SmartAdvice: Private Is As Private Does

Keep customers' data privacy at the forefront of your company's compliance efforts, The Advisory Council says. Also, implement P3P on your Web site, and create and enforce human-resource policies that reflect your company's privacy policy.

Question A: How do we develop a Web site privacy policy that's aligned with the needs and values of our business?

Our advice: A company's privacy policy is a statement of the "value" it places in its customer relationships. Perhaps the first reflection of that is in the value it places on customers' "property"--personal information, in this case. This simple thing can help build trust that's critical to any relationship.

However, trust is a fragile commodity, and once broken it can seldom, if ever, be regained. Consequently, not only should you ascertain the proper use of customer information, but also ensure that all perceptions related to this issue are handled correctly.

Related Links

Online Privacy Alliance

Electronic Privacy Information Center

An organization's actions rather than words are a better reflection of its real intent. Most customers are intelligent enough to distinguish between politically correct lip service and sincere action. To sustain a customer's trust, a company must support its policy with concrete action. Over time, a company must embed privacy in its business processes, and establish roles and responsibilities to ensure compliance. Remember, to a customer, this is an issue that showcases the company's beliefs and core values.

One must be aware of the legal implications of abusing a consumer's privacy. Since the Freedom of Information Act of 1970, there have been many laws passed by Congress to protect the privacy of individuals, including:

  • Fair Credit Reporting Act, 1970

  • Privacy Act, 1974

  • Right to Financial Privacy Act, 1978

  • Health Insurance Portability and Accountability Act, 1996

  • Federal Internet Privacy Protection Act, 1997

  • Communications Privacy and Consumer Empowerment Act, 1997

  • Data Privacy Act, 1997

  • Children's Online Privacy Protection Act, 1998

  • Financial Services Modernization Act, 1999

Privacy Guidelines For Companies

In light of these laws, every company must take steps to ensure the privacy of visitors to its Web site. Here are some things a company can do to both comply with the law and maintain the trust of its customers.

  • Request only information that is absolutely necessary. For example, using Social Security numbers as a customer identifier is not a good idea.

  • Protect information at all times. Do you have a security strategy, processes, and infrastructure in place to prevent the theft of customer information?

  • Disseminate collected information carefully. Is the information treated on a strictly need-to-know basis, even among company employees? Is this information sold or shared with external entities?

  • Accuracy:

    • Ensure accuracy of information. Is the information correct and consistent across sources and data stores?

    • Update information regularly. Are there processes in place to periodically verify information?

  • Property:

    • Clearly establish and communicate the ownership of information. This is a gray area and must be handled with care.

    • Clearly establish and communicate the ownership of intellectual property rights.

  • Access:

    • Provide customers with access to information about themselves at no charge.

    • Clearly establish and communicate the means of information access. However, ensure that privacy is not compromised when using one of these means.

    • Provide means of updating/changing information.

    • Provide mechanisms to challenge potentially damaging information.

    • Provide equitable means of conflict resolution.

  • Notice:

    • Clearly notify consumers of policies and practices as they relate to privacy of personal information.

    • Periodically review and update these policies.

  • Consent:

    • Clearly obtain consumers' consent prior to disseminating information about them.

A company's privacy policy might not sell a product, but it sure can prevent one from being sold. Over time, negative perceptions in the marketplace can and do destroy brands.

-- Sourabh Hajela

Question B: What is P3P (Platform for Privacy Preferences), and how do we implement it on our Web site?

Our advice: P3P is an XML-based mechanism that enables a user's Web browser to retrieve and interpret your Web site privacy policy. The browser can automatically compare your privacy policy with the user's preference settings, warn the user if your policies conflict with their preferences, and restrict the use of cookies. Most Webmasters first became aware of P3P in late 2001, when Microsoft Internet Explorer version 6.0 (IE6) appeared. Because IE6 restricts the use of cookies based on a Web site's P3P policies (or lack thereof), some Web sites stopped working properly with IE6's default settings.

Related Links

Platform for Privacy Preferences Specification

Make Your Web Site P3P Compliant

IBM P3P Policy Editor

As a formal, structured specification, P3P requires you to describe your privacy policy in explicit detail. Most elements of P3P are straightforward, such as giving the legal name of your business, how to contact you off-line, and where on your Web site to find your human-readable privacy policy. The policy also should specify how disputes will be resolved. You must then identify each type of information you collect, why you collect it, who will have access to it, and how long it will be retained. This includes data that's automatically collected in server logs, such as IP addresses. You can, and should, define different policies for different areas of your Web site (e.g., informational pages versus customer order-entry).

There are a variety of tools and services--some free, some not--that you can use to construct your P3P files after you've collected your policy details. Then load the files into the specified location on your Web site, test them using the World Wide Web Consortium's P3P Validator (or another tool), and you're in business.

-- Peter Schay
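As an added illustration of the files the answer above describes (example code written for this page, not the column's, the W3C's, or any vendor's), the Python script below generates the three P3P 1.0 artifacts a site deploys: the policy-reference file that P3P-aware browsers fetch from the well-known location /w3c/p3p.xml, the full policy file it points at (a light policy for informational pages and a stricter one for order entry), and the compact-policy string carried in the HTTP P3P header, which is the form IE6 consults when deciding whether to accept a cookie. The site name, URLs, paths and data elements are constructed assumptions; the token tables follow the compact-policy encoding in the P3P 1.0 specification.

```python
# Added example: builds the three P3P 1.0 artifacts a site deploys. Site name,
# URLs and data elements are constructed; token tables follow the P3P 1.0 spec.
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

def _table(spec):  # "element=TOKEN element=TOKEN ..." -> {element: TOKEN}
    return dict(pair.split("=") for pair in spec.split())

# Full-policy element names -> compact-policy tokens (P3P 1.0, Appendix 4)
ACCESS = _table("nonident=NOI all=ALL contact-and-other=CAO ident-contact=IDC "
                "other-ident=OTI none=NON")
REMEDY = _table("correct=COR money=MON law=LAW")
PURPOSE = _table("current=CUR admin=ADM develop=DEV tailoring=TAI pseudo-analysis=PSA "
                 "pseudo-decision=PSD individual-analysis=IVA individual-decision=IVD "
                 "contact=CON historical=HIS telemarketing=TEL other-purpose=OTP")
RECIPIENT = _table("ours=OUR delivery=DEL same=SAM other-recipient=OTR unrelated=UNR public=PUB")
RETENTION = _table("no-retention=NOR stated-purpose=STP legal-requirement=LEG "
                   "business-practices=BUS indefinitely=IND")
CATEGORY = _table("physical=PHY online=ONL uniqueid=UNI purchase=PUR financial=FIN "
                  "computer=COM navigation=NAV interactive=INT demographic=DEM content=CNT "
                  "state=STA political=POL health=HEA preference=PRE location=LOC "
                  "government=GOV other-category=OTC")
REQUIRED = {"always": "", "opt-in": "i", "opt-out": "o"}  # suffix on PURPOSE tokens

# Constructed site: a light policy for informational pages and a stricter one
# for order entry (the "different policies for different areas" the answer recommends).
ENTITY = {"business.name": "Example Corp",
          "business.contact-info.online.email": "privacy@example.com"}
POLICIES = {
    "general": dict(discuri="/privacy.html", access="nonident", remedies=["correct"],
        statements=[dict(purpose=[("current", "always"), ("admin", "always"), ("develop", "always")],
                         recipient=["ours"], retention="stated-purpose",
                         data=["#dynamic.clickstream", "#dynamic.http.useragent"],
                         categories=["navigation", "computer"])]),
    "orders": dict(discuri="/privacy.html#orders", access="contact-and-other", remedies=["correct"],
        statements=[dict(purpose=[("current", "always"), ("admin", "always"), ("contact", "opt-out")],
                         recipient=["ours", "delivery"], retention="business-practices",
                         data=["#user.name", "#user.home-info.postal", "#dynamic.miscdata"],
                         categories=["physical", "online", "purchase", "financial"])]),
}
# Which policy covers which URL patterns; served from the well-known /w3c/p3p.xml
POLICY_REFS = [("/w3c/policies.xml#general", ["/*"], ["/orders/*"]),
               ("/w3c/policies.xml#orders", ["/orders/*"], [])]

def compact_policy(pol):
    """CP string for one policy: ACCESS, DSP + remedies, then each STATEMENT's tokens."""
    toks = [ACCESS[pol["access"]]]
    if pol["remedies"]:  # a DISPUTES-GROUP is present, so DSP plus its remedies
        toks += ["DSP"] + [REMEDY[r] for r in pol["remedies"]]
    for st in pol["statements"]:
        toks += [PURPOSE[p] + REQUIRED[req] for p, req in st["purpose"]]
        toks += [RECIPIENT[r] for r in st["recipient"]] + [RETENTION[st["retention"]]]
        toks += [CATEGORY[c] for c in st["categories"]]
    return " ".join(dict.fromkeys(toks))  # drop repeats, keep first-occurrence order

def p3p_header(name):
    """Value of the HTTP P3P header a cookie-setting response under this policy should carry."""
    return 'policyref="/w3c/p3p.xml", CP="%s"' % compact_policy(POLICIES[name])

def _leaf_list(parent, tag, names):  # <TAG><name1/><name2/>...</TAG>
    wrapper = ET.SubElement(parent, tag)
    for n in names:
        ET.SubElement(wrapper, n)
    return wrapper

def policy_reference_xml(refs=POLICY_REFS):
    """The /w3c/p3p.xml file: maps URL patterns to the policies that cover them."""
    meta = ET.Element("META", xmlns=P3P_NS)
    group = ET.SubElement(meta, "POLICY-REFERENCES")
    for about, includes, excludes in refs:
        ref = ET.SubElement(group, "POLICY-REF", about=about)
        for tag, paths in (("INCLUDE", includes), ("EXCLUDE", excludes)):
            for path in paths:
                ET.SubElement(ref, tag).text = path
    return ET.tostring(meta, encoding="unicode")

def policies_xml(policies=POLICIES):
    """The full POLICIES file that the reference file points at."""
    root = ET.Element("POLICIES", xmlns=P3P_NS)
    for name, pol in policies.items():
        p = ET.SubElement(root, "POLICY", name=name, discuri=pol["discuri"])
        ent = ET.SubElement(ET.SubElement(p, "ENTITY"), "DATA-GROUP")
        for ref, value in ENTITY.items():  # legal name and off-line/online contact
            ET.SubElement(ent, "DATA", ref="#" + ref).text = value
        _leaf_list(p, "ACCESS", [pol["access"]])
        if pol["remedies"]:  # how disputes are resolved and what remedies apply
            disp = ET.SubElement(ET.SubElement(p, "DISPUTES-GROUP"), "DISPUTES",
                                 {"resolution-type": "service", "service": pol["discuri"]})
            _leaf_list(disp, "REMEDIES", pol["remedies"])
        for st in pol["statements"]:  # what is collected, why, for whom, how long
            s = ET.SubElement(p, "STATEMENT")
            pu = ET.SubElement(s, "PURPOSE")
            for purpose, req in st["purpose"]:
                ET.SubElement(pu, purpose, required=req)
            _leaf_list(s, "RECIPIENT", st["recipient"])
            _leaf_list(s, "RETENTION", [st["retention"]])
            dg = ET.SubElement(s, "DATA-GROUP")
            for ref in st["data"]:
                _leaf_list(ET.SubElement(dg, "DATA", ref=ref), "CATEGORIES", st["categories"])
    return ET.tostring(root, encoding="unicode")
```

Call policy_reference_xml() and policies_xml() to produce the two files to publish, and p3p_header(name) for the header value each response that sets cookies under that policy should carry; the compact form is derived from the full policy rather than hand-typed, so the two cannot drift apart. The generated files still need to go through the W3C validator mentioned above before they go live.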

Question C: How do we ensure that our employees don't violate our privacy policies?

Our advice: People are more sensitive about their privacy than ever. Between the Health Insurance Portability and Accountability Act on one hand, and the Patriot Act on the other, privacy guidelines are becoming more significant to the business world. There are two components to the enforcement of any corporate privacy policy: technical and procedural. Both must be in place to ensure proper compliance with corporate privacy policies.

The technical component, which can be as draconian or liberal as you wish, doesn't assume a level of trust on the part of your staff. The software either does its job or not. If you do have a policy breach, then you have the evidence to sanction the parties responsible. Watch out for overly complex technical policies, however. If the technical solution makes it difficult for users to do their jobs, users will fix the problem--you just might not like their fix! While technical methods involve combinations of setting appropriate access permissions on the data, user authentication, encryption, usage auditing, and other standard techniques, unless you have a good human-resource policy to match, compliance can be painfully difficult to enforce.

The trickier, but equally important, component is the creation of enforceable and enforced human-resource policies that reflect the stated goals of your company. Of course, having the employees sign binding contracts with sanctions for violating the privacy policies is crucial. In addition, many companies impose privacy policies by limiting the right to use sensitive information to only people who have job requirements for access. The "need to know" methodology has long been used in military and government circles as a technique to limit the exposure of sensitive data. As one wag recently put it, "Those who violate the policies are shot and killed. This does two things: thins the herd and sends a message to the rest." That approach may be extreme, but the level of compliance would, no doubt, be extremely high!

Take advantage of the standard technical systems to ensure compliance, but be prepared to back up your policy enforcement with matching compulsory human-resources policies. Only then will your staff get the message that your privacy policy is important, and that you're serious about the reputation and trustworthiness of your company in its ability to handle personal data appropriately.

Related Links

Information Security Policy World

Privacy Knowledge Base

-- Beth Cohen

Sourabh Hajela, TAC Expert, has more than 15 years of experience in strategy, planning, and delivery of IT capability to maximize shareholder value for corporations in major industries across North America, Europe, and Asia. He is a member of the faculty at the University of Phoenix, where he teaches courses in strategy, marketing, E-business, and leadership. Most recently, he was VP and the head of E-business with Prudential Financial.

Peter Schay, TAC executive VP and chief operating officer, has 30 years of experience as a senior IT executive in IT vendor and research industries. He was most recently VP and chief technology officer of SiteShell Corp. Previously at Gartner, he was group VP of global research infrastructure and support, and launched coverage of client/server computing in the early 1990s.

Beth Cohen, TAC Thought Leader, has more than 20 years of experience building strong IT delivery organizations from user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today but where it's heading in the future.

Copyright © 2020 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service