BOSTON (05/31/2000) - A biomedical startup working on an improved fertility test orders a hundred vials of human female blood from a fertility lab. Each vial comes labeled with the fertility analysis--and, unexpectedly, with the name of the woman who gave the blood. Essentially, it's a list of women who are trying to become pregnant, and the list includes two very high-profile names.
It's a huge violation of medical privacy, one that's the result of a simple oversight at the testing lab.
A husband-and-wife team is arrested for credit fraud. In their house, investigators find countless credit cards embossed with other people's names.
The couple is charged with identity theft and accused of charging more than $50,000 worth of merchandise to other people's accounts. No blame falls on the credit card companies that eagerly opened the fraudulent accounts without properly verifying the couple's true identity.
A computer enthusiast buys a pair of used PCs from a computer store. On the first are three years' worth of legal records from a local law firm. The second includes a family's financial records, college application essays and five years' worth of a woman's diary.
These days it's hard to pick up a newspaper and not read an article about the ways computers are being used to triangulate our lives and attack our privacy.
In January, the New York Post described how that city's police department is using subway cards as a way of tracking the movements of criminal suspects. USA Today, meanwhile, detailed DoubleClick Inc.'s decision to combine anonymous web surfing profiles with individual names and addresses--a decision that DoubleClick reversed only after tremendous public outcry.
Americans are increasingly angered by the seeming inability of business and government to respect their perceived privacy rights. Indeed, a recent BusinessWeek/Harris poll found that 57 percent of Americans believe "the government should pass laws now for how personal information can be collected and used on the internet." But as the three previous examples show, privacy snafus aren't always the result of an organization deciding to violate our privacy for fun and profit--nor are the problems confined to the internet.
Instead, many privacy violations are simply the result of careless information handling or policies.
Poor practices for handling personal information have long been a problem for American businesses and government. One of the reasons is that they have little formal guidance and few experts to whom they can turn when it comes to techniques for properly safeguarding privacy.
That's not the case in other countries, however. For example, after the Public Library of Vancouver installed 30 closed-circuit surveillance cameras to deter theft and vandalism, the privacy commissioner of British Columbia made an inspection of the premises. The commissioner then issued a report that showed how the cameras could be altered to do a better job of stopping theft while simultaneously having less impact on personal privacy--for example, by notifying the public that the cameras existed, rather than keeping their presence secret. (Details of the report can be found at www.oipcbc.org/investigations/reports/invrpt12.html.)
But unlike our counterparts in Canada, Europe, Australia and even Hong Kong, Americans lack both the legislation that would establish minimal privacy standards and a regulatory agency that could advise businesses on acceptable privacy practices. The lack of such structures is increasingly causing problems for American companies that do business abroad, thanks to the European Union's Data Protection Directive, which prohibits companies from transferring personally identifiable information from EU member countries to jurisdictions where that information is not treated with respect by law--jurisdictions such as the United States. (U.S. negotiators are working with the Europeans to find some way around the EU regulations, but no formal agreement is in place.)
Although the United States has many laws on the books that speak to the issue of privacy--one that gives Americans the legal right to see their credit records, for example, and another that prohibits video rental stores from releasing the names of the movies that you rent--the country lacks an overall scheme for dealing with the issues of data privacy. Until such legislation is drafted and passed, American businesses operate in an uncertain environment.
Like chemical factories in the 1960s that poisoned rivers but violated no laws, today many businesses would earn the public's ire if an enterprising reporter were to merely detail their handling of personal information.
So what's an upstanding corporation to do? The best way to address these questions is by consistently applying the Code of Fair Information Practices and the 1980 OECD privacy guidelines (see www.databasenation.com for more on the guidelines). Make sure that your organization collects only the personal information that is necessary to deliver your product or service--and make sure that the information is carefully protected, accessible only to those with a need to know. Provide a means for consumers to view their own files and correct incorrect information. If you intend to use customer information for research or marketing, be sure to inform your customers of this intention, and give them a way of opting out of your plans.
Another good strategy is to make someone within your organization responsible for privacy issues. Most European companies are legally required to have such an individual, but few American companies do. That person should have a mandate to analyze and change business practices, if necessary. Their position should be akin to a director of security, since security and privacy go hand in hand.
Ultimately, privacy protection is much more than simply another feel-good public relations move. One of the most valuable assets that organizations have is the trust of their customers and constituents. Being cavalier about privacy is one of the most effective ways for an organization to tell the public to buzz off and go elsewhere.
Do you think privacy matters? Let us know at email@example.com. Simson Garfinkel is the author of Database Nation: The Death of Privacy in the 21st Century (O'Reilly & Assoc., 2000).