Privacy Advisor

Close-Up On Privacy Notices Workshop at the IAPP Privacy Academy 2006: A Nymity White Paper on the Need for a Transparent Approach to Privacy Policies

August 1, 2006

A Nymity White Paper on the Need for a Transparent Approach to Privacy Policies

The following Nymity White Paper will provide some preliminary background for attendees of the IAPP Privacy Academy 2006 in Toronto who plan to attend the advanced session, "Simplified Privacy Notices Workshop." The privacy notices workshop will be held Thurs., Oct. 19. Terry McQuay, CIPP, President of Toronto-based Nymity, Inc., will moderate the panel, which will discuss the U.S. Government Consumer Research Project to develop privacy notices that are easier for consumers to understand, use and compare. The panel also will examine multi-layered privacy notices and review international efforts to standardize the short-notice format. The panelists are: Martin E. Abrams, Executive Director, Center for Information Policy Leadership; Michael Hintze, CIPP, Senior Attorney, Legal & Corporate Affairs, Microsoft Corp.; Susan Kleimann, President, Kleimann Communications Group; Joel Winston, Associate Director for the Division of Privacy and Identity Protection, Bureau of Consumer Affairs, Federal Trade Commission.

Privacy Notice: Nymity's Primer for Transparency

Critical to building trust and mitigating privacy risk, privacy notice is quickly becoming the key component of organizations' privacy management programs. Effective privacy notice stems from a transparent approach to privacy policies and practices. As organizations strive to provide full disclosure to help ensure compliance with laws containing privacy rules, privacy notices are becoming more complex. This increased complexity has resulted in long privacy notices, often written in complicated legal language, which frustrates consumers. In some cases the consumer feels the organization is being deceitful and hiding the true uses of their personal information.

Transparency ensures that an organization's privacy policies and practices are clearly stated in a way that consumers can understand and use to make informed decisions.

This paper discusses the benefits of transparency and addresses the conflict that arises from the need for full disclosure and the need to build consumer trust.

Privacy Notice

Nymity defines "privacy notice" as: "the information made readily available about an organization's privacy policies and practices."

Privacy notices are used:

  • to comply with laws;
  • to attain informed consent;
  • to mitigate business risks;
  • to build consumer trust; and
  • to meet partner and contractual requirements.

Privacy notices take many forms, including:

  • customer contracts;
  • posters, possibly in customer service or retail locations;
  • telemarketers' call scripts;
  • call recordings; and most importantly
  • online or printed privacy notices, often in the form of a privacy policy.

Effective privacy notice requires transparency. Nymity defines "transparency" in this way:

"Transparency is clear, complete and readily available notice on an organization's privacy policies and practices."

Transparency increases corporate accountability, provides consumers with the information to make an informed decision, and helps an organization demonstrate compliance with privacy laws.

Privacy Policies as Privacy Notice

Privacy policies are documents that define an organization's personal information handling policies and practices. The Generally Accepted Privacy Principles (GAPP), from the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants (AICPA/CICA), defines "policy" as:

"A written statement that communicates management's intent, objective, requirement, responsibilities, and/or standards."

For the private sector, it is common, and a best-practice, for an organization to make its privacy policy available on the organization's website and, where applicable, as a brochure for face-to-face consumer interactions. Sixty-three percent of corporations in Canada place their privacy policies/codes on their websites.  When the privacy policy is made available in this manner, it becomes a major component of the organization's privacy notice.

When the organization's privacy policies are online and easily viewable by consumers, business partners, and regulators, they enhance the organization's transparency. 

Legislative Notice Requirements

Around the world, there are an increasing number of laws that regulate the use of personal information, and providing notice is a fundamental requirement in these laws. In Canada there are privacy laws and consumer protection laws that specify notice requirements. For example, the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (the "PIPEDA"), Principle 8 - Openness, states:

"An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information."

PIPEDA also states in Principle 2 - Identifying Purposes:

"The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected."

In fact, all the 23 privacy laws in Canada have several requirements to provide notice, including the laws of Alberta, where opt-out consent comes with this requirement:

"The organization must give an easy-to-understand notice before, or at the time, it collects, uses or discloses the information."

The Office of the Information and Privacy Commissioner for British Columbia states:

"PIPA requires each organization to establish a set of policies and procedures for complying with PIPA. It also requires organizations to make their policies and procedures available to the public."

Similarly, the USA has several laws with rules for privacy notice, including the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Children's Online Privacy Protection Act (COPPA).

