Elsevier

Information & Management

Volume 36, Issue 4, October 1999, Pages 213-220

Applications
Personal information privacy: implications for MIS managers

https://doi.org/10.1016/S0378-7206(99)00019-1

Abstract

Recent media attention to information privacy issues has shown that citizens are increasingly concerned about information privacy and their right to it. Governmental and other organizations have been collecting data about individuals at an increasing and, to many, alarming rate. The ability to gather so much information on individuals is largely because of advances in information technology (IT). It is important for IS managers and professionals to understand the issues surrounding personal information privacy in order to protect the rights of those from and about whom they collect data. A model is presented to provide managers guidance in dealing with privacy policy. Taking a proactive stance against privacy invasion could help stave off government intervention in passing legislation to create tighter controls over what can be done with an individual's personal data.

Introduction

Privacy is a fundamental right recognized in the United Nations Universal Declaration of Human Rights, the Council of Europe's Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, the International Covenant on Civil and Political Rights, and many other international and regional treaties. Privacy has been defined as the 'right of individuals to control the collection and use of personal information about themselves.' The right to privacy has become one of the most important ethical issues of the information age [19].

Nearly every country in the world recognizes the right to privacy in their constitutions or laws. While some only provide provisions for such rights as inviolability of the home and secrecy of communications, many recently written constitutions, such as South Africa's and Hungary's, include specific rights to access and control one's personal information. In many countries such as the United States, Ireland, and India where privacy is not explicitly recognized in the constitution, the courts or new laws have identified the right to privacy. In addition, international agreements that extol the right to privacy, such as the International Covenant on Civil and Political Rights or the European Convention on Human Rights, have been adopted into law by many countries.

Privacy, as a right, has roots deep in history. Evidence of the protection of privacy — with a focus on the right to solitude — can be found in early Hebrew culture and ancient China. Other cultures have recognized the right of privacy as a formal concept for centuries: the Greek 'contumelia,' the Roman 'injuria,' the German 'Personlichkeitsrecht,' the Swiss 'Geheimsspare,' and the French doctrine of 'la droit de la personnalite.' The English allowed limited protection only if a collateral property right or breach of a confidential relationship was involved [16].

Privacy laws can be traced as far back as 1361 when the Justices of the Peace Act in England provided protection from peeping Toms and eavesdroppers. During the following centuries, several countries developed privacy laws. The Swedish Parliament enacted the Access to Public Records Act in 1776. This Act required that all government-held information be used for legitimate purposes. In 1792, the Declaration of the Rights of Man and the Citizen proclaimed that private property was inviolable and sacred. Stiff fines were invoked in 1858 as France prohibited the publication of private facts about individuals. In 1890, American lawyers Samuel Warren and Louis Brandeis published a paper that quoted Judge Thomas Cooley's claim that the individual has 'the right to be let alone.' At this point, the whole issue of the right to privacy was the direct result of technology and lifestyle, thereby prompting the rather stinging commentary by Warren and Brandeis: “Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices that threaten to make good the prediction that 'what is whispered in the closet shall be proclaimed from the house-tops'” [32].

The 1948 U.N. Universal Declaration of Human Rights provided a modern privacy benchmark. Article 12 states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks” [31]. Similar provisions can also be found in Article 8 of the 1950 Convention for the Protection of Human Rights and Fundamental Freedoms. From this Convention, the European Commission of Human Rights and the European Court of Human Rights were created to oversee the enforcement of privacy rights. The American Convention on Human Rights Article 11 defines the right to privacy in a manner similar to the Universal Declaration. In 1965, the Organization for American States called for the protection of privacy in the American Declaration of the Rights and Duties of Man.

The advent of information technology (IT) increased interest in the right of privacy issue in the 1960s and 1970s. Largely due to increased surveillance potential and record-keeping abilities of computer systems, laws governing the collection and handling of personal information were demanded. In 1970, the first data protection law in the world was enacted in the Land of Hesse in Germany. National laws soon followed in several countries: the Swedish Data Act of 1973, the United States Privacy Act of 1974, the 1978 Austrian Datenschutzgesetz (DSG), the 1977 German Federal Data Protection Act (BDSG), the Danish Private Registers Act of 1978, and the 1978 French Act on Data Processing Data Files and Individual Liberties [22].

