Back to all blog posts

Scope Creep

When new technologies arrive on the scene, there is a rush to use them everywhere. Bluetooth technology led to including it in almost any new product regardless of whether it actually adds anything. Internet connectivity has also seen a similar reaction; most notably I recall a juicer that was connected to the internet leading to a great deal of online derision and mockery. A question that should be asked in any such case is “why?” This simple, one word question is more important than almost any other. Why? You can amend it in numerous ways, but for our purposes we want to ask, “why is this necessary?”

Privacy concerns itself with the use of personal information. So, as we propose new products, services, or projects, we must know how information is used for those purposes. Whatever that purpose is, the follow up question will always be whether it is necessary. If the answer is yes, we can proceed. If the answer is no, we must figure out whether the risk of using that information in that way is appropriate or worth the risk. A privacy impact assessment would determine if this is the case. If you’re willing to take on the risk of additional information processing beyond what is necessary, a process for reevaluating risk at regular intervals should be established.

As a more practical example, imagine you make a new electronic dog collar that is wi-fi enabled to track lost dogs or to track them in your house. Being able to locate a lost pet is a useful service. However, in theory we could improve the collar to track health, movement speed, and maintain a record of geolocation data. This gets messy fast, because there are a lot of secondary uses that could now come into effect. Like Apple’s Air Tag, someone could attach this new dog collar to a car or stash it in a bag to track someone. We now have a problem where we must determine how to curtail unintended use or otherwise control the fallout from unintended uses.

It is important to ensure that scope creep – where intended uses of new technologies are expanded over time – is kept in check. Always consider whether and when it makes sense to allow the use of information. In general, if it feels intrusive or there is an obvious downside that is serious and outweighs the benefit of the processing, it is advisable to avoid it. Keep track of risks and be sure to have a process to evaluate and reevaluate them. Once again, Privacy by Design is a best practice, if not THE best practice.

Feel free to reach out to Privacy Ref with all your organizational privacy concerns. You may view our complete event calendar here, which includes our training and webinars.