Prescribing Universal Privacy Practices is Simply Unattainable

Jim Zok, Director, Identity and Privacy Assurance, CSC

The protection of personal information, particularly the accumulation of data about a person that could be used to identify and target an individual, has become a topic of increasing concern. A recent The Wall Street Journal article outlines the Obama administration’s plan to ask Congress to pass a “privacy bill of rights” to protect Americans from intrusive data gathering, amid growing concern about the tracking and targeting of Internet users.

From a governmental perspective, we have to consider what data about an individual is necessary to be gathered, stored and shared to execute the responsibilities of an agency, bureau or service. Taken into the world of commerce, it is important to understand what data is necessary to execute lines of business and to protect an enterprise from risks of doing business. From an individual’s perspective, we must consider what data we should give up in order to obtain goods, services or entitlements; and ensure that the data we provide is only to be used for purposes one clearly understand and accepts. Consumers want assurances that the accumulation of personal data involves adequate safeguards to prevent identity from being stolen or from being targeted because the information is obtained to cause harm.

In other words, this is a Pandora’s Box of “what if’s” and there is no easy answer or solution.

With these different scenarios come lots of different terms for standardizing privacy practices. They come from the many industry groups, government organizations (including legislatures), and standards bodies that have taken up the mantle to pursue answers to the questions surrounding data privacy. Generally, there are attempts to define “fair information practices” that should be followed. It is usually accompanied by some description of “privacy by design” to assert that systems should be designed with specific attention to privacy requirements as part of the up front design and not thrown in after the business models and mechanics are completed. Unfortunately, solutions in specific industries often do not translate well into other industries. Combined with legislation aimed at crafting solutions or requirements for specific industries, broad brush solutions are often very confusing or ineffective.

Similarly, use of the term “commonly accepted practices” in privacy guidance documents gives rise to a series of different interpretations across lines of business, even within individual organizations. “Choice-based” solutions is another term that makes it difficult to develop and introduce comprehensive technical and practice solutions to this series of issues within the privacy domain. It is a fair guiding principle but very difficult to prescribe.

All of these efforts are well and good, but amid all of the chatter and politicking that revolves around privacy, we cannot lose sight of the fact that there absolutely must be flexibility to deal with specific, unique situations. The simple example is that I may not give my consent to an unlimited viewing of my medical or financial records, but when I am in an extreme situation and unable to communicate for myself, I want those in a position to provide relief to have access to my personal health data that would extricate me from my predicament. From an organizational perspective, what is done during ordinary course of business may be very different in an emergency situation. Guidance must remain flexible enough to allow sound judgment for differences in particular circumstances.

It is clear that a wide variety of practices and beliefs exist, including what governments should be able to decide and regulate. Though some commonly shared principles surround the notions of privacy and privacy protection, it is the variety of business practices, defined standards and legislation in specific nations that makes prescribing universal practices simply unattainable. Legislatures and standards bodies should resist the urge to prescribe remedies and practices at too fine a level of detail and recognize that some measure of latitude to apply sound judgment or reasonableness in recognition of the nuances and context of specific circumstances is needed.

This entry was posted in News, Privacy and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s