Protecting the privacy of others
With every action you take in our wired world, whether making an Internet purchase or posting a blog, you leave a digital footprint, a record of who you are and what you’ve done. As a result, more people are learning to watch their digital steps.
But, while individuals must take precautions, protecting privacy goes beyond securing one’s own walls.
“There’s the issue of the information individuals voluntarily send out into the Internet, but then there’s the separate issue of the footprint of online government and company information,” says Michelle Chibba, director of policy for the Information and Privacy Commissioner of Ontario, Canada.
The maintenance and security of private information is a vital concern for any organization, one that is usually overseen by the Chief Privacy Officer. “Whoever has the responsibility for privacy in an organization should understand that privacy and security exist in a mutually supportive relationship,” Chibba stresses.
Fair Information Practices
While Europe and Canada have fairly comprehensive and overarching privacy legislation, the United States still remains a patchwork with no federal privacy law. But the internationally-recognized Fair Information Practices, or FIPS, as they’re also known, are built into all privacy standards, says Chibba.
“The FIPS have several key components,” she says. “First, they state that the custodian of personal information must keep that personal information secure. That can mean physical security or IT security. So that can mean locking your filing cabinet or putting up a firewall.”
Custodians must also clearly identify the purpose of the information being collected, and ensure that the use of this information is limited to the purpose for which it was collected.
“For example,” says Chibba, “hospitals collect your personal information for the purposes of your care. If a hospital were to take that information and share it for the purpose of marketing, they must have your consent, because that is a secondary purpose.”
Custodians must also prevent unauthorized parties from accessing private information, as well as ensure the integrity and accuracy of the data in their keeping.
The last components of the FIPS state that the individual from whom the information is being collected must be told what is being collected, why, and how it is being kept secure. And personal information should be retained only as long as necessary to fulfill the original purpose for which it was collected, says Chibba, adding: “It is also important to ensure that such records [including images] are securely destroyed.”
Social hackers
While more companies and governments are creating the position of Chief Privacy Officer or its equivalent to implement privacy policies, the responsibility for protecting personal information should never be left in the hands of one high-level individual, says Chibba.
All employees should understand privacy rules and be able to deal with threats to privacy including a phenomenon known as social engineering, when hackers attempt to garner personal information from individuals within an organization.
“As the security of technology gets perfected, it becomes harder for hackers to get in,” Chibba explains. “So, we’ve heard about novel approaches such as social engineering. It’s like calling up a receptionist with a few details and trying to get much more information from that individual.”
The US Identity Theft Resource Centre reports that the actions of “rogue employees”, either those who set out to access personal information or those who provide it in error, account for 36% of all data breaches.
“This is why companies should put in place what we call a ‘Culture of Privacy’ or Privacy by Design. The protection of personal information should be incorporated into the soul of the organization,” Chibba says.
Privacy education
IBM is one company taking privacy seriously – the privacy of its staff and of its customers. The privacy policy of IBM dates all the way back to the 1960s. Today, IBM has corporate privacy policies related to employee data, marketing data, development and security. Employee education is also a key component of maintaining IBM’s privacy standards.
“It’s very important to educate the workforce, because privacy is important both to them as employees and on how they must handle our clients’ information,” says Yim Chan, Chief Privacy Officer at IBM Canada.
IBM’s online privacy education module enables 400,000 employees to learn about the company’s privacy guidelines in addition to education modules focusing on security, financial integrity, its code of ethics and business guidelines. IBM even hosts an annual, worldwide Privacy Awareness Week.
“It is important for all organizations to make sure their privacy policies are up to date,” adds Chan. “While our policies related to privacy have been around for a long time, we are also constantly updating. That demonstrates to both our employees and our clients that IBM has a strong focus on protecting personal information. Everything we do is about trust.”
Indeed, privacy is no longer just a compliance issue, but a business issue, says Michelle Chibba.
“Companies must protect their reputations. If you end up losing your customers’ personal data, those customers will surely start to wonder: What are your other business practices like?”