Solve the Privacy Puzzle
Although respect for the privacy of customer information has always been a pillar of good business, few businesses felt the need to develop formal policies until they entered the world of e-commerce and Web sites. Nowadays it’s rare to visit a corporate Web site that doesn’t have a “Privacy” link to a statement describing the company’s privacy practices.
Your company’s privacy statements must be based on policies to which you are committed. This implies a considerable amount of corporate decision-making, which in turn implies a corporate strategy with respect to privacy. Such a strategy must include more than what you say about privacy; it must cover what you do, including how you handle problems.
Statement, Notice or Policy?
Principles and Requirements
When you decide what to call the statement you make about privacy on your Web site, or in company literature such as mailings to customers, one noticeable trend, pardon the pun, is to use the term “Privacy Notice.” This is in line with the Fair Information Practice Principles, a list of privacy protection best practices for businesses compiled by American, Canadian and European government agencies over the last 25 years. The first, and arguably most important, of these principles is notice. But you already knew that, right? The Fair Information Practice Principles are the ground rules of privacy, as it were, so they should be familiar territory to you and anyone else at your company who works on privacy.
Notice: You must tell people how you will use their data before you collect it, including both primary and secondary uses.
Choice: You must let people choose whether or not to supply data. You also must give them a choice about secondary uses of their data unrelated to the primary purpose for which it was collected.
Access: Data subjects have a right to see the data that you have about them, and to change it or delete it if appropriate.
Security: You have to protect the confidentiality, integrity and availability of the information, which means only allowing it to be seen, changed or used by persons who are authorized to do so.
Enforcement/Redress: You must have mechanisms in place to make sure that these principles are upheld, and to impose penalties if they are not.
Bear in mind that there is no universal legal requirement that says you must adopt or abide by these principles. Nor is there a universal legal requirement that says you are bound to post a privacy statement on the Web or provide one to your customers. However, there is a universal legal requirement in America that such notices, if posted, be accurate. That requirement comes from the Federal Trade Commission Act, and the FTC considers a privacy statement to be a “privacy promise.” As the agency’s Web site states: “Under the FTC Act, the Commission guards against unfairness and deception by enforcing companies’ privacy promises about how they collect, use and secure consumers’ personal information.”
For many companies, the most demanding requirement—the biggest obstacle to putting out a defensible privacy statement—is the very practical one of determining what personal data the company is collecting, what is being done with it and by whom. The answer is to map your data flows. Track exactly what happens to customer data, typically defined as personally identifiable information (PII), from the moment it enters the system.
Use the Web site as an example. Customers may enter PII in a form on a Web page. What happens to that data when the “Submit” button is clicked? The more complex and interactive the Web site, the more work it will take to create a complete map of the data flow. In practical terms, you might try using a large whiteboard for the project, or a large network diagram pinned on the wall. This can be a good starting point. Here are the main points that need to be documented:
* The business entity collecting the data.
* The intended use of the data.
* All potential recipients of the data.
* The nature of the data collected.
* The means by which data is collected, if not obvious (for example, passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information).
* Whether providing the requested data is required or voluntary (and the consequences of refusing to provide it).
* The steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.
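One way to check a data-flow map against the recipients a privacy notice names, given as an added example that is not part of the original article. The system names, the fields and the declared-recipient table are constructed for illustration.

```python
from collections import deque

# Constructed sample data-flow map: (source, destination, PII fields passed along).
# Every system name and field here is hypothetical.
FLOWS = [
    ("signup_form", "web_app", {"name", "email", "postal_address", "card_number"}),
    ("web_app", "crm_db", {"name", "email", "postal_address"}),
    ("web_app", "payment_processor", {"name", "card_number"}),
    ("crm_db", "email_vendor", {"name", "email"}),
    ("crm_db", "analytics_partner", {"email", "postal_address"}),
    ("email_vendor", "crm_db", {"email"}),  # bounce feedback creates a cycle
]

# Recipients the (constructed) privacy notice declares for each field.
DECLARED = {
    "name": {"web_app", "crm_db", "payment_processor", "email_vendor"},
    "email": {"web_app", "crm_db", "email_vendor"},
    "postal_address": {"web_app", "crm_db"},
    "card_number": {"web_app", "payment_processor"},
}

def recipients(flows, entry, field):
    """Every system the field can reach, following only edges that carry it."""
    seen, queue = set(), deque([entry])
    while queue:
        node = queue.popleft()
        for src, dst, fields in flows:
            if src == node and field in fields and dst not in seen and dst != entry:
                seen.add(dst)
                queue.append(dst)
    return seen

def undeclared(flows, entry, declared):
    """Map each field to the recipients that receive it but are not in the notice."""
    fields = set().union(*(f for s, _, f in flows if s == entry))
    gaps = {}
    for field in sorted(fields):
        extra = recipients(flows, entry, field) - declared.get(field, set())
        if extra:
            gaps[field] = extra
    return gaps

if __name__ == "__main__":
    for field, systems in undeclared(FLOWS, "signup_form", DECLARED).items():
        print(f"{field}: reaches {sorted(systems)} but the notice does not list them")
```

The traversal is per field, so a system counts as a recipient only if the field actually travels along every hop leading to it.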
• Respect for customer privacy has always been a priority at [Your Company].
• [Your Company] respects the privacy of customers and maintains strict customer information privacy policies.
• [Your Company] is committed to meeting customer expectations regarding the collection, control, use, transfer, storage and disclosure of personally identifiable information.
• At [Your Company], privacy means giving customers control over the collection, use and distribution of their personal information in order to build and maintain trust and loyalty.
Each of these works as a high-level statement that can be issued both publicly and internally. When issued publicly, for example in the Web site privacy statement, it constitutes, or forms part of, the preamble. When issued internally, it prefaces more detailed statements about the privacy responsibilities of managers and employees.
From Policies Down to Procedures
“AT&T has a long-standing tradition of recognizing and protecting the privacy of customers who use its telecommunications networks. The company maintains strict customer information privacy policies and uses state of the art technologies to safeguard customer information and communications from unauthorized intrusions.”
This works for all aspects of the company’s operations, as both an internal and an external statement. Now look at the natural extrapolation to address online services:
“AT&T recognizes that the growth of online services, including Internet services, has created additional privacy concerns, particularly for consumers. Online privacy concerns focus primarily on the protection of “customer identifiable” information which an individual or other customer reasonably expects to be kept private.”
“XYZ has a long-standing tradition of recognizing and protecting the privacy of customers who use its billing and customer care solutions.”
“Protecting the privacy of our customers and clients is an absolute ‘must’ at PQR. We have a long-standing tradition of recognizing and protecting the privacy of customers who utilize our services and purchase products from our firm.”
While the above are published statements of high-level privacy policies, they work just as well as the starting point of internal policy documentation. Both hint at the next level of detail that is needed. For example, XYZ will need to address privacy issues specific to users of the company’s billing solutions, as well as to users of its customer care solutions.
The Business Value
The Royal Bank of Canada, a diversified financial institution, has taken a privacy-positive stance for some time now, re-engineering its IT systems to track customer privacy preferences and ensuring that they are respected by all bank departments, affiliates and partners. Through surveys and other research, Royal Bank of Canada has determined that 7 percent of the demand for the bank’s consumer and retail business is driven by privacy. Based on the shareholder value of its consumer and retail business (about $9 billion in U.S. dollars), that 7 percent values privacy at $630 million.
These days, a 7 percent increase in shareholder value should get senior management pretty excited; but if it doesn’t, try thinking about it this way: You have to figure that failure to be privacy-positive comes at a price. One company’s 7 percent gain is another’s 7 percent loss, and that’s just if the company losing out is privacy neutral. Failure to manage privacy effectively leads to damaging privacy incidents. We have seen such incidents produce an immediate 10 percent drop in shareholder value.
Fortunately, there are some inexpensive ways of doing this. Most companies have existing channels of communication, from employee newsletters and bulletin boards, to staff meetings, e-mail and Intranet. Creative use of these channels can be very effective in producing employee awareness of the company’s commitment to privacy and the specifics of its privacy policies, including the responsibility it places on each employee. And should there come a day when your company’s commitment to privacy is challenged, a well-documented, in-house privacy awareness campaign will go a long way to proving the company was duly diligent in this increasingly important aspect of its business.
Stephen Cobb is the author of “Privacy for Business” and operates www.privacyforbusiness.com. In addition to being a certified information system security professional and adjunct professor of information assurance, he is a senior research fellow at ePrivacy Group (www.eprivacygroup.com). He can be reached at (212) 655-9392.