Privacy Advice


I went to a Jesuit undergraduate institution in New England. During my time there I took a business ethics class. In the morning we read the front page of a major newspaper, and the professor, a Jesuit ethicist, expounded on various business ethics issues that were related to the paper and the stories we read. At the end of the course he imparted the best piece of privacy advice I have ever received: "Don't do anything you wouldn't want to read about on the front page of the Washington Post the next morning."

In today's environment, where we don't have clear privacy laws, that is really the best piece of advice I can give to both individuals and companies. It is important for individuals, because without specific legislation, there is a limited level of comfort that your personal information and information about your activities won't be disclosed to third parties without your consent. With respect to companies, they may very well have the right to collect personal information, disseminate it, use it for commercial purposes, change your privacy policy without notice, and sell collected personal information to the highest bidder - but just because you can do it, doesn't mean you want to confront the outcry associated with the exposé on the front page of The Washington Post. For both individuals and companies, it is good advice to step back and look at your intended activities before undertaking them. For individuals this means working under the presumption that information you disclose may be shared without your knowledge. For companies this means looking at data collection practices and understanding both the legal and ethical repercussions of sharing or marketing this information.

Once a company considers undertaking a privacy policy, it is important to make sure they are committed to implementing the policy. In the absence of a specific requirement, too many companies are eager to adopt privacy policies without ensuring that they have the internal mechanisms to enforce them. Also, all too often companies are not realistic with respect to the resources and the effort they will need to employ to make sure they can implement those privacy policies. Having an effective mechanism to implement a privacy policy involves committing time and resources. Development requires input from marketing, human resources, and legal, if not other departments. It also means ensuring that the sales teams, legal department, human resources group, Web site administrator, and others are all aware of and in compliance with these privacy guidelines. Furthermore, the company must make sure it has an ongoing mechanism to audit those various divisions. The risks of not having a privacy policy are great. But the risk of having a policy that is not implemented correctly is even greater.

In considering who should handle privacy matters, I would suggest the responsibility be shared at different levels within a company, with one person performing oversight - the CPO. The chief privacy officer should be exclusively focused on these issues. Further, the CPO should have the authority to participate in decision-making on legal, marketing, and human resource issues, because privacy intersects with each of those areas in an organization. Marketing input is important to the development and enforcement of privacy practices because information is collected, sold, and disseminated through marketing processes. The legal department should be included in this process, as well, because various contracts (either vendor contracts or contracts with third parties) may address issues related to information collected or information shared about customers. Obviously, human resources needs to be involved because a company may have sensitive personal data concerning employees, and this data may be subject to separate employment privacy laws. The choice of the people to lead corporate privacy initiatives does depend a lot on the size of the organization, but it also depends on the organization's desire to address privacy issues and its commitment to incorporate privacy considerations throughout the sales, marketing, contracting, and hiring functions. Above all, good privacy officers must spot issues and implement solutions.

For individual companies that do not have a chief privacy officer, it is very difficult, if not impossible, to stay on top of all the new developments in privacy. One good piece of advice is to focus on the issues that are specific to the company's particular industry because, in the United States, much of our privacy legislation is directed at particular industry segments. Also, privacy audits by independent third parties should be conducted on an annual basis. Take a look at your existing privacy policies and contracts, and make sure your internal mechanisms are sufficient to ensure compliance with those policies. If you can't keep up with every new rule, turn to third-party providers for advice.




The CTO Handbook. The Indispensable Technology Leadership Resource for Chief Technology Officers
The CTO Handbook/Job Manual: A Wealth of Reference Material and Thought Leadership on What Every Manager Needs to Know to Lead Their Technology Team
ISBN: 1587623676
EAN: 2147483647
Year: 2003
Pages: 213