At the international level, two crucial instruments evolved in the 1980s: the Council of Europe's (COE) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Organization for Economic Cooperation and Development's (OECD) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data. The rules contained within these two documents call for the protection of personal information at every step, from collection to storage and dissemination. Individuals also have the right to access and correct or amend their data [7, 23].

Over 20 countries have adopted these documents as the core of their data protection laws [14]. Based on Article 5 of the COE Convention, personal information must be:

  • obtained fairly and lawfully;

  • used only for the original specified purpose;

  • adequate, relevant and not excessive to purpose;

  • accurate and up to date; and

  • destroyed after its purpose is completed.

A renewal of the interest in information privacy occurred in the late 1980s as a result of increased database marketing and telemarketing [8]. During this period, many more countries around the world adopted data protection laws. Information privacy issues remained at the forefront of consumer concern into the 1990s. This attention has been brought about by the increasing impact of IT on daily life [28] and by recent media attention. As evidence of the renewed interest, articles have appeared in newspapers and magazines. Television shows have included exposés involving loss of personal data, and books have been published on privacy. All have contributed to the growing concern about information privacy. However, perhaps the major impact on information privacy and data protection concerns in many countries will come from the two European Directives that provide their citizens with a wider range of protection of their data.

In 1995, the European Union adopted the Directive on Data Protection designed to establish minimum standards for the processing and use of personal data. There were two reasons: (1) to ensure protection of the 'fundamental right' to privacy with respect to the processing of personal data, and (2) to prevent restriction of the 'free flow of personal data' among EU Member States on grounds of privacy protection [9]. The Telecommunications Directive was adopted by the Council and Parliament of the European Union in 1997. This Directive provides for protection to ensure the “fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the telecommunications sector” and to ensure free movement of data, telecommunications equipment and services among Member States [10].

Consumer attitudes about information privacy, concurrent with the increased media attention and the European Union Data Protection Directive, have brought about a significant increase in the potential legal liability for misuse of an individual's personal information [29]. Organizations are being held liable for the improper use of information technology and personal information. Therefore, organizations need to be constantly aware of the issues surrounding personal information privacy and any repercussions that can occur if they do not take precautions to protect the information they collect on individuals. This paper presents a normative model designed to help information system (IS) professionals and managers protect the personal information of their customers and other individuals.

IS professionals and managers should be aware of information privacy issues — especially the potential impact on existing IS and on future systems development. IS managers have the oversight responsibility for information liability as they have the most extensive knowledge of their organization's systems and programs, and an intimate understanding of the data [27]. However, in order to perform this oversight function effectively and to provide justification for increased information security to policy makers, IS managers and professionals must understand the driving forces surrounding individuals' concern about personal information privacy.

Section snippets

Driving forces

There are three main forces driving the growing focus on personal information privacy: (1) new technological capabilities; (2) increasing value of information; and (3) confusion surrounding the definition of what is ethically right and what is wrong [20].

Rights of information privacy

According to Branscomb [4], “privacy law consists primarily in the protection of that private space surrounding one's person into which outsiders should not be permitted to penetrate. Its origins date back to common courtesy and social more that respected the need for private spaces….” Currently, privacy laws in the United States and many other countries do not provide the protection of, for instance, the European Union. For example, the U.S. Privacy Act of 1974 offers only protection against

Privacy policy

The publicity surrounding privacy issues has led to some action. “Our awareness has been raised; our resistance, increased. We must act with vigor and vigilance to ensure our privacy, for it is a right that affects every individual with an identity and a personal history” [11].

