Saturday, July 05, 2008

Changing Perspectives on Privacy

Privacy - totally relaxed or head in your hands?
12" x 16", pencil on Daler heavyweight paper 135lb
copyright Katherine Tyrrell

Earlier this week I commented on privacy and data protection law in the UK and the rest of Europe (see Art societies and art galleries - data protection, privacy and you). It's very apparent to me that levels of data protection awareness are much lower in the art world and art economy than they need to be. Maybe this is because it's something we don't tend to talk about too much?

On Thursday Google announced (A privacy link on Google.com) that it had changed its home page - to include a link to its privacy policy - which, in fact, leads to its Privacy Centre. This provides an overview of its approach to privacy practices, the complete privacy policy in detail and then highlights specifics in relation to different Google products and services such as Blogger, Google Desktop and Gmail. For example:
The Google Desktop application indexes and stores versions of your files and other computer activity, such as email, chats, and web history. These versions may also be mixed with your Web search results to produce results pages for you that integrate relevant content from your computer and information from the Web. Your computer's content is not sent to Google without your explicit permission.
Google Desktop Privacy Policy
It also has videos which explain different aspects. The privacy pages had also been revised earlier to make them rather more accessible with rather less "legalese".

According to the New York Times, Google apparently made this change in response to questions and queries.
Some users, bloggers, and regulatory bodies have asked us why we didn’t have a link, and, after evaluating, we decided that it was the right time to add one.
Steve Langdon, Google spokesperson
- quoted in NY Times article Google Changes Home Page, Adding Link to Privacy Policy
Note, in particular, the reference to regulatory bodies. Google doesn't refer to California by name but apparently California has served or was about to serve a compliance order.

So I took a closer look at the regulatory requirements in the USA.
  • California has data protection and privacy law which is nearly as tough as the European requirements - see the California Online Privacy Protection Act of 2003. This requires people who operate a commercial Web site that collects personal information to link to the privacy policy for that website on its home page. However, NOTE that this is the first time that I've come across this important piece of legislation, which is being more or less ignored by Wikipedia, where it does not even have a page (and that's a first!). No wonder people aren't aware of it! ;)
  • The other important requirement relates to Safe Harbor. The U.S. Department of Commerce's safe harbor program is a certification program for commercial traders which has principles relating to Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement.
A safe harbor is a provision of a statute or a regulation that reduces or eliminates a party's liability under the law, on the condition that the party performed its actions in good faith.
The United States Department of Commerce runs a certification program which it calls Safe Harbor and which aims to harmonize data privacy practices in trading between the United States of America and the stricter privacy controls of the European Union Directive 95/46/EC on the protection of personal data. For more information, see Safe Harbor Principles.
Wikipedia - safe harbor
Again Wikipedia has a notable absence of information about the safe harbor program - that quote and a separate page - an extract from which is quoted below - more or less sums up the information available on Wikipedia!

US companies can opt into the program as long as they adhere to the 7 principles outlined in the Directive. These principles must provide:

  • Notice - Individuals must be informed that their data is being collected and about how it will be used.
  • Choice - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
  • Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
  • Security - Reasonable efforts must be made to prevent loss of collected information.
  • Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
  • Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
  • Enforcement - There must be effective means of enforcing these rules.

Companies must also recertify every 12 months. They can either perform a self-assessment to verify they comply with these principles, or hire a third-party to perform the assessment. There are also requirements for ensuring that appropriate employee training and an effective dispute mechanism is in place.
Wikipedia - Safe Harbor Principles

The government website (see the link at the end) is very long on detail and very short on accessibility! This is the link to the page on the Safe Harbor Privacy Principles.

I then read another New York Times Bits Blog post, Our Paradoxical Attitudes Toward Privacy (2nd July 2008). It covers some recent research work by Carnegie Mellon behavioral economist George Loewenstein, who is the Herbert A. Simon Professor of Economics and Psychology at Carnegie Mellon University in Pittsburgh. Behaviour is apparently paradoxical. This seems to suggest:
  • personal guards are lowered and we're more likely to give personal data away when we're feeling relaxed. Consequently informal rather than official sites are likely to be more successful at extracting data from us.
  • if we're assured that any data we provide will be treated confidentially we're less likely to be honest and provide accurate data
  • unprofessional / informal sites are more likely to present a privacy risk
Our privacy principles are wobbly. We are more or less likely to open up depending on who is asking, how they ask and in what context.
New York Times - quoting research findings
It occurs to me that maybe the paradox also extends to the level of attention given to privacy by sites which ought to be acting responsibly. The more there is a need for website owners to protect personal data, the more likely they are to remain ignorant of their responsibilities. Why on earth has it taken Google this long to put a link to its privacy policies on its front page?

Anyway, as a result of having read the two NY Times articles, the California requirement and the extremely limited information on Wikipedia about safe harbor:
  • I have now changed both my websites so that there is an explicit link to the site privacy policy on the front page (rather than just on the pages where I have links to mailing lists).
  • I'm now wondering whether all bloggers who are selling from their blogs also need a link to a privacy policy in their side column........and I think I'm leaning towards concluding 'why not?'.
I'll leave you with some questions:
  • Do you think you know enough about privacy and what the law is in different places?
  • How do people who buy your art know that you will protect their personal data?
  • Are you making any changes to how you deal with privacy on your website and/or blog?
  • Does anybody want to participate in a search for good practice examples of privacy policies?
If you know of a good example of a privacy policy - legal, honest and accessible - then leave a link in the comments section below.

Note: The drawing at the top is one done in the Free Drop In Life Class which is generally run on the first Thursday of each month during term time at the Prince's Drawing School in Shoreditch. The model is the same person. He swopped between poses about every 5-10 minutes for about 25 minutes. The challenge was to get the same person on the same page and to plan the drawing and relationships from the beginning. Try it at home! Life classes for a fee are also run in the evening during term time - and you can sign up for the Autumn Term now.
