computing technologies enable the collection, exchange, analysis, and use of
personal information on a scale unprecedented in the history of civilization.
These technologies, which are widely used by many types of organizations, allow
for massive storage, aggregation, analysis, and dissemination of data. Advanced
capabilities for surveillance and data matching/mining are being applied to
everything from product marketing to national security.
Despite the intended benefits of using these technologies, there are also significant concerns about their potential for negative impact on personal privacy. Well-publicized instances of personal data exposures and misuse have demonstrated some of the challenges in the adequate protection of privacy. Personal data -- including copies of video, audio, and other surveillance -- needs to be collected, stored, and managed appropriately throughout every stage of its use by all involved parties. Protecting privacy, however, requires more than simply ensuring effective information security.
U.S. Public Policy Council of the Association for Computing Machinery (USACM)
sector organizations. We urge public and private policy makers to embrace the
following recommendations when developing systems that make use of personal
information. These recommendations should also be central to any development of
any legislation, regulations, international agreements, and internal policies
that govern how personal information is stored and managed. Striking a balance
between individual privacy rights and valid government and commercial needs is
a complex task for technologists and policy makers, but one of vital
importance. For this reason, USACM has developed the following recommendations
on this important issue.
Collect and use only the personal information
Store information for only as long as it is
needed for the stated purposes.
3. If the information is collected for statistical purposes, delete the personal information after the statistics have been calculated and verified.
4. Implement systematic mechanisms to evaluate, reduce, and destroy unneeded and stale personal information on a regular basis, rather than retaining it indefinitely.
Before deployment of new activities and
technologies that might impact personal privacy, carefully evaluate them for
their necessity, effectiveness, and proportionality: the least privacy-invasive
alternatives should always be sought.
Unless legally exempt, require each individual's
explicit, informed consent to collect or share his or her personal information
(opt-in); or clearly provide a readily-accessible mechanism for individuals to
cause prompt cessation of the sharing of their personal information, including
when appropriate, the deletion of that information (opt-out). (NB: The
advantages and disadvantages of these two approaches will depend on the
particular application and relevant regulations.)
Whenever any personal information is collected,
explicitly state the precise purpose for the collection and all the ways that
the information might be used, including any plans to share it with other
Be explicit about the default usage of
information: whether it will only be used by explicit request (opt-in), or if
it will be used until a request is made to discontinue that use (opt-out).
Explicitly state how long this information will
be stored and used, consistent with the "Minimization" principle.
Avoid arbitrary, frequent, or undisclosed
modification of these policy statements.
13. Communicate these policies to individuals whose data is being collected, unless legally exempted from doing so.
Establish and support an individual's right to
inspect and make corrections to her or his stored personal information, unless
legally exempted from doing so.
Provide mechanisms to allow individuals to
determine with which parties their information has been shared, and for what
purposes, unless legally exempted from doing so.
16. Provide clear, accessible details about how to contact someone appropriate to obtain additional information or to resolve problems relating to stored personal information.
Ensure that personal information is sufficiently
accurate and up-to-date for the intended purposes.
Ensure that all corrections are propagated in a
timely manner to all parties that have received or supplied the inaccurate
Use appropriate physical, administrative, and
technical measures to maintain all personal information securely and protect it
against unauthorized and inappropriate access or modification.
Apply security measures to all potential storage
and transmission of the data, including all electronic (portable storage,
laptops, backup media), and physical (printouts, microfiche) copies.
Promote accountability for how personal information
is collected, maintained, and shared.
Enforce adherence to privacy policies through
such methods as audit logs, internal reviews, independent audits, and sanctions
for policy violations.
Maintain provenance -- information regarding the
sources and history of personal data -- for at least as long as the data itself
Ensure that the parties most able to mitigate
potential privacy risks and privacy violation incidents are trained,
authorized, equipped, and motivated to do so.
USACM does not accept the view that individual privacy must typically be sacrificed to achieve effective implementation of systems, nor do we accept that cost reduction is always a sufficient reason to reduce privacy protections. Computing options are available today for meeting many private sector and government needs while fully embracing the recommendations described above. These include the use of de-identified data, aggregated data, limited datasets, and narrowly defined and fully audited queries and searches. New technologies are being investigated and developed that can further protect privacy. USACM can assist policy-makers in identifying experts and applicable technologies.