A current project for Privacy Ref is the evaluation of privacy practices at a federal agency as part of a performance audit. It is a very interesting project. Of course, obtaining a security clearance is involved.
After taking an hour or so to fill out a questionnaire, the final step was fingerprinting. Since I was not in Washington, DC, an alternative location was needed to have the fingerprints taken. Off I went to the sheriff’s office.
The last time my fingerprints were taken was in the late 1970s. I had visions of ink, rollers, paper, and Joe Friday ready to manipulate my fingers. I was pleasantly surprised (though I shouldn’t have been) when I just had to place my fingers on some glass and the fingerprint images were taken. No ink, no paper, and Joe Friday was nowhere to be found. Then the privacy professional in me emerged.
Looking for some poster, some sign, some brochure, or any other kind of document to tell me how the electronic fingerprints would be used and shared was futile. Given that there was no notice nor a consent form, was it possible that the information would immediately be deleted?
Getting my hopes up, I began to think about the process back with Joe Friday. He would have taken my fingerprints, returned the copies to me to submit for the security clearance with nothing left for his own files. Remembering this is the information age, I reached the only reasonable conclusion…immediate deletion was not likely.
Checking with the officer who was working with me, it turns out that the sheriff’s office would retain my fingerprint records for six months, they would do a criminal check against them, and may make them available to other law enforcement organizations. It might have been nice to receive notice of how my personal information would be used before I paid for the privilege of having it collected.
Applying this to the private sector, your customers provide personal information every day. If they are repeat customers, I am sure they are making assumptions about what personal information you collect, how you use it, how you protect it, and with whom you share it.
Based on the size of your business and the type of change you are making to your policy, you will want to develop and implement a plan to provide reasonable notification of the changes to your customers.