Before a database can forget in a responsible and planned way, however, it must know. This means customers must provide valuable, private, personally identifiable information. Based on our research of privacy statements and discussions at the symposium, it is clear that IT managers can lead a re-evaluation of company policy that places customer privacy first. For example, Ann Cavoukian, Ontario privacy commissioner and author of "The Privacy Payoff" (www.privacypayoff.com), recommended that enterprises look at privacy as a business concern rather than a compliance issue. "Businesses should embrace privacy and show customers that their private information will be used only with their permission, full stop," Cavoukian said. "In the online world, trust is practically synonymous with privacy."
Organizations required by law to keep data private, such as health care agencies and financial institutions, can still make stringent privacy a distinguishing characteristic. For example, while HIPAA (Health Insurance Portability and Accountability Act) requires that all organizations handling patient information comply with the same rules regarding access and maintaining audit trails, assured timely access could be a selling point. Making sure that a doctor or nurse is never denied appropriate access, for example, is a major concern for many hospital IT directors.
Senior Analyst Cameron Sturdevant can be reached at firstname.lastname@example.org.
Companies would do well to aggressively market simple, strict privacy agreements to customers. One of the biggest benefits is that the company gets ahead of the evolving, mutable consumer privacy legislation. If a company's privacy policies convey the idea that customer data will never be used for anything other than the original purpose of the transaction, lawyers will have a lot less to fiddle with.