Information Technology and Ethics/Privacy Policies and Principles
Privacy Policies Principles
A policy can be thought of as a rule set forth by an organization such as a company, municipality, or even a university. These rules are in place to govern the actions of employees, faculty, or students in keeping with a previously established code of conduct. A policy controls how staff, teachers, or students behave in accordance with a moral code that has already been established. A policy can be thought of as “...a statement imposed from the outside and must be obeyed to avoid incurring some kind of penalty…”
What is a Privacy Principle?
Privacy principles are fundamental values or theories that define how an individual or organization views privacy. These principles help to shape and direct laws, policies, and practices that govern the handling of personal information. Privacy principles can include things like transparency, accountability, and consent, among others.
Appropriate Content for Policies and Principles
There are a few common aspects of all policies that make them effective, especially in a workplace or higher education environment. A policy should always be written in simple terms so that it can be understood by the greatest number of people, which also means using clear language. The benefits to stakeholders or individuals affected by the policy are taken into account when forming it.
A policy should be well balanced: not too restrictive to individuals, and not too free-flowing and broad. It also has clearly defined and easy-to-understand steps, in this case steps to take in order to have privacy. One of the most important aspects is that individuals affected by a policy are able to understand it in order to follow it to the best of their ability.
Government Privacy Principles
The government privacy principles vary depending on the country and its legal framework. However, in general, government privacy principles are intended to protect the personal information of citizens that is collected, used, and disclosed by government agencies.
Here are some of the common principles:
- Collection Limitation: Personal information should be collected only for a specific purpose that is related to the government agency's functions or activities.
- Data Quality: Personal information should be accurate, complete, and up-to-date.
- Purpose Specification: The purpose for which the personal information is collected should be clearly stated and understood by the individual.
- Use Limitation: Personal information should only be used for the purpose for which it was collected, except with the consent of the individual or as required by law.
- Security Measures: To safeguard personal information from unauthorized access, disclosure, or abuse, government agencies should implement adequate security measures.
- Transparency: Government agencies should be transparent about their privacy rules and procedures, making them freely accessible to the public.
- Individual Participation: Individuals should have the ability to view and amend their personal information maintained by government entities.
- Accountability: Government agencies should be held accountable for adhering to privacy rules and regulations, and they should be able to demonstrate compliance to the public.
In 1998, the Federal Trade Commission in the US codified what were already basic principles of privacy long before the mainstream explosion of the internet. The report was called “Privacy Online: A Report to Congress”, and it opens with:
“Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information-their "information practices"-and the safeguards required to assure those practices are fair and provide adequate privacy protection. The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices.”
In this report, the FTC set the groundwork for how it would be involved in enforcing privacy in the United States. With that it pointed out five principles of privacy protection, which include Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, and Enforcement/Redress.
Under Notice/Awareness, the privacy statement of a website will also include, in more codified language, a means of providing privacy notice to users. The FTC has deemed that some or all of the following points should be included in any privacy statement, to make sure users are informed of what they are doing when giving away personal information:
- Identification of the entity collecting the data
- Identification of the uses to which the data will be put
- Identification of any potential recipients of the data
- The nature of the data collected and the means by which it is collected if not obvious (passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information)
- Whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information, and
- The steps taken by the data collector to ensure the confidentiality, integrity and quality of the data
The main purpose of the Choice/Consent principle is to give end users governance over the use of their own personal data. The FTC wanted to focus mainly on the secondary use of data, or “uses beyond those necessary to complete the contemplated transaction.” Two methods have become commonplace for dealing with Choice/Consent: opt-in and opt-out. Opt-in has the users explicitly allow certain use of their data, while opt-out has the user explicitly deny the use of their data. The difference between the two is the default option: opt-in users by default allow their data to be used, while opt-out by default denies the use of a user's data for things outside of the initial transaction.
The third principle, Access/Participation, involves letting people know that a corporation has information about them and allowing them to dispute the accuracy of the information. According to the FTC, “...access must encompass timely and inexpensive access to data…” This means that submitting changes needs to be quick and inexpensive for the user. The mechanism for these changes must also be simple, have a way that the corporation can verify submitted information, and be able to disseminate the corrected information to all recipients of the data.
The Integrity/Security principle ties in closely with the Access/Participation principle, with the goal of making sure that data is accurate as well as secure. This principle puts the onus on the data collectors by making them take appropriate steps, such as providing consumers appropriate access to data, using data sources that are reputable, investigating where that data is coming from, and applying relevant technical measures to protect the data once it is in their hands. Some technical measures included by the FTC are:
- Use of encryption in the transmission and storage of data
- Limits on access through use of passwords
- Data is stored on secure servers or computers that are inaccessible by modem
The final privacy principle, Enforcement/Redress, states that “...the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.” This essentially means that in order for any of these stated privacy principles to be effective, proper mechanisms must be in place to enforce them. In the case of no enforcement or redress mechanisms, outside forces take precedence, such as industry self-regulation, government legislation, and even regulatory schemes brought about through civil and criminal sanctions.
- "FERPA | Protecting Student Privacy". studentprivacy.ed.gov. Retrieved 2023-04-24.
- "Data protection and privacy laws | Identification for Development". id4d.worldbank.org. Retrieved 2023-04-24.
- United States, Federal Trade Commission, Privacy Online: A Report to Congress, 1998, p.7-10