The growth of electronic business has brought forth increasing concerns about protecting the vast amounts of personal information collected and used in the transactions that drive business today. Consumers are concerned about how their information will be used, how it is protected, what process is in place that will allow them to correct erroneous information, who this information will be shared with, and who will have access to this information.
Privacy rights are considered to be, by definition, personal. Personal data are recorded information relating to an identifiable individual, which are organized such that they can be processed or retrieved. Such information includes, but is not limited to, a person's name, telephone number, address, age, occupation, marital status, salary and financial status, religious belief, nationality, credit card numbers, identity card numbers, medical records and employment records.
People simply will not post their personal information on the internet unless they receive some assurance that an entity has proper controls and related privacy disclosures. Without proper controls and proper related disclosure, consumers may choose to do business at another web site where there are appropriate controls.
But assuring privacy anywhere is no longer a simple matter. Years of technological advancement have steadily diminished our zones of personal space. It is now possible to know virtually everything about someone. The question is no longer, "Can we get the information?" Rather, we are asking, "Should we be allowed to gather the information that technology will allow?" And further, "How should we be allowed to use the information we do gather?"
We are on the horns of a dilemma: the vastness of modern databases, combined with the aid of instant access, threatens to eliminate privacy completely, but that very information is key to realizing the immense potential of e-business.
From human resource systems management to marketing and tracking customer data, managing privacy risk has become a critical aspect of business practice. Failure to respond effectively to privacy issues and risks can result in adverse consequences that range from outright market rejection, to regulatory enforcement action, to loss of data flow, or to costly litigation.
Privacy issues drive or drag the information economy. Without privacy protections there will be no consumer confidence in e-business. So, how can an entity effectively manage its privacy risks?
A systematic approach to privacy risk management should be adopted by your entity to assist the e-business efforts in realizing the full benefits of online commerce. There are three major steps that must be undertaken.
First, develop a privacy policy. In developing a privacy policy you need to consider a number of factors: what customer information your entity needs to collect and the appropriate uses of that information; your current and future business needs; and the resources required to comply with your privacy policy statement. The policy must also be flexible in order to provide for strategic changes (such as additional services or mergers). Policies should govern personal data gathered from an individual online, via mail-in forms or faxes, or over the telephone. At a minimum, your entity would need to inform consumers of the following:
- What information is collected about a user;