To comply with privacy notice requirements, most organizations create and make readily available privacy notices detailing their privacy policies and practices.

Generally Accepted Privacy Principles (GAPP) Requirement

As the GAPP becomes a standard for defining an organization's privacy programs, the GAPP notice criteria will further organizations' efforts to achieve transparency.

Notice is one of the 10 principles found in GAPP. The notice principles state:

"The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed."

In fact, the GAPP has several principles - Choice and Consent, Collection, Use and Retention, Access, Disclosure to Third Parties, Security for Privacy, Quality, and Monitoring and Enforcement - that have a notice measurement criterion called "Communication to Individuals." This criterion mandates that the entity's privacy notice must clearly and concisely inform consumers of the pertinent information related to that principle.

Benefits of Transparency

When creating a privacy notice strategy, it is important to create the strategy with the target audience in mind. Consumers, business partners, regulators/commissioners, privacy advocates, privacy practitioners, media, and competitors are frequent readers of privacy notices. Organizations must understand the motivations of the different readers and create a notice that is in line with these readers' objectives. However, whatever the consumer's motivation, the organization's objective is to build trust and mitigate risk.

Building Trust

Consumers, business partners, and commissioners' offices seeking knowledge of an organization's commitment to and understanding of privacy frequently review the organization's privacy notice. Nymity's research has identified the following specific needs.

Consumers - When consumers want to assess an organization's commitment to privacy or have specific concerns about the organization's personal information handling practices, they will look to the organization's privacy notice. As we will see, these consumers are best served by a multi-layered notice.

To further build trust, some organizations provide added value by educating consumers on how they can better protect their personal information. These organizations help consumers understand privacy, data security, identity theft, phishing, and even privacy laws.

Business Partners - It is very common in a business-to-business environment, including outsourced data processing of personal information, for businesses to review partners' and potential partners' online privacy notices. The purpose of this review is to assess the organization's knowledge of and commitment to privacy as well as its compliance with privacy laws. Thus, many service providers have found it beneficial to demonstrate their knowledge of and commitment to privacy through an online privacy policy.

Service providers use online privacy policies, in effect, as a brochure to increase the confidence that their business partners have in them.

Regulators, Including the Commissioners' Offices - Regulators, including the privacy commissioners' offices, often review an organization's online privacy notice, especially when assessing the organization's compliance with privacy laws, possibly after a complaint or a breach, or prior to an audit.

An online privacy notice is the most visible component of the organization's efforts to comply with privacy laws. Organizations with effective provide notices benefit upon a regulator's review.

For example, in a complaint against a pharmaceutical firm, the Assistant Privacy Commissioner deliberated as follows:

"Based on her examination of the pharmacy's privacy policy, training materials, operational standards, and privacy brochure, the Assistant Commissioner was satisfied that these were comprehensive and fully addressed the company's obligations under Schedule 1 of the Act."

Risk Mitigation

Consumers with complaints, privacy advocates, media, and competitors review the organization's privacy policy when they plan to file a complaint with the regulators or take legal action. Transparency mitigates the risk associated with these readers because it may:

  1. reduce the number of complaints, since an effective notice provides consumers with the answers to their privacy concerns; and
  2. provide the privacy commissioner's office involved with the necessary information to quickly deal with the complaint and eliminate the need for a full investigation.

Effective notice through transparency in online privacy policies is a critical component of an organization's consent strategy and is required by privacy laws.

Multi-Layered Privacy Notice - Organizations are required by law, by regulators, and by best-practices to provide clear, complete, and timely disclosure of their information handling policies and practices. This increased need for comprehensive detail has resulted in privacy notices that consumer and regulators find written in language considered too legal, too wordy, and generally too difficult to understand. Consumer studies find these types of policies create a feeling of distrust because consumers believe the organization is hiding the true uses of their personal information. Providing notice in this manner conflicts with building consumer trust.
 
Solution: Multi-Layered Privacy Notice - To solve the conflicts and challenges of long and complicated privacy notices, a concept was introduced by a Berlin Memorandum of the Working Party under Article 29 of Directive 95/46/EC in December 2004.

This working group outlined the concept of multi-layered privacy notices, which include these elements:

  • very short notice - one sentence to be used on cell phones and coupons that have very limited space;
  • short notice - one-page notice providing key and relevant elements of the organization's privacy policies and practices; and
  • full notice - complete disclosure, in Canada usually in the form of a privacy policy.

The belief was that multi-layered privacy notices best meet the challenge of providing the full disclosure necessary to comply with laws while building consumer trust.

