The battle over what consumer information should be kept private and what can be sold to the highest bidder is starting to shape up – and according to NCR Corp. IT departments are on the front line.
Traditionally, privacy hasn’t been a hot topic of discussion in IT circles. But Robert Henderson, vice-president of the newly created NCR privacy center of expertise (COE) in San Diego, said that’s about to change.
“My belief is that privacy is as large, if not larger than, the Y2K issue,” Henderson said. “The difference is that Y2K has an ending, while the privacy issue will be an emerging, iterative activity.”
Giving up personal information in order to do business isn’t a new phenomenon, Henderson admits. But as the number of on-line transactions grow, consumers are being asked to give up more data to more people, more often. Many are starting to question the practice, and with good reason, according to Henderson.
“When you look at a lot of businesses, the type of consumer profiles they have today is more extensive than profiles a lot of government agencies have had on people in previous decades. So this says that (the issue of) privacy is not going to go away,” he said.
Companies can still collect personal information about their customers, Henderson adds. But they are obligated — if not by law, then by ethics — to tell customers exactly how the information will be used, and promise not to share it with third parties without permission.
That’s where information technology comes in. Customer profiles are normally cobbled together from information stored in databases. As such, any corporate privacy policy will naturally involve restrictions around an organization’s data stores.
In most cases, it’s the CIO that should take responsibility for implementing privacy policies, both because they have a firm grasp of corporate data, and the executive teeth to get the job done, said John Boufford, I.S.P., president of e-Privacy Management Systems, a security and privacy consultancy in Lakefield, Ont., and member of the Canadian Information Processing Society (CIPS) external liaison committee.
“IS departments have a very important role to play in implementing privacy principles across the organization, ” Boufford said. “[But] IS folks have a ways to go to understand the obligations of their organizatons.”
He views privacy as an opportunity for IT to take charge of an issue affecting the entire business, something they’re increasingly being forced to do anyway, he added.
Echoing Henderson, Boufford said that as the public learns how companies can – and are – abusing confidential information, the issue of privacy will become a central social concern. “Privacy will be the next big issue on the horizon, ” he predicted.
Henderson said NCR is ready for the onslaught. The company is launching a new program under which privacy becomes a core customer satisfaction issue. That includes the creation of the NCR privacy COE, a three-person organization that Henderson heads, and several other tools and services to help customers implement privacy policies and compare standards to that of their peers.
They include Privacy Discovery Service, which helps users of NCR’s Teradata define their own privacy goals; the Privacy Assessment Service, which helps users implement them; the Privacy Data Modeling Template, which shows organizations how to optimize warehouses for privacy without affecting performance; the Privacy Administration Utility, to help customers prepare for a privacy audit; and the Privacy Consumer Access Interface, which lets Teradata users give their customers access to personal data stored in a warehouse.
“I think that privacy will…create a new way of doing business where enterprises treat privacy as a different shade of competitive advantage,” Henderson said.
The best way to optimize databases for privacy is to improve the logical data model. This is done by constructing databases with several layers, according to NCR. Each layer provides a more detailed profile, depending on customer preference. The final layer – the one with the greatest restrictions — would include the most sensitive information.
While banks and hospitals long ago adopted privacy principles, Boufford expects other companies to be less proactive. But whether they know it or not, most companies are already practising ethical privacy policies, he said. He also plays down cost concerns, adding that privacy will save some organizations time and money.
“Organizations tend to collect more information than they need…and [privacy measures] save them money in terms of collecting less information about individuals.”
NCR’s Privacy Discovery Service is currently available. The remaining services will be available by the end of 1999.
NCR Canada Ltd. in Toronto is at (416) 351-2104.