Richard Purcell, chief executive officer of the Corporate Privacy Group, and a widely respected authority on privacy and security, created the position of Chief Privacy Officer at Microsoft in the late 1990s. He is chairman of the board for TRUSTe, an independent trust authority for privacy on the web, and is deeply involved with the International Association of Privacy Professionals. Purcell recently took part in a panel discussion on privacy issues at the conference on Synergies in an E-Society. Following is a transcript of his opening remarks.
We’ve heard a lot today. We’ve heard about information – the kind of information we’re concerned about, whether it’s biometrics, health information, our personal information, our finances. We’ve heard about lots of ways that information is being handled and potentially compromised. It’s being transferred over wireless devices (which may not be secure). And critical infrastructure protection – digitized information may be vulnerable, and what do you do about that? We’ve talked extensively about law enforcement attempts to stem terrorist activity. We’ve talked about…fraud in terms of identity theft. We’ve talked about the European data protection regime and derivatives of that regime. We’ve mentioned a few times both sides of the U.S. Patriot Act, and the scattering of privacy laws that are there (in the United States).
But: What do you do about it? That’s the question. What’s it about? Where are we going?
Short story: When you have a soda, in an aluminum can, and you finish that soda, and you have that can to dispose of – what do you do? In Canada, most people – I hope everybody – has a tendency, a strong track record, of disposing of that, so it can be recycled and remade into another product. Whether it’s plastic, whether it’s aluminum, whether it’s tin – we’ve got pretty good about recycling. And for the most part, we generally feel badly if we’re not able to dispose of recyclable items in a way that allows them to be recycled. We look for that.
That’s what we need for data.
We need to be able to ensure in the future that everybody – not just privacy officers, not just privacy commissioners – treats information like that kind of asset, that has value in and of itself and needs to be treated in an appropriate way. And they have enough knowledge to know when they don’t treat it in an appropriate way that they’re doing something. That’s an important thing to get to.
So I don’t want to talk about high-falutin laws. I want to talk about this very real thing. There’s no law that says you have to recycle. And there doesn’t have to be a law that says you have to treat personal information with care. We’re smarter than that. Everybody in this room is smarter than that. Everybody on this planet is smarter than that. If you use personal information, you’re abusing somebody’s asset. That’s all.
Perhaps more important, don’t think of privacy as only an individual right. This is a social good…Every time a piece of personal information is neglected, is abused, is mishandled, we’re all affected by that. That’s why you recycle. I don’t really care how much you individually recycle. The only thing that matters is that everybody does it. That’s where we have to go.
Government can’t tell us how; that’s not how it works. You have to do it yourself. When somebody tries to force you into a behaviour that you know is wrong, you have to resist. If somebody says: “Just pour that paint can down the drain”…I hope you don’t do that. Because you know better. And when somebody says: “Just run that customer’s file and give it to me; I’ve got to use it” – you should resist that. If a government agency asks for information, and they don’t present the proper paperwork that shows they have the full force of the law behind them, you should resist. End of story. Why do they even discuss it as if there’s another option?