
Taking information privacy seriously

The advent of the Internet has made information privacy a matter of public concern, as individuals begin questioning the levels of technological intrusiveness they will tolerate.
By Alkesh Patel, Principal consultant of security and privacy services at IBM SA.
Johannesburg, 21 Sept 2006

Information privacy is about choice. It is the freedom of individuals to choose how they wish to be treated by organisations that control information pertaining to them.

For decades, companies have been collecting customer data on computers that have been hidden from public scrutiny. During the past decade, however, the Internet has brought data collection practices into people's living rooms and privacy has emerged as a major societal issue as individuals have begun to question the levels of technological intrusiveness they will tolerate.

But there is another side to this issue. Organisations need customer data to market and sell products and services. In the 20th Century, trade was defined as goods and services flowing from city to city, across borders and oceans on trucks, trains, ships and planes. In the 21st Century, trade flows via cables and satellites in data streams, and organisations will collect massive amounts of data about individuals in every city, in every nation.

Technology allows organisations to access and collect a plethora of personal information from multiple sources across the globe. Once-disparate databases can be bridged with middleware and allow users to match up legacy with click-stream data collected on the Web. Organisations will use this information to construct complex personal profiles to better customise their offerings and target the right products and services to the right customers at the right time.

At the same time, governments around the world are reacting to growing individual demands for privacy protection by writing stringent information protection laws. In SA, the Protection of Personal Information (POPI) Bill is being drafted to regulate the protection of personal information, in line with international trends.

Better protection

Although a voluntary regime for privacy protection exists within the Electronic Communications and Transactions (ECT) Act, the POPI Bill will further enforce information protection requirements, bringing into effect the following eight privacy principles derived from the OECD Privacy Guidelines:

1. Limitation of processing
2. Purpose specification
3. Further processing limitation
4. Information quality
5. Openness
6. Security of information
7. Individual participation
8. Accountability

During the past few years, organisations have responded to growing legislation and customer demands for information privacy by constructing privacy policies and Web statements. Some have appointed chief privacy officers to take organisational responsibility for navigating complex privacy regulations, building comprehensive information privacy policies, and providing assurances to customers that their individual privacy preferences will be respected. But is that enough?

Until now, even while understanding what regulations and sound privacy practices are required, the obstacle for business has been a question of how to implement privacy; for example, the ability to associate privacy policy information with individual data elements in a customer's file.

Future strategy

How do information-intensive organisations operate in an information-dependent world, while respecting privacy?

A comprehensive enterprise privacy architecture is required. Privacy in the context of IT architecture and infrastructure is a relatively new concept compared to areas like security. The rise of cyber crime, particularly identity theft, has made the average person begin to worry about how personal data is stored and who has access to it. Because of this, privacy has to be related to other concepts such as security, personalisation, trust, education and business process. Security and privacy are inter-related but separate. One thing is certain - you can have security without privacy, but you cannot have privacy without security.

A privacy architecture allows enterprises to maximise the business use of personal information, to add value to themselves and their customers, while respecting privacy concerns, obligations and regulations. It includes the strategy, management framework, policies, regulations and controls to enforce policy, as well as mechanisms to integrate privacy into business processes and address the transaction level management of privacy.

An holistic, architecture-based approach to privacy drives out the full spectrum of benefits:

* Enhance and preserve the value of data assets. This entails providing a reference for privacy business transformation that allows maximum utilisation of data through depersonalisation or by keeping the data anonymous
* Operate consistently with multiple privacy regulations and standards. This will help to define common denominator compliance obligations across jurisdictions and express these in common terms
* Build and promote trust in the marketplace. A policy of this nature provides openness and responsiveness in terms of privacy, thereby promoting trust
* Realise substantial privacy management choices. This provides the capability to highlight choices for uses of less sensitive data types, and show both high-risk and redundant privacy relationships
* Operate a sound platform for persistent privacy management. This is fundamental but critical, as it ensures ongoing environmental input on privacy

The net result is that enterprises can use privacy protection as a competitive enabler, since they will be positioned to confidently offer their clients the benefits of personalisation with the assurance of privacy protection.
