Privacy Expectations

Privacy is a buzzword tossed around in the news currently, leaving the public and organizations confused and unable to decide whether they are entitled to privacy. Challenges currently face businesses and governments to decide privacy entitlements when weighed on balance with national security concerns.

Free and democratic societies are characterized by full legal privacy protection extended to choices, possessions, and persons. When social expectations rise, personal rights include the right to be "let alone." This right to be let alone is an essential definition of personal privacy and has early expression in an article found in the Harvard Law Review.

The Bill of Rights guarantees, among other things, the rights of expression and association without having to answer to anyone. People have the right to privacy; that is, the right to be left alone in their lawful thoughts, activities, and expressions. Integral to collective freedom is the right to privacy and ownership regarding personal information. People are the owners of their information and only they can determine who has a legal right to see and use their property. For example, a person applying for a library card at a private institution completes a form with his name, date of birth, address, social security number, and e-mail address. Accompanying the application is a statement that states the reasons for collecting this information. This statement does not warn that the collected information is going to be sold. Applicants might expect the institution to treat their information confidentially. However, when the new library cardholder begins to receive unsolicited advertising, he soon realizes his information was sold by the library.

Governments must temper their voracious personal information needs with laws respecting individual privacy. Through individual interaction with government agencies involved with mail, taxes, property ownership, driver licensing, and pet and vehicle registration, governments at all levels are collecting vast amounts of information about their citizens. If not carefully and lawfully used, this information cannot be protected from the bias, scrutiny, and judgment of unqualified officials.

Businesses have been collecting information about their customers, using it for every imaginable purpose. At times, providers of personal information are completely oblivious to its use and dissemination. For example, in the case of customer loyalty cards offered by merchants, persons making purchases are given discounts by showing their membership cards initially obtained by providing personal information. Each time a customer wants a discount, the membership card is shown. All purchases made by that customer are attributed to the name and identification number on the discount card. The merchant sells the collected purchase and customer information to vendors who then target the individual with selected advertising, and the merchant uses the revenue to offset the customer's discount.

With this process in mind, imagine this scenario: a customer is suspected of unethical acts by her employer. Pursuant to legal action by her employer, her membership card purchases, relevant or not, are obtained and made public through legal processes, causing significant embarrassment to her and her family.

Information Ownership

Information privacy is tied to information ownership. In many cases, it is easy to identify information ownership; however, in many cases, information does not belong exclusively to the individual as ownership passes to organizations and government entities.

Information Vulnerability in the Organization

All organizations are vulnerable to threats resulting from the compromise of personal information in their custody, even institutions that think they do not have sensitive information.

Experience Note

While engaged in a practical exercise, student auditors were tasked with performing an audit on a local library in order to gain experience. One of the students, a young woman, could not see the reason for auditing public libraries because she believed they "did not have anything of value that could be exploited." Nevertheless, the instructor urged her to complete the assignment. During the audit, she discovered a spreadsheet on one of the library employee's workstations. She checked with the audit manager and the library's lawyer and determined that employees did not have a reasonable expectation to privacy on their workstations. Workstations were to be used for official use only and the spreadsheet software was not authorized. The student auditor accessed the spreadsheet program and saw an impressive list of books that had been checked out by local dignitaries. Each of the book titles dealt with subjects that, if made public, could possibly embarrass the readers and their families due to local community values. An employee was assigned to this workstation that required login before use. Checking the audit logs determined that only this particular employee had been using the workstation. The audit manager presented the results to the library director who questioned the employee. Subsequently, the employee was dismissed.

Certainly, one of the greatest vulnerabilities within an organization is the lack of understanding of the types of information the organization has collected:

• Under which circumstances and representations was the information collected?

• How is that information being used?

• To whom is that information being transmitted?

• How is that information being stored?

• Who has access, authorized or not, to that information?

Many businesses do not have an idea of how much data they collect, nor do they realize the damage that can be done when this information is lost or compromised.

Threats to Information Privacy

In essence, there are three fronts assaulting information privacy:

1. Willful or negligent misuse or theft of information

2. Unauthorized information disclosure or dissemination

3. Interaction of professionals and access to the organization's information assets

In the first case, malicious employees and outsiders target the theft of client lists, intellectual property, trade secrets, etc. In the second case, individuals who have legitimate access to information do not exercise due care and inadvertently share this information with unauthorized individuals that have malicious intentions. In the last case, professionals interested in sharing with others in solving problems can often be compromised into delivering sensitive information.

Experience Note

The question most often asked of privacy professionals is "Isn't it the job of law enforcement authorities to provide information privacy protection?" Law enforcement authorities can do very little, generally, in protecting information privacy. It is outside their legal mandate. They are actually responsible for investigating allegations and collecting evidence of unlawful acts. It is not the responsibility of law enforcement agencies to provide protection for private information, rather these obligations rest at the individual and the organization levels.