David Raab Article Archive

Today’s ever-growing array of privacy regulations has spawned a bewildering variety of products to help manage compliance. Making sense of these is easier if they are placed within a general framework of privacy theory.

The framework starts with the notion that some data are more private than others. Information that can be tied to a specific individual is more protected than information that is not. Among individual information, details such as financial or health history are more sensitive than general information such as name or address.

The second major notion is that there are different uses for data, which again vary in the degree of privacy protection they receive. Information can typically be used freely to achieve the original purpose for which it was provided: for example, to process an order. But use may be more restricted for other purposes, such as marketing. Additional restrictions may depend on whether the user is the original collector of the data or a third party. But the old notion of a company “owning” its customer data, and having a right to use it pretty much however it pleases within its own organization, is increasingly obsolete. Many regulations now limit how certain data can be used regardless of how a company originally acquired it.

The third element of the framework is the individual described by the data. Increasingly this person is given rights to review the data for accuracy and to determine how it may be used.

Surrounding these elements are supporting requirements such as audit trails, authentication, encryption, and review processes. These specify how rules defined within the framework are enforced. Privacy software itself can also be described in terms of the framework components.

List Acquisition and Management Process (LAMP) (The Direct Marketing Association, 212-790-1551, www.preference.the-dma.org) is the Direct Marketing Association’s contribution to simplifying compliance with Do Not Call list legislation. In terms of the broader privacy framework, a Do Not Call list gives an individual a right to control use of his telephone number for marketing calls. Implementing that right requires a way to register preference (the Do Not Call registration process itself) and a mechanism to communicate the preference to potential callers. LAMP provides such a mechanism by combining copies of state and federal Do Not Call lists, a place to store a company’s internally-generated suppression lists, and a way to tag a company’s own files with Do-Not-Call flags. The real value here is saving the administrative effort required to assemble current Do Not Call lists from many sources.

Incidentally, Do Not Call lists are a good example of a regulation that makes no distinction between data “owners” and others: the same restrictions apply regardless of how a company acquired a name. While most regulations allow calls to current customers, this loophole is based on existing business relationships, not ownership by data gatherers.

PrivoLock (Privo, 703-569-0504, www.privo.com) provides a hosted service to manage the permission-gathering requirements imposed by the Children’s Online Privacy Protection Act (COPPA). Like a Do Not Call list, COPPA focuses primarily on individuals’ control over data: in this case, data gathered from minors online. PrivoLock lets a child start to register and then solicits the parental permission to proceed. It authenticates the parent’s identity by asking for a partial Social Security Number, credit card, or other information, which it checks against outside data sources. Parents can also view and correct the data they or their child have provided and specify how the data may be used. The main advantage of Privo is that it assumes responsibility for ensuring the registration process is handled correctly, data is stored securely, and appropriate audit trails are available. Given the substantial financial and public relations penalties for failure to meet COPPA standards, this is of considerable value.

HIPAA Fast Track (HIPAA Accelerator, 847-821-2631, www.hipaaccelerator.com) helps firms comply with the complex data access rules in Health Insurance Portability and Accountability Act (HIPAA) regulations. The system provides modules to notify individuals of their rights, to gather permissions, to let individuals view and change their data, to receive data access requests and check them against existing authorizations, and to notify individuals of data disclosures. The modules are backed by a database to organize the required information and audit trails, document management functions to generate standard forms, and workflow management to control the various processes. Data access modules are written in Java and can be run by any Web browser or Windows PC. While HIPAA Fast Track makes it easier to deploy HIPAA-related processes, it does not provide default procedures or forms. Thus organizations are still on their own to ensure they create processes that comply with HIPAA requirements. Still, HIPAA Fast Track provides a good idea of the complex capabilities required by a serious attempt to give individuals close control over personal data.

Enterprise Privacy Authorization Language (IBM, www.ibm.com, 800-426-4968) is a standard dialect of XML that describes privacy-related aspects of a set of data. It is part of an IBM research initiative to develop a general approach to privacy management. The idea is to associate the privacy rules with the data itself, rather than a particular system or user. Requests for data would pass through a central privacy management system, which would read the privacy rules and determine whether a particular request was acceptable. This ensures the rules are applied consistently regardless of what system is asking for the data. EPAL is somewhat similar to the Privacy Preferences Protocol (P3P) used to describe privacy practices at some Web sites, but the rules it allows are more sophisticated.

Whether EPAL matures into something useful remains to be seen. But it’s interesting as an extreme incarnation of the view that privacy rules apply to specific uses of specific data for specific individuals, independent of who is trying to use the data or how they acquired it. It appears that this data-centric view, rather than the traditional user-centric approach, is the wave of the privacy future.

* * *

David M. Raab is a Principal at Raab Associates Inc., a consultancy specializing in marketing technology and analytics. He can be reached at draab@raabassociates.com.