It is not unusual for me to make assumptions about how my personal information will be treated based on my past experiences. With technology changing as quickly as it does this is probably a mistake. Reviewing a privacy policy or looking for a notice when new technology is introduced is a good idea as a recent episode will show.
A current project for Privacy Ref is the evaluation of privacy practices at a federal agency as part of a performance audit. It is a very interesting project. Of course, obtaining a security clearance is involved.
After taking an hour or so to fill out a questionnaire, the final step was fingerprinting. Not being in Washington, DC, an alternative location was needed to have the fingerprints taken. Off I went to the sheriff’s office.
The last time my fingerprints were taken was in the late 1970s. I had visions of ink, rollers, paper,and Joe Friday ready to manipulate my fingers. I was pleasantly surprised (though I shouldn’t have been) when the I just had to place my fingers on some glass and the fingerprint images were taken. No ink, no paper, and Joe Friday was no where to be found. Then the privacy professional in me emerged.
Looking for some poster, some sign, some brochure, or any other kind of document to tell me how the electronic fingerprints would be used and shared was futile. Given that there was no notice nor a consent form, was it possible that the information would immediately be deleted?
Getting my hopes up I began to think about the process back with Joe Friday. He would have taken my fingerprints, returned the copies to me to submit for the security clearance with nothing left for his own files. Remembering this is the information age I reached the only reasonable conclusion…immediate deletion was not likely.
Checking with the officer who was working with me, it turns out that the sheriff’s office would retain my fingerprint records for six months, they would do a criminal check against them, and may make them available to other law enforcement organizations. It might have been nice to receive notice of how my personal information would be used before I payed for the privilege of having it collected.
Applying this to the private sector, your customers provide personal information every day. If they are repeat customers I am sure they are making assumptions about what personal information you collect, how you use it, how you protect it, and with whom you share it.
Over time, your business practices and your technologies will change. If these changes materially impact your privacy policy you must make your customers aware of these changes. In fact you may want to think about ways to re-obtain the consent for use of their information.
For example, within the past year Google changed their business practices by allowing the sharing of personal information across over 60 applications resulting in a significant change in their privacy policy. For weeks prior to the new policy’s implementation Google provided a very conspicuous notice on their web site about the change as well as making a concerted effort to notify data protection authorities and the media globally. When the day of the implementation came it was not a surprise to any of their users.
Based on the size of your business and the type of change you are making to your policy you will want to develop and implement a plan to provide reasonable notification of the changes to your customers.