Information Technology and Ethics/Privacy Policies and Principles

Privacy Policies PrinciplesEdit

What is a Privacy Policy?

A policy can be thought of as a rule set forth at an organization such as a company, municipality, or even University.  These rules essentially are in place to govern the actions of employees, faculty, or students in keeping with a previously established code of conduct.  When referring to a Policy one can think of it as “...a statement imposed from the outside and must be obeyed to avoid incurring some kind of penalty…”[1]

In terms of Privacy, a policy can be a rule set forth to protect the privacy of an individual as well as the organization.  It can usually be a rule of what actions an individual can take while using a certain technology in order to sustain privacy.

What is a Privacy Principle?

A principal is a more abstract statement that usually encompasses a value of an individual or an organization.  It can be thought of as a concept that helps guide policies and rules.  In regards to ethics, a principal is what guides a person to commit either ethical or unethical actions. A Privacy Principle is a statement that encompasses how an individual or organization values privacy.  This principle can display how important privacy is for an individual's personal belief or the view of an organization's beliefs.

Appropriate Content for Policies and Principles

There are a few common aspects of all policies that make them effective, especially in a workplace or higher education environment.  A policy should always be written in simple terms in order to best be understood by the most number of people, which also means clear language must be followed.  The benefits to stakeholders or individuals affected by this are taken into account when forming a policy.  

A policy should be well balanced in which it’s not too restrictive to individuals and not too free flowing and broad.  It also has clearly defined and easy to understand steps, in this case steps to take in order to have privacy.  And one of the most important aspects is that individuals affected by a policy are able to understand it in order to follow it to the best of their ability.

Government Privacy Principles


In 1998, the Federal Trade Commission in the US codified what already were basic principles of privacy long before the mainstream explosion of the internet.  The report was called “Privacy Online: A Report to Congress”, and at the start with:

“Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the man ner in which entities collect and use personal information-their "information practices"-and the safeguards required to assure those practices are fair and provide adequate privacy protection. The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices.”[2]

In this report, the FTC set the groundwork for how it would be involved in enforcing privacy in the United States.  With that it pointed out five principles of privacy protection, which include Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, and Enforcement/Redress.


   The concept of Notice means to know or be conscious of a certain action being taken.  In terms of privacy on the web, users are put on notice to how websites view ownership, security practices, and terms of use (like the end user license agreement).  Examples of this include splash pages for user to click through that explicitly say by clicking through the user accepts the terms of use.  A common one is notifying the user that cookies are being used on the site to track their visit.

   The privacy statement of a website will also include, in more codified language, a means of providing privacy notice to users.  That FTC has deemed that some or all of the following points should be included in any privacy statement and to make sure the user is informed of what they are doing when given away personal information:

  • Identification of the entity collecting the data
  • identification of the uses to which the data will be put
  • identification of any potential recipients of the data
  • The nature of the data collected and the means by which it is collected if not obvious ( passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information)
  • Whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information, and
  • The steps taken by the data collector to ensure the confidentiality, integrity and quality of the date[2]


   The main purpose of this principle is to give end users governance over the use of their own personal data.  The FTC wanted to mainly focus on the secondary use of data, or “uses beyond those necessary to complete the contemplated transaction.” [2] There are two methods that have become commonplace to deal with Choice/consent, that is either opt-in or opt-out.  Opt-in has the users explicitly allow certain use of their data.  While opt-out has the user explicitly deny the use of their data. The difference between the two is the default option, opt-in users by default allow their data to be used, while opt-out by default deny’s the use of a user's data for things outside of the initial transaction.  


   The third principle involves letting people know that a corporation has information about them and allow them to dispute the accuracy of the information.  According to the FTC, “...access must encompass timely and inexpensive access to data…”[2]  Meaning that the ability to submit changes needs to be quick and inexpensive to accomplish by the user.  The mechanism for these changes must also be simple, have a way that the corporation can verify submitted information, and be able to disseminate the corrected information to all recipients of the data.


   This principle ties in closely with the Access/Participation principle, with this one having the goal of making sure that date is accurate as well as secure.  This principle puts the onus on the data collectors by making them take appropriate steps. Things such as providing consumers appropriate access to data, using data sources that are reputable, investigating where that data is coming from, and relevant technical measure to protect the data once it is in their hands. Some technical measures included by the FTC are:

  • Use of encryption in the transmission and storage of data
  • Limits on access through use of passwords
  • Data is stored on secure servers or computers that are inaccessible by modem


   The final privacy principle states that “...the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.”[2] This essentially means that in order for any of these state privacy principles to be effective, proper mechanisms must be in place to enforce them.  In the case of no enforcement or redress mechanisms, outside forces take precedent such as industry self-regulation, government legislation, and even regulatory schemes brought about through civil and criminal sanctions.


  2. a b c d e United States, Federal Trade Commission, Privacy Online: A Report to Congress, 1998, p.7-10