Initiating the privacy process
In general, customer privacy should be managed as a part of an organization’s information security process and procedures. When we look at information security management, there are generally four stages:
- Protection: In this stage, the focus is on continual monitoring and maintenance of customer privacy mechanisms.
- Postincident: This stage occurs when a breach of customer privacy has happened. You should record the incident, determine the cause(s), and identify methods to remedy the current problem and methods to prevent it from happening again. You also need to determine how, when, and what you will communicate to your customers.
Tools for managing customer privacy
There are many existing sources of information and tools to help you manage your customer privacy. The following list will help you start building your own policy.
Sources for current laws and practices
There are many online sources that provide a comprehensive picture of the state of privacy issues today, as well as examples of acceptable guidelines and practices. Here are a few valuable resources:
- Privacy and Human Rights 2002: An International Survey of Privacy Laws and Developments: This report provides insights into the issues of privacy not only for the United States but also for the world as a whole.
Tools for generating privacy policies
Tools for auditing privacy practices
- Data Security and Privacy Audits Adding Value to the Organisation: This paper outlines the benefits of privacy audits to organizations. If you are trying to justify conducting a privacy audit, this provides you with a starting argument.
- Conducting a Privacy Assessment: This presentation outlines how your organization can go about completing a privacy risk assessment.
- Privacy Audit Checklist: This document provides a general checklist for conducting a privacy audit.
- High-Level Privacy Assessment Matrix: The table in Figure A provides a matrix that can be used for a high-level analysis during brainstorming sessions with personnel and in reviewing existing documentation.
Chief Privacy Officer resources
Many enterprises, spurred by security issues and customer-centric approaches, are creating a new position that fits between the business units and the IT unit—the Chief Privacy Officer (CPO), a new position for many organizations. Following are two resources that provide insights into the CPO role and responsibilities:
- The CPO Guidelines: These guidelines, developed for the Computer Professionals for Social Responsibility organization, outline the nature and detail of the role of the Chief Privacy Officer.
- The International Association of Privacy Officers: This association provides resources and education for Chief Privacy Officers.
Technologies for managing privacy policies
When reviewing available technologies for implementing privacy policies, CIOs need to consider elements for assuring fair privacy practices.
Several different frameworks have been developed by different governmental and private organizations worldwide. At the heart of each are the right of the individual to:
- Know how personal information is being used.
- Choose how the personal information will be collected and used.
- Access the information collected on him or her.
- Have data remain accurate and secure.
Popular approaches in disclosing policies
Online visitors who have P3P-compliant browsers and privacy preferences defined can be notified online automatically if a site does not meet their specific privacy requirements. To learn more about implementing this technology, check out this previous article, and visit this P3P site for more information.
Compliance tools gaining favor
In addition to online policy posting and P3P adoption, there are several different software tools on the horizon for managing privacy policies. However, it is still a new segment. The major types of compliance tools are as follows:
- Privacy ratings and privacy seals—Several different organizations provide services to rate Web sites for privacy guidelines’ adherence. You should note that each service has its own set of criteria, so your site might be rated differently through each organization. There are also privacy seal programs that you can join. With these programs, an organization joins the program and then can display a seal, which indicates that it follows the privacy guidelines of the program. The two leading privacy programs for the Internet are Truste (www.truste.com) and the Better Business Bureau (www.bbbonline.org).
- Consumer-focused compliance software—The oldest segment of software are those tools that have been developed for consumers to use. These programs are designed to address different privacy issues, including securing consumer communication, keeping personal information private by separating the person from the transactions he or she is performing, and erasing history of Internet use patterns. The Electronic Privacy Information Center keeps a comprehensive list of these types of programs.
- Proxy- and filter-based programs—These programs protect customer data by blocking access to specific customer data through Web sites. Two examples of these types of programs are iPrivacy and PrivacyRight TrustFilter system.