Protecting PRIVACY.

Author: DUFF, WENDY M.
Position: Brief Article

AT THE CORE

THIS ARTICLE EXAMINES:

* the role of information professionals in privacy protection

* privacy legislation

* a privacy audit

In the May 1999 issue of The Economist bearing the cover title "The End of Privacy," the author of the lead article argues that the benefits of the new information economy, such as safer streets and better services and products, more than offset the costs of loss of personal privacy. However, the article also documents a growing concern about protection of personal information. This concern will only intensify as controlling the mounting volume of personal information available to third parties becomes more difficult. Further, the editor of The Economist argues that one would have to go to extreme lengths today to preserve a level of anonymity common just 20 years ago. In fact, personal privacy may become one of the most endangered resources of the 21st century.

One means for helping to preserve the privacy of personal information is a privacy audit. Privacy audits are one way to monitor and influence the level of privacy protection maintained by organizations, governments, or systems. Reports by privacy auditors can assure individuals that organizations adhere to privacy standards and that those organizations that pledge to protect privacy actually do so. A records and information professional can play a key role in the privacy audit because privacy protection requires that organizations adopt recordkeeping and disclosure practices consistent with their own policies and legal requirements that affect them.

A new perspective on privacy protection focuses on (1) the roles of information professionals and auditors and (2) how they can collaborate to strengthen privacy. Broader organizational controls for protecting privacy, notably the roles of privacy commissioners and organizational privacy policies, are also addressed in the following sections.

Privacy Defined and Legislative Framework

The right to privacy is a fundamental right that should be guaranteed to all individuals. Privacy has been defined as "the claims of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about themselves is communicated to others" (Westin 1967). The loss of privacy, according to a Yale Law Journal article, is the "extent to which we are known to others; the extent to which we are the subject of others' attention; and the extent to which others have physical access to us" (Gavison 1980). Even more simply stated, privacy is the "right to be left alone" (MacNeil 1992). Individuals differ as to the types of information they want to protect, because ultimately privacy is personal and subjective.

During the last 20 years, society has increasingly focused attention on issues surrounding privacy. This trend seems to be a reaction to the dramatic decline in privacy as documented in The Economist article. These concerns arise over the quantity of information known about a person and the technological advances in accessing it via computerization, telecommunications, and monitoring. Citizens have voiced special concern over the government's use of information and, in particular, its ability to use computers to link or match data about individuals from multiple sources. This issue of privacy is one of the most important and complex ethical issues facing society today.

Many governments have passed data protection legislation to prevent misuse of personal information by government. The underlying principle of this legislation is that information that citizens must disclose to government should be protected -- not used for purposes other than that for which it is collected -- and not improperly disclosed to others. In Canada, for example, the federal government and some provincial governments have passed privacy legislation to protect citizens against the misuse of personal information collected by the government. In the United States, the Privacy Act of 1974 protects personal information captured in records held by government agencies. Some equivalent statutes have been passed at the state level as well. In Australia, the principal federal statute, the Privacy Act of 1988, contains 11 Information Privacy Principles that apply to the records of federal government agencies. Australian states also have privacy laws that apply to government records.

Of course, issues of protecting personal information extend beyond personal information collected and maintained by government institutions. Efforts have been made in some jurisdictions to address the protection of personal information collected and maintained by private sector organizations. In Europe, for example, control of information by the private sector is regulated by the Organization for Economic Cooperation and Development's (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Organization for Economic Cooperation and Development 1981) and the Council of the European Union's (EU) Convention for the Protection of Individuals with Regard to the Processing of Personal Data (Council of the European Union 1981). In addition to these instruments, the European Union has also enacted the Data Protection Directive that attempts to harmonize data protection laws throughout the EU. The Directive requires EU members to enact complementary legislation and "imposes an obligation on member states to ensure that the personal information relating to European citizens is covered by law when it is exported to, and processed in, countries outside Europe" (Electronic Privacy Information Center and Privacy International 2000).

In Canada, comprehensive privacy protection legislation for the private sector may be forthcoming. The Canadian federal government has introduced the Personal Information Protection and Electronic Documents Act. This legislation would extend privacy legislation to segments of the federally regulated private sector and, potentially, segments of the provincially regulated private sector as well. This Act, Bill C-6, is modeled on the Canadian Standards Association's Model Code for the Protection of Personal Information developed in 1996 and based in large part on the OECD Guidelines. The primary objective of the Code is to assist organizations in developing and implementing policies and practices to be used when managing personal information (Canadian Standards Association 1996).

In Australia, rather than introduce federal privacy legislation that would apply to the private sector, the Prime Minister directed the Privacy Commissioner to develop voluntary codes of conduct for the private sector. In 1998, the Privacy Commissioner released these voluntary codes as National Principles. The Principles detail guidelines for the fair handling of personal information. In 1998, the federal government announced its intention to introduce "light-touch" legislation that would apply to the private sector and be based on the National Principles. Under the proposed legislation, those in the private sector will be allowed to develop their own codes for protecting the privacy of personal information, including its collection, storage, use, and disclosure. If organizations fail to develop their own codes, the legislation provides default privacy rules (Attorney General [Australia] 1999). In the meantime, some pieces of legislation protect personal information in specific industries or functions, such as telecommunications, medical research, and credit reporting.

In the United States, no privacy law applies to the private sector generally. Such federal legislation has been broadly debated, but few initiatives have moved forward into law. However, piecemeal legislation applies to specific sectors, functions, or areas of information such as financial records, educational records, telephone records, and credit reports at both the federal and state levels.

Within the context of regulatory environments, perceptions of privacy are often culturally and politically bound. As noted in an article in CA Magazine, in Europe privacy is generally viewed as a basic human right, while in the United States, privacy tends to be viewed more as an economic good that can be sold or exchanged (McKendry 1996). For example, in the United States, one individual launched a court case against a company that sold his name to another company for marketing purposes. This individual argued not that his privacy had been violated but that the company had violated his property rights by selling his name. Thus far, in Canada and Australia, privacy seems to fall somewhere in between these two extremes, although the sale of names via marketing lists remains common practice (McKendry 1996).

This discussion of privacy legislation and codes provides a context for understanding privacy audits as discussed in the balance of this article. An organization's legislative and policy environment is a key component in a privacy audit's assessment of acceptable risk.

Risk Management and Audit

Organizations face many different types of risk, and an auditor must evaluate each relevant type the organization faces. Auditors define risk as anything that will prevent the enterprise from meeting its objectives. Organizations may risk possible litigation, loss of business, and loss of reputation if they do not protect the privacy of their customers and staff. For example, if...
