The IT Law Wiki


A privacy policy is

a written, published statement that articulates the policy position of an organization on how it handles the personally identifiable information that it gathers and uses in the normal course of business. The policy should include information relating to the processes of information collection, analysis, maintenance, dissemination, and access. The purpose of the privacy policy is to articulate that the agency will adhere to those legal requirements and agency policy determinations that enable gathering and sharing of information to occur in a manner that protects personal privacy interests. A well-developed and implemented privacy policy uses justice entity resources wisely and effectively; protects the agency, the individual, and the public; and promotes public trust.[1]
[a] set of rules and practices that specify or regulate how a person or organization collects, processes (uses) and discloses another party's personal data as a result of an interaction.[2]
[a] legally binding notice of how an agency handles an information contributor's personal data. The privacy policy should contain details about collecting information and secondary uses of data, including how information is shared with third parties and who those third parties are.[3]


A privacy policy usually includes at least the following four points: notice (notifying users that the business is collecting data), choice (users have a choice over the data being collected), access (users can access the collected data) and security (the business protects the collected data).

Federal law does not require all firms to post a privacy policy. Several laws require covered entities to provide certain types of privacy policies or notices. For example, the Gramm-Leach-Bliley Act and the Children's Online Privacy Protection Act of 1998 require covered entities to provide a privacy policy.[4] Rules implementing the Health Insurance Portability and Accountability Act of 1996 require covered entities to provide notice of how protected health information they collect is used and shared.[5]

Core concepts

The following core concepts should be addressed in any privacy policy:

  1. Purpose Statement — What is the purpose of the privacy policy? Articulate the importance of privacy in the organization's environment, and explain what the policy will accomplish.
  2. Policy Applicability and Legal Compliance — To whom does the policy apply and under what authority does the entity operate? Articulate what laws, statutes, and regulations apply to the entity's conduct and to its operating policies.
  3. Governance and Oversight — Who is responsible for oversight, development, implementation, and enforcement of the policy? Identify those charged with these tasks and their responsibilities.
  4. Definitions — What key words or phrases are regularly used in the policy? Define terms that are not commonly known or have multiple meanings.
  5. Information — What information does the policy apply to and how is it handled? Identify information that may or may not be sought, retained, shared, or disclosed and the processes for labeling and categorizing the information, including limitations of its use.
  6. Acquiring and Receiving Information — What are the policies that require that information be obtained legally? State the agency’s position that information acquired or received must comply with applicable law.
  7. Information Quality Assurance — How is information quality addressed? State the process for ensuring the quality of collected, maintained, and disseminated information.
  8. Collation and Analysis — What are the parameters for collation and analysis? State who is authorized, what information is analyzed, and for what purpose.
  9. Merging Records — What are the parameters for merging records? State who is authorized, the criteria for merging, and the policy for partial matches.
  10. Sharing and Dissemination — What are the conditions for sharing information inside and outside the agency? Identify levels of access, credentials, policies, and the public records process.
  11. Redress — What is the process for disclosure and correction of information? State the conditions for disclosure to individuals and the procedures for corrections, appeals, and complaints.
  12. Security Safeguards — How is information kept secure? Specify the administrative, technical, and physical mechanisms to secure information and breach notification procedures.
  13. Information Retention and Destruction — How long is information retained? State the retention period and procedures for the review, purge, and destruction of information.
  14. Accountability and Enforcement — How do you ensure transparency, accountability, and enforcement? Specify how the policy is provided to the public, the schedule for policy updates, the point of contact for inquiries and complaints, the process for reporting violations and evaluating compliance, and sanctions for noncompliance.
  15. Training — What are the training requirements for the privacy policy? State who is required to receive privacy policy training and what is covered by the training.[6]

Benefits of a privacy policy

"A strong privacy policy is good public policy, because it is responsive to widely held public expectations about the collection and use of information about individuals and the fair and open operation of a democratic government."[7]

Why they are ineffective

There are several reasons that privacy policies are ineffective:

  1. Privacy policies are difficult to read
  2. They lead consumers to believe that their privacy is protected
  3. The amount of time required to read privacy policies is too great
  4. There is not enough market differentiation for users to make informed choices
  5. Potential dangers are not salient to most users. And even when they are salient, they are difficult to evaluate against the benefits of using a particular website. Thus, most users rely on heuristics and suffer from cognitive biases.[8]

Privacy policy vs. security policy

"A privacy policy is different from a security policy. Although security policies protect certain aspects of privacy, their main function is to protect organizational assets and the organization's reputation. They do not focus on protecting individuals from harm, consider whether personal information should be gathered or collected in the first place, address data quality, specify how information and intelligence should be used or stored and with whom it should be shared, or establish policy on retention. A comprehensive privacy policy will address both security and privacy, including key privacy, civil rights, and civil liberties protection issues."[9]


This page uses Creative Commons Licensed content from Wikipedia.