Recent headlines about the scope of government snooping on telecommunications activities in the United States have prompted reactions ranging from outrage on the negative side to affirmation or resignation on the positive side. It seems that most of us have less privacy than we thought.
Privacy: More Than Just Confidentiality
Privacy is related to confidentiality, one of the cornerstones of information security (along with integrity and availability). But privacy and confidentiality are different: privacy relates to personal integrity (controlling what others see of or know about ourselves, our bodies, our relationships or our thoughts), while confidentiality relates to information such as corporate intellectual property that is shared exclusively with some individuals or groups. Privacy has been described as the overarching category of which confidentiality is a subtype.
Privacy in the Private Sphere
Is there such a thing as a private space and can I expect privacy in it? Some things we have thought of as private may no longer be as private as they once were: a private phone call, a letter, a conversation between two friends in a private place, or an email might be shared—by court order, corporate policy or a large-scale government-sponsored data-mining program—with persons other than the nominal recipients. It could involve shared contents or shared metadata, such as the name of the recipient, the time and duration of the communication, the mode, etc. How does this knowledge condition our behaviour? Needing to operate in a world where intuition and friendship play as large a role as constitution, law, or corporate codes of conduct, we have rules of thumb and corresponding challenges deciding whether and how much to keep personal knowledge or thoughts private: to whom do we reveal the fact that we ourselves have feelings, aspirations, or other personal thoughts, or that such private information has been shared with us, or where it came from? Do we reveal the fact that we have met, spoken to or shared ideas with a person or organization? With whom is it right to discuss our knowledge in order to understand it better? Since intuition and friendship are often better guides than policy manuals, we might at least start with sharing the questions and hypothetical scenarios with a friend.
Privacy in the Public Sphere
Do we give up all privacy rights when we enter the public space; for example, when we use our public streets? I don’t think so. While we cannot prevent others from knowing through observation that we are in the public space, we may feel (justifiably) intruded upon if our activities in that space, albeit public, are recorded, analyzed and shared among people we don’t know. In addition to feeling slightly violated—in any space, public or private—I would wonder about how efficient it is to collect data about virtually everyone in order to anticipate and prevent illegal and dangerous behaviour by virtually no one. Would the potentially vast numbers of false positives not lead to abuses? We have all been given or observed private information that could or should be shared for moral, legal or other reasons. Do we trust our data miners any more than ourselves not to reveal private information beyond the scope of their research mandate? I don’t.
Privacy in the Workplace
Do we give up most of our privacy in the workplace? Again, I don’t think so. Our workplace is a social space where most spend more waking hours than anywhere else. We expect the environment to present a mix of private and public contexts, governed by rules not all that different from what we see elsewhere. In other words, we should not shed our humanity when we enter the workplace, and we must be enabled in that space to respect, contribute to and affirm others and their work, even as we receive respect, help, trust and affirmation ourselves. Negotiating the privacy terrain in a corporation is no easier than anywhere else, but that is no excuse for pretending there is no privacy but that required by law. We need to challenge each other to make explicit our assumptions, to share information necessary for others to do their jobs (meaning to trust our colleagues within the scope of their expertise and responsibility), and, obviously, to remain discreet in other contexts.
What’s the Corporate Privacy Officer to Do?
Often a Corporate Privacy Office is charged only with developing, implementing and monitoring policies and procedures related to legislated privacy mandates. But the issue of privacy is much larger than that.
- As noted above, trust and discretion are key factors. They can only be taught by example, from the top down, through management style.
- If the policy is not backed up by adequate communications and training, start communicating and training now. It’s great to have levels of privacy classification, but if staff can’t figure out what belongs in each classification, can they be held accountable for following through on the policy?