Principals for Defining Privacy Policy

16 Mar 2010 Leave a comment

by Asif J. Mir in Principals for Defining Privacy Policy Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,


Companies wishing to enact an internal privacy policy or code should consider as a starting point the three concepts that help define information privacy: data collection, data accuracy, and data confidentiality.

Data Collection: the following principles should be adhered to:

  • Data should be collected on individuals only to accomplish a legitimate business objective.
  • Data should be adequate, relevant, and not excessive in relation to the business objective.
  • Data should be obtained in a lawful manner.
  • Individuals must give their consent before data pertaining to them can be gathered. Such consent may be implied from the individual’s actions (e.g., when they apply for credit, insurance, or employment).

Data accuracy: to ensure that misleading information will not be distributed, the following principles apply:

  • Sensitive data gathered on individuals should be verified before it is entered in database.
  • Data should be accurate and, when necessary, kept up to date.
  • The file should be made available so the individual can ensure that the data is correct.
  • If there is disagreement about the accuracy of the data, the individual’s version should be noted and included in any disclosures of the file.

Data Confidentiality: the privacy policy should ensure confidentiality as follows:

  • Computer security procedures should be implemented to provide reasonable assurance against the unauthorized disclosure of data. These procedures should include physical, technical, and administrative security measures.
  • Third parties should not be given access to data without the individual’s knowledge or permission, except as required by law.
  • Disclosures of data, other than the most routine, should be noted and maintained for as long as the data is maintained.
  • Data should not be disclosed for reasons incompatible with the business objective for which it was collected.

My Consultancy–Asif J. Mir – Management Consultant–transforms organizations where people have the freedom to be creative, a place that brings out the best in everybody–an open, fair place where people have a sense that what they do matters. For details please visit www.asifjmir.com, and my Lectures.