Short Notice

The short notice is typically the initial notice that an individual receives. Three common short notices are:

  • the first layer of an online privacy notice;
  • a brochure mailed to consumers; and
  • a poster physically posted in view of consumers, say in customer service or retail areas.

The goal of this notice is to provide the essential information in a highly readable and comparable format. Short notices provide consumers with:

  • a sense of control over their personal information;
  • a sense of security that their information will be safe; and
  • a sense of importance, and that the organization is upfront and outlines how its information will be used.

Privacy Facts Statement

Example Privacy Facts Statement - The Berlin Memorandum defined a format for short notice, based on considerable research, that is made up of seven sections or less, up to 27 components, and must fit onto one page. Nymity refers to this short notice format as a Privacy Facts Statement.

The wide use of Privacy Facts Statements will provide consumers with a standard format with which to compare organizations' privacy policies and practices. This approach allows individual consumers to make quick and informed decisions, thereby increasing their trust in an organization. Privacy Facts Statements further benefit the organization by linking the short notice to the full notice, thus meeting legislative obligations and mitigating privacy risks.

Many organizations have already begun using this standardized short notice format, including Equifax Canada, JP Morgan Chase, Microsoft, P&G, and Kodak. Several public sector organizations also have implemented short notice, including the Privacy Commissioner Office of British Columbia, the US Postal Service, and the Australian government.

Privacy Facts Statement

Nymity's Short Notice Guide - Nymity has published a guide to help organizations create Privacy Facts Statements based on the Berlin Memorandum. The guide provides specific details for creating short notices including tips and examples.
The guide can be found at www.nymity.com.

Full Notice

Full notice, typically in the form of a privacy policy, should provide detailed disclosure of the organization's information handling policies and practices. It is the critical component for building trust and mitigating risk through transparency.
Nymity's research has culminated in a comprehensive toolkit for creating privacy policies based on transparency. This transparency toolkit reaches over 130 privacy provisions and is published in Nymity's Canadian Notice Index. Learn more at www.nymity.com.

"Additional Information" in Notices

Multi-layered privacy notices often include links to information that provides additional value to consumers and helps increase trust. This includes:

  • a frequently asked question section;
  • a definitions section; and
  • a section that helps consumers safeguard their own personal information by explaining identity theft, phishing, spam, and viruses.

Customer Contracts

Multi-Layered privacy notices should link to, or form part of, a customer contract. This linking will go further to mitigating risk as contracts outline customer and organization obligations. In some cases, full transparency will result if customer contracts are made readily available prior to the consumer providing personal information.

Conclusion

Effective privacy notice must be a key component in an organization's privacy management program. Being transparent provides organizations with many business benefits, as it is critical to building trust and mitigating privacy risk. The increasing complexity of providing notice can be addressed in your organization by creating a multi-layered privacy notice. In doing so, your organization should create a short notice that links to a full notice, most likely your organization's privacy policy.

Next Steps

  1. Read Nymity's Short Notice Guide (www.nymity.com) to learn how to create a short notice based on the international standard.
  2. Upgrade your privacy policy/full notice prior to creating a short notice.
  3. Recommendation: Use Nymity's Canadian Notice Index, which provides extensive research for creating effective privacy policies and notices.
  4. Once the short notice is created, contact Nymity so that your firm can be listed in the short notice directory.
  5. Submit your policy for Nymity's next assessment of privacy notices for the Top Privacy Policy in Canada awards.

Special Thanks

Special thanks to Malcolm Crompton of Information Integrity Solutions, Martin Abrams of the Center for Information Policy Leadership, Robin Gould-Soil and Anna Sheehan of TD Bank Financial Group, Wally Hill of the Canadian Marketing Association, Steve Heck of Microsoft, John Wunderlich of Ceridian, Bryan Walker of the Canadian Institute of Chartered Accountants, David Young of Lang Michener LLP, Sara Levine of Fasken Martineau, and Patrick Flaherty of Torys LLP.

This paper was completed in cooperation with the Canadian Notice Index Authorized Business

Reprinted with permission. © 2006 Nymity Inc. All rights reserved

Terry McQuay is president of Nymity, Inc., based in Toronto, Ontario. Nymity provides research, education and support services for privacy professionals tasked with providing privacy expertise to corporations and not-for-profit organizations with operations in the U.S. and Canada. For more information, visit www.nymity.com. McQuay can be reached at +416.214.7838 or  by email at terry.mcquay@nymity.com This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .