Q&A About 3PT - InformationWeek

Q&A About 3PT

3PT is a framework approach to designing privacy solutions by developing people who create policies implemented through procedures supported by technologies.

Aftab: In 15 words or less, can you explain 3PT?

Purcell: 3PT is a framework approach to designing privacy solutions by developing people who create policies implemented through procedures supported by technologies. (OK, that's 21 words, but pretty close.) Each component--people, policies, procedures, and technologies--is critical to overall success.

Aftab: What do you mean by 3PT life cycles?

Purcell: There has been a lot of consultantspeak around this, including the idea that this work will be continuous, more like a journey than a destination. It is often expressed with 'endless circle' descriptions that show processes that go round and round. These are appropriate analogies. In fact, most business-management practices are subject to these same analogies; privacy and security are merely the newest practices to which they are being applied.

Aftab: You talk about defining privacy and creating a privacy vocabulary. Is that because privacy is a new concept in a business environment?

Purcell: Privacy is such a recent value that we have not yet clarified our language and definitions for what we mean by privacy. The vocabulary life cycle is fundamental, creating a language (taxonomy) and use (syntax) in information systems. A defined language helps people and systems achieve desired outcomes and supports needed processes and technologies.

We have seen several examples of confusion over the opt-in/opt-out models for individual choice. The language has been so twisted that the systems people who receive the data can't figure out what the person wants. A company might ask, "If you don't want us to contact you, please uncheck the box," which is opt-out choice. The resulting value would be "True, I don't want you to contact me." A different division in the same company might ask, "If you want us to contact you, please check the box," an opt-in choice. The result would be "True, I want you to contact me." It's easy to see how confusing this can get on the back end.

Aftab: As a privacy lawyer and consultant to larger companies, I see that many businesses start with a privacy policy they find on the Web somewhere and try to squeeze their practices into it.

Purcell: I've seen that, too, and usually with disastrous results. The policies life cycle is really important once the language issues have been worked out. Policies determine direction for the company in developing products, services, customer interfaces, and metrics for success. Some companies base their policies on a specific principle, like customer control over personal information. Whatever the principle, a set of corporate policies has to be clearly defined, documented, and communicated. They need to be created from the inside out, not from someone else's policies, because each company handles data in unique ways.

Aftab: One of the biggest challenges I hear from clients and people I talk with is trying to figure out what the company is already doing--what it's collecting and how. Big companies are crazed over trying to figure out what each division and subsidiary is doing, and smaller companies often don't even track what they're doing. Is there anything new in this area?

Purcell: This is the data life cycle, which is pretty straightforward and well-known. It includes information collection, storage, use, transfer, and disposal. Although it is a well-known life cycle, it is amazing how few companies have actually thoroughly documented their data life cycle. The disposal phase is of particular importance, and often forgotten, as evidenced by the stories of personal information being found in dumpsters, recycling containers, and discarded hard drives.

The activities life cycle takes into account what businesses and people actually do with information, including marketing, research, services, communications, and other uses. Depending on the activity, the amount of privacy protection, security precaution, information richness, and transparent processing all vary. For example, medical research requires many decisions around identity data, secure storage, data depth, and known rules.
