Organizations Don't Get It

Published 2023-08-31 at https://privacyand.com/?p=494

Confusion over patchwork legislation and terminology can lead to inactivity in operationalizing privacy, because roles and responsibilities cannot be assigned.

If a Chief Privacy Officer is not required by legislation, who is responsible for organizational privacy programs, practices and outcomes? Ultimately, each organization decides how best to manage programs and when, or if, to track and report on outcomes. How does a data subject learn how their information is managed at a given organization, and from whom? Such processes vary substantially from organization to organization.

Without access to, or consistency of, this information, it seems unlikely that a data subject could make informed decisions about privacy, or give meaningful consent.

The duality of a privacy professional's role, combined with the variety of organizational cultures, results in many different combinations of depth, quality, breadth, nature and application of operational privacy.

Privacy programs have no set criteria, metric or descriptive quality.

The same conditions that enable customization bring a lack of transparency for the data subject. How do I know whether Hotmail and Gmail manage my information in the same way? Or, if they do it differently, how do I know whether that difference matters to me? Information provided in privacy policies is often vague and lengthy.

There are other privacy problems that manifest for data subjects when organizations try to respond to privacy requirements under legislation.

Applying privacy legislation to service organizations means that front-line staff should be educated and empowered to discuss privacy with data subjects. For example, when a store clerk asks for my zip code, s/he should be able to explain where it goes, who has access to it and why. Moreover, what are the implications of sharing or not sharing that information? Otherwise, a data subject cannot meaningfully consent to sharing that information. Imagine the store lines if this were the case now. The advent of cloud computing makes consent even more complex, particularly if the cloud services are outsourced or sold through a reseller.

Privacy legislation sets out the rules for managing information, but this is predicated on the assumption that the initial collection of PI was lawful and appropriate. Even then, traditional computing schemes like role-based access controls are difficult to implement in environments with a hierarchical service delivery model. For example, one person may work directly with the customer while another is responsible for data input. The data subject may assume their point of contact is the only person they are consenting to see their data.

Breach notification requirements vary procedurally.

For example, the characteristics of what constitutes a breach are not set out by legislation. An unauthorized access by a staff person may or may not require notification, depending on the organization's practices and internal policies.

Further, the mechanisms for identifying breaches, for example back-end logging, may increase the risk of breach itself by creating more records of PI.