Fair Information Practice Principles Generally
Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information — their “information practices” — and the safeguards required to assure those practices are fair and provide adequate privacy protection. The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices. Common to all of these documents [hereinafter referred to as “fair information practice codes”] are five core principles of privacy protection: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress.
The most fundamental principle is notice. Consumers should be given notice of an entity’s information practices before any personal information is collected from them. Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information. Moreover, three of the other principles discussed below — choice/consent, access/participation, and enforcement/redress — are only meaningful when a consumer has notice of an entity’s policies, and his or her rights with respect thereto.
While the scope and content of notice will depend on the entity’s substantive information practices, notice of some or all of the following have been recognised as essential to ensuring that consumers are properly informed before divulging personal information:
- identification of the entity collecting the data;
- identification of the uses to which the data will be put;
- identification of any potential recipients of the data;
- the nature of the data collected and the means by which it is collected if not obvious (passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information);
- whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information; and
- the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.
Some information practice codes state that the notice should also identify any available consumer rights, including: any choice respecting the use of the data; whether the consumer has been given a right of access to the data; the ability of the consumer to contest inaccuracies; the availability of redress for violations of the practice code; and how such rights can be exercised.
In the Internet context, notice can be accomplished easily by the posting of an information practice disclosure describing an entity’s information practices on a company’s site on the Web. To be effective, such a disclosure should be clear and conspicuous, posted in a prominent location, and readily accessible from both the site’s home page and any Web page where information is collected from the consumer. It should also be unavoidable and understandable so that it gives consumers meaningful and effective notice of what will happen to the personal information they are asked to divulge.
The second widely-accepted core principle of fair information practice is consumer choice or consent. At its simplest, choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information — i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company’s mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.
Traditionally, two types of choice/consent regimes have been considered: opt-in or opt-out. Opt-in regimes require affirmative steps by the consumer to allow the collection and/or use of information; opt-out regimes require affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule when no affirmative steps are taken by the consumer. Choice can also involve more than a binary yes/no option. Entities can, and do, allow consumers to tailor the nature of the information they reveal and the uses to which it will be put. Thus, for example, consumers can be provided separate choices as to whether they wish to be on a company’s general internal mailing list or a marketing list sold to third parties. In order to be effective, any choice regime should provide a simple and easilyaccessible way for consumers to exercise their choice.
In the online environment, choice easily can be exercised by simply clicking a box on the computer screen that indicates a user’s decision with respect to the use and/or dissemination of the information being collected. The online environment also presents new possibilities to move beyond the opt-in/opt-out paradigm. For example, consumers could be required to specify their preferences regarding information use before entering a Web site, thus effectively eliminating any need for default rules.
Access is the third core principle. It refers to an individual’s ability both to access data about him or herself — i.e., to view the data in an entity’s files — and to contest that data’s accuracy and completeness. Both are essential to ensuring that data are accurate and complete. To be meaningful, access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients.
The fourth widely accepted principle is that data be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form.
Security involves both managerial and technical measures to protect against loss and the unauthorised access, destruction, use, or disclosure of the data. Managerial measures include internal organisational measures that limit access to data and ensure that those individuals with access do not utilise the data for unauthorised purposes. Technical security measures to prevent unauthorised access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers that are inaccessible by modem.
It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them. Absent an enforcement and redress mechanism, a fair information practice code is merely suggestive rather than prescriptive, and does not ensure compliance with core fair information practice principles. Among the alternative enforcement approaches are industry self-regulation; legislation that would create private remedies for consumers; and/or regulatory schemes enforceable through civil and criminal sanctions.
Finance and IT – a special relationship?
Article published on the CPAI site
People often perceive the Finance and IT functions to be inseparable. Some would even say that there is a special relationship between these two functions.
If a special relationship exists then this bond could be based on the fact that in a lot of businesses there is a perception that every ill that could possibly befall a business is usually the fault of IT or Finance. Of course IT and Finance have responsibilities within a business and are at fault when some things go wrong but not everything!
Being the convenient fall guy could explain the special relationship between IT and Finance.
However a special relationship between IT and Finance also exists in the quest for successful IT implementation in the SME.
Achieving Successful IT Implementation in the SME
An essential weapon in any business’ arsenal is information. Having the information however is only half the battle; making proper use of it is the real challenge. If properly designed and well implemented, Information Systems can prove an invaluable investment in the long-term success of your business.
In common with any other production process raw material is required and in this case the raw material is data. Information therefore, is the product of applying Information Technology to data, which must be entered into a computer system in a consistent fashion. Whilst this may appear to be stating the obvious, this consistency, or lack of it, is a major reason why Information Systems implementations fail.
Critical success factors for successful IT implementations
- Systems analysis – are the requirements clearly stated?
Operating needs – Functionality required from a system?
Storage needs – Data that needs to be recorded and held in the system for future use? Information needs – What information do you need to be available from the system?
- System development / sourcing – does it fit?
One key objective in sourcing any system is that it is compatible and will integrate into the existing or planned operating environment.
- User commitment – are users on board?
To achieve success, it is imperative that use of any system be based on clearly defined procedures developed in conjunction with the users and taking into account current and future user requirements.
- Training and communication – what training is planned and when?
It is human nature to resist change and employees often fear the implications. Having defined the changes required everyone must be kept fully informed and trained before the changes are implemented.
- System hand over and user acceptance
How and when will the end of the project be identified?
This is arguably the most important phase of any project. The system must be formally handed over to the users at the end of the implementation phase. From then on, it is the user’s responsibility to operate the system.
- Standards and Infrastructure
Ironically one of the easiest things to do on Information Systems projects is deliver the technology. Many Information Systems projects suffer though because of the quality and standard of the technology applied. There is no point in buying cheap and paying later in terms of lost time for users and extra technical support costs, i.e. the much talked about ‘Cost of Ownership’.
All personal computers are not the same. All printers are not the same. All software is not the same, etc. Cheap technology is a major factor why IT projects fail. Computers, which are of a suitable quality and correctly implemented, should not need constant fixing. If you find yourself in this situation then maybe its time to seek outside help to audit your systems and put a plan in place to rectify the root causes of the constant fixing.
Be aware of the critical parts of your system – It’s not always just the server!
Assessing the needs of your maintenance contracts is similar to assessing your insurance needs. You are seeking to predict and minimise exposure to risk in your business. You can get cheap insurance, which, on paper will discharge your responsibility to carry it, but it may not deliver when you most need it. The same is true of maintenance contracts. It is one of the hidden costs of stable computer systems. When choosing a service partner make sure that they have the staffing levels and skills to deliver on the commitments they make to you. Be prepared to pay reasonable rates to get the best contract.
- Outsourcing IT
Depending on the business there may or may not need to be staff dedicated to the IT function. One of the cardinal sins of smaller businesses is to dump the responsibility for IT on the shoulders of the manager who finds it easiest to turn on a PC. The end result of this is a stressed out member of staff struggling to do the job they are paid to do combined with maintaining computer systems.
Outsourcing the technical support aspects of the computer systems is a good way of dealing with this problem of competing priorities.
Many Finance and IT people have a relationship which is based on a mutual disrespect and would find it hard to consider the cooperation required for this special relationship. They are wrong. By making this relationship work both parties can achieve their objectives and make an invaluable contribution to the success of the business, especially in the case of successful IT implementation in the SME.