Despite privacy laws that have been enacted in many countries, there is still a need to develop national privacy policies that address: the balance between the right to privacy and the right to access; the expectations of

Self-regulation and policy

Self-regulatory policies and procedures may be a way to handle information privacy issues. The Association for Computing Machinery (ACM) has included a section on privacy in its Code of Ethics and Professional Conduct. Their code states that “It is the responsibility of professionals to maintain the privacy and integrity of data describing individuals. This includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to

Implications for managers

Careful consideration of the implications of personal information privacy issues should be a priority in organizations. Conscious and deliberate decisions must be made by upper management on the operation, control, and management of information services [17]. Managers should identify any potential underlying privacy-related problems and be prepared to take corrective actions and appropriate measures to protect the individual's privacy. Table 1 contains a normative model that could be embraced

References (33)

  • R. Karni, A methodological framework for formulating information policy, Information and Management (1983)
  • ACM (Association for Computing Machinery), Code of Ethics and Professional Conduct, Section 1.7, ACM web page,...
  • M.H. Agranoff, Controlling the threat to personal privacy: Corporate policies must be created, Journal of Information Systems Management (1991)
  • I.L. Auerbach, Professional responsibility for information privacy, Journal of Information Systems Management (1985)
  • A.W. Branscomb, Who Owns Information? From Privacy to Public Access, Basic Books, A Division of Harper Collins, New...
  • J. Bresnahan, Up Close and Personal, CIO, 15 May,...
  • J. Bresnahan, The Business Case for Privacy, CIO, 15 March,...
  • Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data,...
  • M.J. Culnan, How did they get my name? An exploratory investigation of consumer attitudes toward secondary information use, MIS Quarterly (1993)
  • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals...
  • Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of...
  • P.F. Eder, Privacy on parade: Your secrets for sale! Futurist 28(4), 1994,...
  • W. Freedman, The Right of Privacy in the Computer Age, Quorum Books, Westport, CT,...
  • R. Gellman, Conflict and overlap in privacy regulation: National, international, and private, in: B. Kahin, C. Nesson...
  • Global Internet Liberty Campaign, Privacy and Human Rights: An International Survey of Privacy Laws and Practice,...
  • J. Hagel, III et al., The coming battle for customer information, Harvard Business Review (1997)

    Sandra C. Henderson is a doctoral student of Management Information Systems in the Department of Management at Auburn University. She holds a Master's of Accountancy with a concentration in Accounting Information System from Florida State University. She received a B.S. in Accounting from Albany State University. Previously, she worked as a controller and IS coordinator for a light manufacturing plant. Her current research interests include information privacy, transborder data flows, and database systems development. She has presented at the SAIS conference.

    Charles A. Snyder is the Woodruff Endowed Professor of Management (MIS) in the Department of Management at Auburn University. He received a Ph.D. in Management from the University of Nebraska. He holds an MS in Economics from South Dakota State University, an MBA from Ohio State University, and a BFA from the University of Georgia.

    His more than 100 refereed publications have appeared in leading journals such as The Journal of Management Information Systems, Information and Management, The Academy of Management Review, The Academy of Management Executive, California Management Review, Data Management, The International Journal of Man–Machine Studies, The Journal of Information Systems Management, IEEE Transactions on Engineering Management, The Journal of Engineering and Technology Management, Production and Inventory Management Journal, and Decision Support Systems. He has published many scientific Proceedings articles, technical reports, and book chapters. He is co-author of The Management of Telecommunications, published by Irwin McGraw-Hill.

    He has extensive management, research, and consulting experience. His research interests include knowledge management, information resource management, expert systems, computer-integrated manufacturing, systems analysis and design, and telecommunications management. Dr. Snyder is a member of SIM, DSI, ACM, IEEE, IRMA, AIS, SAIS, and other major professional societies. He is the past President of the Alabama SIM and the Southern MIS Association. He is currently a member of the Society for Information Management working group on knowledge management and is Alabama representative to the International organization. Dr. Snyder has consulted to such firms as AT&T, BellSouth, South Central Bell, TRW, Coors, and software companies. He serves as a director of five organizations. Before his academic career, he served for 20 years in a variety of operations, staff, and command positions as an officer in the USAF.
