WARNING: ACRONYMS AHEAD:
WTIA (Washington Technology Industry Association)
PII (personally identifiable information)
IT (information technology)
SSN (Social Security Numbers)
RFID (Radio-frequency identification)
(You have been warned)
I am a member of the WTIA (Washington Technology Industry Association) task force on privacy. Recently, Lew McMurran, VP, Government and External Affairs and chair of the task force, sent out a set of principles developed to guide WTIA members and the technology industry of Washington state when using personally identifiable information (PII) in the course of business.
As he pointed out in his email, the loss, misuse and stealing of PII are a national problem, and if businesses don't respond to the problem seriously and effectively, then a government body likely will. Already many state legislatures are proposing and passing laws requiring a number of protective measures, from encryption to limitations on targeted marketing.
In the long run, businesses need to take the lead in adopting standards and guidelines to protect individuals and consumers from threats both real and imagined. With that, Lew drafted and sent out for review some guidelines, which I am posting here. Take a look and offer your opinion if you are so inclined. This is a draft only, and it will be subject to discussion and review. I would like to open that review to you all as well.
PII is information about people. Any misuse, loss or stealing of PII affects the lives of people. This must be kept foremost in the minds of WTIA members and the technology industry.
PII is critical data for business. It must be understood that way from the top of an organization to the bottom. Loss, misuse or stealing of PII should not be tolerated and policies to protect PII must be developed that apply to everyone in an organization.
Access to PII within an organization should be limited to those who have a critical need for it. For those within an organization who need access to PII, personal financial information should be segregated from other PII to lessen the opportunity for misuse or stealing of personal financial information.
Organizations must be transparent to consumers and individuals about what PII they collect, how they use it, with whom it is shared, what protective measures are in place and options consumers have to limit disclosure of PII. Privacy policies can serve this purpose but should be written in plain English, be more prominent and must be developed with the input of legal, marketing, IT and others who will have access to PII.
Consumers may or may not be aware that companies are using behavioral targeting as a means to develop and market products and services. The use of behavioral targeting tools, such as cookies, web bugs, web beacons and others must be disclosed prominently, either within privacy policies or separately.
Organizations must closely monitor third party vendors for access to and use of PII. Access to personal financial information and SSNs should be limited only to those for whom it is necessary. Third party vendors’ use of PII should be restricted to only what is contracted, and they should be prohibited from transferring PII to anyone else.
New information gathering technologies, such as RFID, must be carefully monitored when deployed. When using new technologies, PII should be collected with a consumer’s or individual’s knowledge with a convenient means to opt out.
This is the start of an important discussion and not an exhaustive list. The WTIA is taking the lead in advocating for the market adoption of these principles, and though the organization lobbies for market-based, industry self-regulation, it still may support legislative measures that make sense.