There are some supremely knotty questions surrounding the issues of privacy, especially for enterprise IT professionals, whose very jobs put them in the unique and sometimes perilous position of having to protect data on many fronts.
“Privacy for Data Systems,” the topic of an invitation-only symposium held earlier this month at IBM's Almaden Research Center, explored some of the privacy challenges faced by enterprises and the role IT managers have to play in ensuring that private data is secured.
Sept. 11, 2001, shone a glaring spotlight on privacy. People who had never given a second thought to privacy were suddenly willing to give it up because of terrorism fears.
Things have become a bit more balanced since then, but the issue of who has the right to know what—and who has the right to obscure what—can be complex, troubling and potentially dangerous for companies that don't have their organizational culture, policies and technical systems in order.
IT managers should start a discussion on privacy that enables company management to remain at least a step ahead of the many privacy regulations that are likely to emerge during the next several years. IT experts, for example, are uniquely positioned to advocate data storage and access policies that protect customers and employees from the kinds of increased surveillance activities that are being developed by organizations including DARPA (Defense Advanced Research Projects Agency) and the FBI.
Rakesh Agrawal, chairman of the Almaden symposium and IBM fellow, spoke with eWEEK Labs about some of the tough data privacy questions facing IT.
“Until now, the question has been how to make sure data was stored and accessible,” said Agrawal at the symposium, in San Jose, Calif. “Now, we think about how to make databases forget information that is no longer needed. We are working on the question of associating information about data expiry.”
Before a database can forget in a responsible and planned way, however, it must know. This means customers must provide valuable, private, personally identifiable information. Based on our research of privacy statements and discussions at the symposium, it is clear that IT managers can lead a re-evaluation of company policy that places customer privacy first.
For example, Ann Cavoukian, Ontario privacy commissioner and author of “The Privacy Payoff” (www.privacypayoff.com), recommended that enterprises look at privacy as a business concern rather than a compliance issue. “Businesses should embrace privacy and show customers that their private information will be used only with their permission, full stop,” Cavoukian said. “In the online world, trust is practically synonymous with privacy.”
Companies would do well to aggressively market simple, strict privacy agreements to customers. One of the biggest benefits is that the company gets ahead of the evolving, mutable consumer privacy legislation. If a company's privacy policies convey the idea that customer data will never be used for anything other than the original purpose of the transaction, lawyers will have a lot less to fiddle with.
Organizations required by law to keep data private—such as health care agencies and financial institutions—can still make stringent privacy a distinguishing characteristic. For example, while HIPAA (Health Insurance Portability and Accountability Act) requires that all organizations handling patient information comply with the same rules regarding access and maintaining audit trails, assured timely access could be a selling point. Making sure that a doctor or nurse is never denied appropriate access, for example, is a major concern for many hospital IT directors.
Senior Analyst Cameron Sturdevant can be reached at [email protected]