Even if it only happens on a subconscious level, every business is as focused on acquiring information as it is revenue. That’s why privacy protection is so hard to sustain.
The report this week from federal Privacy Commissioner Jennifer Stoddart’s office offers an object lesson to enterprise IT managers from organizations of all shapes and sizes who want to avoid dealing with a cleanup exercise in the way systems collect and manage data. This can be found in the section of the report that details an audit of FINTRAC, the government agency which, among other things, tries to detect and prevent fraud before it happens. While commending its efforts, the report outlines a number of cases where, essentially, people jumped the gun in reporting information that didn’t amount to any criminal activity.
It is a bedrock privacy principle that you collect only the personal information you need for a specific purpose,” (Stoddart) says. “The federal government needs to have a justifiable need to collect someone’s personal information. Clearly, FINTRAC needs to do more work with organizations to ensure it does not acquire personal information that it has no legislative authority to receive – and that it does not need or use.”
This is tougher than it sounds. Much of what happens in IT is premised on the notion that gathering information is good and necessarily. You can set up a data warehouse to filter out what you really need, and you can establish security mechanisms to ward off information that could harm the business somehow, but there are few instances where companies deliberately turn information away.
Think of the implications of Stoddart’s report. Companies need not only to ensure the information they solicit is necessary and can be disposed of at the proper date, but also to make certain that unnecessary, unsolicited information is not stored at all. An organization like FINTRAC is therefore less focused on money-laundering and more focused on information-laundering.
Not all aspects of this would need to be automated, necessarily, since a great deal of the information the Privacy Commissioner’s Office is talking about would be generated through front-end parts of an organization like a call centre or perhaps even in person through a branch location. Employees could be trained, I suppose, on deleting e-mails with information they shouldn’t receive, though such judgment calls will never be completely perfect.
As companies become more sophisticated in how they communicate with external stakeholders – through blogs, forums, wikis, and social tools like Twitter – guaranteeing that you won’t “acquire personal information you have no legislative authority to receive” will be next to impossible. FINTRAC probably isn’t getting fraud tips through Twitter today, but many other firms are using technology to get closer to customers, suppliers and partners.
Perhaps the best way to set up a culture of privacy protection would be for an IT manager and other suitable stakeholders to conduct a self-audit on their information gathering objectives. This means not only figuring out if you’re only actively collecting what you need, but what you’re collecting that you receive, and why. A tall order? Certainly. But one that could yield huge dividends in terms of building trust with the government, your customers and pretty much everyone else.