upon.
An organization must inventory its internal privacy policies and practices and its external privacy environment. Internal assessments determine what information an organization collects from consumers and employees, how it is used and shared, and whether an organization currently manages information flow. Assessments also evaluate an organization's external privacy environment, including privacy initiatives undertaken by other organizations in a particular industry.
To establish how responsible privacy management will be implemented and maintained over time, a company must organize its privacy resources. It must analyze what resources will be needed from each department at what point in the management process. The organization can thus determine the major activities necessary to bring itself into privacy compliance and sets milestones for reaching compliance.
An organization must develop well-conceived and well-written privacy policies, practices and procedures. An organization's published policy is the heart of its privacy program. This is the organization's commitment to responsibly manage the personal information according to a set of principles and practices. The policies describe what an organization will do (or not do) with personal information, while the practices describe how the organization will live up to those principles. Procedures provide a set of metrics and lay an audit trail to measure and manage compliance with the published policy.
Implementing the organization's privacy plan and program requires bringing together the skills and resources from various departments such as IT, Human Resources, Marketing, Sales, Legal and Audit. Implementation should start conservatively with the understanding that there will be bumps in the road and that privacy management is a long-term initiative.
Proper governance and oversight of the privacy management process is crucial for a successful privacy initiative. This entails:
Issues that lie outside of an organization's standard practices and procedures require special handling. These may include:
Most important to effectively managing privacy for organizations is to approach it as an organization-wide enterprise, engaging every level and every department.
The most powerful benefit arising from implementation of The Privacy Management Process is accountability Ð to the individual's whose data is being used and to the organization that has invested in acquiring and using the personally identifiable information. From the organization's perspective, the interests of both the individual and the organization are important and must be managed effectively. Public trust in the private sector is at very low tide due to recent corporate scandals and the economic slow-down. Managing privacy as a process, with built-in mechanisms for audits, monitoring and maintenance has the potential to rebuild the public's trust in the corporate world by demonstrating a strong commitment to ethical behavior.
Additionally, for the federal government, the potential amounts of information that will be collected raise many privacy concerns. If the government manages privacy as a process, it can help maintain public trust in government by ensuring that the government is not intruding into individuals' privacy more than is absolutely necessary.
Finally, understanding the value and costs associated with personally identifiable information will allow businesses and organizations to more effectively make decisions regarding allocation of scarce resources to manage privacy. Too often businesses view privacy as merely a compliance
issue and a cost center. Better understanding of privacy and the potential for turning it into a core part of strategic business decisions will help management allocate sufficient resources to managing one of the most important assets any company has: personally identifiable information about customers and employees.
The importance of privacy to individuals will continue to grow as technology advances and the collection of personally identifiable information becomes easier and easier for both businesses and government agencies. Ultimately, the general public will hold organizations responsible for how they handle the information they collect, use, share and disseminate. Organizations, both public and private, should consider implementing effective internal management controls, such as The Privacy Management Process, to proactively handle privacy concerns before they become a problem.
[1] Privacy On & Off the Internet: What Consumers Want, A Privacy and American Business Survey conducted by Harris Interactive and sponsored by Ernst & Young and the American Institute of Certified Public Accountants. Fieldwork conducted 11/5/01-11/11/01 and presented 2/7/2002.
[2] Id.
[3] The Privacy Management Process is a registered trademark of The Privacy Council, Inc.
|
The Center For Democracy & Technology 1634 Eye Street NW, Suite 1100 Washington, DC 20006 (v) 202.637.9800 (f) 202.637.0968 Contact CDT Copyright © 2005 by Center for Democracy and Technology. |