Privacy policies, notices and statements seem to be everywhere these days. With growing public interest and more stringent legislation on information security and privacy protection, these mechanisms are becoming increasingly important for websites and online services. Privacy policies, privacy notices and privacy statements generally follow a similar format and use the same vocabulary and style.
Enterprise Privacy Programs
Developing and maintaining an enterprise-wide privacy program requires top-down cooperation and collaboration among individuals across the enterprise.
Standardization of enterprise privacy programs has become an increasingly prominent issue in recent years. Even though enterprise privacy policies are primarily intended for internal use, standardizing them brings several advantages:
- The technical parts of regulations can be encoded in a standardized language
- Enterprises with heterogeneous repositories of personal data can build consistent enforcement tools to verify compliance with their internal privacy practices
- 1. Policy Identification Details
This section defines the policy name, version and description.
- 2. P3P-Based Components
This section defines the attributes that would apply if the policy were exported to P3P (Platform for Privacy Preferences) format, such as policy URLs, organization information, PII access provisions and dispute resolution procedures.
- 3. Policy Statements and Related Elements: Groups, Purposes and PII Types
Policy statements define which groups of individuals may access which types of PII, and for which predefined purposes.
- Notice – Companies should provide consumers with clear, conspicuous notice that accurately describes their information practices.
- Consumer Choice – Companies should give consumers the opportunity to decide (in the form of opting out) whether the company may disclose their personal information to unaffiliated third parties.
- Access and Correction – Companies should give consumers the opportunity to access and correct the personal information collected about them.
- Security – Companies must adopt reasonable security measures to protect the privacy of personal information. These measures may be administrative, physical or technical.
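The three-part policy structure above (identification details, P3P-oriented attributes, and statements over groups, purposes and PII types) can be made concrete as a small enforcement tool of the kind the standardization section describes. The following is an added example written for this post, not code from the original or from any privacy standard: the policy fields, group names, purposes, PII types and the access-log format are illustrative assumptions. It models a policy, rejects statements that use a purpose or PII type the policy never predefined, evaluates access requests deny-by-default with explicit denies taking precedence, reports PII types that no statement covers, and replays constructed access-log records against the policy to flag violations.

```python
from dataclasses import dataclass, field

VALID_RULINGS = {"allow", "deny"}


@dataclass(frozen=True)
class Statement:
    """One policy statement: which group may use which PII type for which purpose."""
    group: str
    purpose: str
    pii_type: str
    ruling: str  # "allow" or "deny"


@dataclass
class PrivacyPolicy:
    # 1. Policy identification details
    name: str
    version: str
    description: str
    # 2. Attributes that would carry over to a P3P export (illustrative subset, an assumption)
    policy_url: str
    organization: str
    # 3. Statements, plus the predefined vocabularies they must draw from
    groups: frozenset
    purposes: frozenset
    pii_types: frozenset
    statements: list = field(default_factory=list)

    def add_statement(self, group, purpose, pii_type, ruling):
        """Reject statements that reference undefined groups, purposes, PII types or rulings."""
        if ruling not in VALID_RULINGS:
            raise ValueError(f"unknown ruling {ruling!r}")
        for value, vocab, label in ((group, self.groups, "group"),
                                    (purpose, self.purposes, "purpose"),
                                    (pii_type, self.pii_types, "PII type")):
            if value not in vocab:
                raise ValueError(f"{label} {value!r} is not predefined in policy {self.name}")
        self.statements.append(Statement(group, purpose, pii_type, ruling))

    def evaluate(self, group, purpose, pii_type):
        """Deny by default; an explicit deny outranks any allow for the same triple."""
        matches = [s for s in self.statements
                   if (s.group, s.purpose, s.pii_type) == (group, purpose, pii_type)]
        if any(s.ruling == "deny" for s in matches):
            return "deny"
        if matches:
            return "allow"
        return "deny"

    def uncovered_pii(self):
        """PII types the enterprise holds but that no statement addresses (a policy gap)."""
        return self.pii_types - {s.pii_type for s in self.statements}


def audit_access_log(policy, log_lines):
    """Replay access records ("<timestamp> <group> <purpose> <pii_type>") and return the
    lines the policy denies. Unparseable records are reported as violations too."""
    violations = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            violations.append(line)
            continue
        _timestamp, group, purpose, pii_type = parts
        if policy.evaluate(group, purpose, pii_type) == "deny":
            violations.append(line)
    return violations


def build_sample_policy():
    """A constructed policy for a hypothetical retail division (names are invented)."""
    policy = PrivacyPolicy(
        name="retail-customer-data", version="1.2",
        description="Handling of customer PII held by the retail division",
        policy_url="https://example.invalid/privacy",
        organization="Example Retail Ltd",
        groups=frozenset({"customer-service", "marketing", "analytics"}),
        purposes=frozenset({"order-fulfilment", "direct-marketing", "aggregate-reporting"}),
        pii_types=frozenset({"email", "postal-address", "purchase-history", "date-of-birth"}),
    )
    policy.add_statement("customer-service", "order-fulfilment", "email", "allow")
    policy.add_statement("customer-service", "order-fulfilment", "postal-address", "allow")
    policy.add_statement("marketing", "direct-marketing", "email", "allow")
    policy.add_statement("marketing", "direct-marketing", "purchase-history", "deny")
    policy.add_statement("analytics", "aggregate-reporting", "purchase-history", "allow")
    return policy


# Constructed access-log records, not real data.
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z customer-service order-fulfilment email",
    "2024-03-01T09:05:00Z marketing direct-marketing purchase-history",
    "2024-03-01T09:07:00Z analytics direct-marketing email",
    "2024-03-01T09:09:00Z malformed-record",
]

if __name__ == "__main__":
    sample = build_sample_policy()
    print("uncovered PII types:", sample.uncovered_pii())
    for violation in audit_access_log(sample, SAMPLE_LOG):
        print("VIOLATION:", violation)
```

Two design choices matter for enforcement across heterogeneous repositories: every statement must draw from vocabularies fixed when the policy is identified (so repositories cannot invent their own purposes), and anything the statements do not address is denied rather than silently permitted. The `uncovered_pii` check surfaces the other failure mode, PII the enterprise holds that the policy never mentions, which is a gap to close in the policy rather than a case the tool should decide on its own.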
Consumer’s Point of View
- What personal information is being collected?
- How will your personal information be used?
- How will your personal information be stored?
- Are there security measures protecting your personal information?
- How long will your personal information be kept by the company?
- Will your personal information be shared with others?
- How can you contact the company?
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- Personally Identifiable Information (PII) (I.A.a.)
- Consumer privacy concerns (II.A.a.)
- Organizational privacy practices (II.A.b.)
- Prominent notice and opt-in consent (II.B.b.)
- Privacy mechanisms – privacy by policy (III.A.)