Information Technology and Ethics/Privacy Policies and Principles

Privacy Policies Principles edit

What is a Privacy Policy?

A policy can be thought of as a rule set forth at an organization such as a company, municipality, or even University.  These rules essentially are in place to govern the actions of employees, faculty, or students in keeping with a previously established code of conduct. Policy controls how its staff, teachers, or students behave in accordance with a moral code that has already been established. When referring to a Policy one can think of it as “...a statement imposed from the outside and must be obeyed to avoid incurring some kind of penalty…”[1]

A privacy policy is a series of guidelines created to safeguard both individuals' and an organization's privacy. These guidelines are frequently instructions on how to maintain privacy when utilizing a particular technology.[2]

What is a Privacy Principle?

Privacy principles are fundamental values or theories that define how an individual or organization views privacy. These principles help to shape and direct laws, policies, and practices that govern the handling of personal information. Privacy principles can include things like transparency, accountability, and consent, among others.

To ensure that a privacy policy is effective, it must be communicated clearly and in plain language that is easily understood by everyone. This is particularly important in settings like the workplace or higher education, where individuals may come from diverse backgrounds and have varying levels of education and familiarity with privacy issues. Using basic terminology and avoiding technical jargon can make policies more accessible and help to ensure that everyone understands their rights and obligations. Additionally, privacy policies should be concise, well-organized, and easy to navigate, so that individuals can quickly find the information they need and make informed decisions about their personal data.[2]

Appropriate Content for Policies and Principles

There are a few common aspects of all policies that make them effective, especially in a workplace or higher education environment.  A policy should always be written in simple terms in order to best be understood by the most number of people, which also means clear language must be followed.  The benefits to stakeholders or individuals affected by this are taken into account when forming a policy.  

A policy should be well balanced in which it’s not too restrictive to individuals and not too free flowing and broad.  It also has clearly defined and easy to understand steps, in this case steps to take in order to have privacy.  And one of the most important aspects is that individuals affected by a policy are able to understand it in order to follow it to the best of their ability.

Government Privacy Principles

The government privacy principles vary depending on the country and its legal framework. However, in general, government privacy principles are intended to protect the personal information of citizens that is collected, used, and disclosed by government agencies.[3]

Here are some of the common principles:

  1. Collection Limitation: Personal information should be collected only for a specific purpose that is related to the government agency's functions or activities.
  2. Data Quality: Personal information should be accurate, complete, and up-to-date.
  3. Purpose Specification: The purpose for which the personal information is collected should be clearly stated and understood by the individual.
  4. Use Limitation: Personal information should only be used for the purpose for which it was collected, except with the consent of the individual or as required by law.
  5. Security Measures: To safeguard personal information from unauthorized access, disclosure, or abuse, government agencies should implement adequate security measures.
  6. Transparency: Government agencies should be transparent about their privacy rules and procedures, making them freely accessible to the public.
  7. Individual Participation: Individuals should have the ability to view and amend their personal information maintained by government entities.
  8. Accountability: Government agencies should be held accountable for adhering to privacy rules and regulations, and they should be able to demonstrate compliance to the public.

Below is the Privacy policy created by FTC in USA.

FTC

In 1998, the Federal Trade Commission in the US codified what already were basic principles of privacy long before the mainstream explosion of the internet.  The report was called “Privacy Online: A Report to Congress”, and at the start with:

“Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the man ner in which entities collect and use personal information-their "information practices"-and the safeguards required to assure those practices are fair and provide adequate privacy protection. The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices.”[4]

In this report, the FTC set the groundwork for how it would be involved in enforcing privacy in the United States.  With that it pointed out five principles of privacy protection, which include Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, and Enforcement/Redress.

   Notice/Awareness

   The concept of Notice means to know or be conscious of a certain action being taken.  In terms of privacy on the web, users are put on notice to how websites view ownership, security practices, and terms of use (like the end user license agreement).  Examples of this include splash pages for user to click through that explicitly say by clicking through the user accepts the terms of use.  A common one is notifying the user that cookies are being used on the site to track their visit.

   The privacy statement of a website will also include, in more codified language, a means of providing privacy notice to users.  That FTC has deemed that some or all of the following points should be included in any privacy statement and to make sure the user is informed of what they are doing when given away personal information:

  • Identification of the entity collecting the data
  • identification of the uses to which the data will be put
  • identification of any potential recipients of the data
  • The nature of the data collected and the means by which it is collected if not obvious ( passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information)
  • Whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information, and
  • The steps taken by the data collector to ensure the confidentiality, integrity and quality of the date[4]

   Choice/Consent

   The main purpose of this principle is to give end users governance over the use of their own personal data.  The FTC wanted to mainly focus on the secondary use of data, or “uses beyond those necessary to complete the contemplated transaction.” [4] There are two methods that have become commonplace to deal with Choice/consent, that is either opt-in or opt-out.  Opt-in has the users explicitly allow certain use of their data.  While opt-out has the user explicitly deny the use of their data. The difference between the two is the default option, opt-in users by default allow their data to be used, while opt-out by default deny’s the use of a user's data for things outside of the initial transaction.  

Access/Participation

   The third principle involves letting people know that a corporation has information about them and allow them to dispute the accuracy of the information.  According to the FTC, “...access must encompass timely and inexpensive access to data…”[4]  Meaning that the ability to submit changes needs to be quick and inexpensive to accomplish by the user.  The mechanism for these changes must also be simple, have a way that the corporation can verify submitted information, and be able to disseminate the corrected information to all recipients of the data.

  Integrity/Security

   This principle ties in closely with the Access/Participation principle, with this one having the goal of making sure that date is accurate as well as secure.  This principle puts the onus on the data collectors by making them take appropriate steps. Things such as providing consumers appropriate access to data, using data sources that are reputable, investigating where that data is coming from, and relevant technical measure to protect the data once it is in their hands. Some technical measures included by the FTC are:

  • Use of encryption in the transmission and storage of data
  • Limits on access through use of passwords
  • Data is stored on secure servers or computers that are inaccessible by modem

   Enforcement/Redress

   The final privacy principle states that “...the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.”[4] This essentially means that in order for any of these state privacy principles to be effective, proper mechanisms must be in place to enforce them.  In the case of no enforcement or redress mechanisms, outside forces take precedent such as industry self-regulation, government legislation, and even regulatory schemes brought about through civil and criminal sanctions.

References edit

  1. https://facilethings.com/blog/en/principles-vs-rules
  2. a b "FERPA | Protecting Student Privacy". studentprivacy.ed.gov. Retrieved 2023-04-24.
  3. "Data protection and privacy laws | Identification for Development". id4d.worldbank.org. Retrieved 2023-04-24.
  4. a b c d e United States, Federal Trade Commission, Privacy Online: A Report to Congress, 1998, p.7-10