|“||[a] set of rules and practices that specify or regulate how a person or organization collects, processes (uses) and discloses another party's personal data as a result of an interaction.||”|
- Policy Applicability and Legal Compliance — To whom does the policy apply and under what authority does the entity operate? Articulate what laws, statutes, and regulations apply to the entity's conduct and to its operating policies.
- Governance and Oversight — Who is responsible for oversight, development, [[implementation], and enforcement of the policy? Identify those charged with these tasks and their responsibilities.
- Definitions — What key words or phrases are regularly used in the policy? Define terms that are not commonly known or have multiple meanings.
- Information — What information does the policy apply to and how is it handled? Identify information that may or may not be sought, retained, shared, or disclosed and the processes for labeling and categorizing the information, including limitations of its use.
- Acquiring and Receiving Information — What are the policies that require that information be obtained legally? State the agency’s position that information acquired or received must comply with applicable law.
- Information Quality Assurance — How is information quality addressed? State the process for ensuring the quality of collected, maintained, and disseminated information.
- Collation and Analysis — What are the parameters for collation and analysis? State who is authorized, what information is analyzed, and for what purpose.
- Merging Records — What are the parameters for merging records? State who is authorized, the criteria for merging, and the policy for partial matches.
- Sharing and Dissemination — What are the conditions for sharing information inside and outside the agency? Identify levels of access, credentials, policies, and the public records process.
- Redress — What is the process for disclosure and correction of information? State the conditions for disclosure to individuals and the procedures for corrections, appeals, and complaints.
- Security Safeguards — How is information kept secure? Specify the administrative, technical, and physical mechanisms to secure information and breach notification procedures.
- Information Retention and Destruction — How long is information retained? State the retention period and procedures for the review, purge, and destruction of information.
- Accountability and Enforcement — How do you ensure transparency, accountability, and enforcement? Specify how the policy is provided to the public, the schedule for policy updates, the point of contact for inquiries and complaints, the process for reporting violations and evaluating compliance, and sanctions for noncompliance.
Why they are ineffective
There are several reasons that privacy policies are ineffective:
- Privacy policies are difficult to read
- They lead consumers to believe that their privacy is protected
- The amount of time required to read privacy policies is too great
- There is not enough market differentiation for users to make informed choices
- Potential dangers are not salient to most users. And even when they are salient, they are difficult to evaluate against the benefits of using a particular website. Thus, most users rely on heuristics and suffer from cognitive biases.
- Privacy Technology Focus Group Final Report, App. B, at 59.
- Web Services Glossary (Nov. 2, 2004).
- Guide to Conducting Privacy Impact Assessments for State, Local, and Tribal Justice Entities, at 2.
- See 15 U.S.C. §§6502(b)(A), 6803; 16 C.F.R. §312.3(a).
- See 45 C.F.R. §164.520(a)(1).
- 7 Steps to a Privacy, Civil Rights, and Civil Liberties Policy, at 2.
- U.C. Berkeley School of Information, KnowPrivacy 11-12 (June 1, 2009).
|This page uses Creative Commons Licensed content from Wikipedia (view authors).|