Calendar of Events Weather Traffic and Transportation Message Board Directory
for on This Site All the Web Google
 

 

Law & Technology

Law and Technology

Privacy Policies and Fair Information Practices

By Deborah Pierce

Dec 20, 2001 -- Third in a series

What rights does a Web site--or any other data collector--give you with regard to the information that has been collected about you? Can you view the files it's keeping on you? Amend them? Delete them? How much access do you have? Can you see everything that has been collected about you or just a part of it?

This article will discuss the "Access" provision of Fair Information Practices. The sidebar has links to Web sites with more information including (for those who missed last issue) the core elements of Fair Information Practices (Notice, Choice, Access, Security, and Enforcement).

Access

We're all becoming aware that corporations gather a lot of information about us. The information collected comes from numerous sources: our credit card purchases, cable TV subscriptions, banking habits, browsing e-commerce Web sites, and, in some cases, public records. At some point you may want to see what information a particular company is storing about you. So, you call it up and ask to see the data. Seems pretty straightforward, right? Well, not so fast.

Fairly quickly, we begin to descend into a morass. What exactly does "access" to "your personal information" mean? Does it mean that you get to see all of the information stored about you, but not change any of it? Do you get to see the whole file, or only parts of it? If you don't want the corporation to keep information on you, can you demand that it delete the data?

Assuming that you've resolved that question, the next question becomes "Access to what?" Is it only personal information you are after? What about transactional information--information such as a list of your deposits and withdrawals at the bank constitutes--or the logs of Web sites you visit? Corporations gather data from a wide variety of sources, including partners and affiliated companies. Should you have access to information gathered from a partner company? What about a partner of a partner? Where does one draw the line?

The Federal Trade Commission's Advisory Committee on Online Access and Security

As a member of that committee, I can testify that we tried very hard to answer the above questions--with mixed results. A link to the final report can be found in the sidebar.

We came up with four options:


  1. Total Access: Allow consumers as much access as possible--access to information kept on them.
  2. Default to Consumer Access: Allow consumers access to personal information collected on them, if the information could be retrieved in the ordinary course of business.
  3. Case-by-Case Including Sectoral Considerations: Exactly what it says--consider things on a case-by-case basis.
  4. Access for Correction: Allow access only if the information determines whether the consumer gets a "significant benefit," and then only if access is likely to produce an improvement in the accuracy of the information that justifies the costs.


Web links
Privacy Rights Clearinghouse (for more information about “access”)
http://privacyrights.org

The Federal Trade Commission’s Advisory Committee on Online Access and Security
http://www.ftc.gov/acoas/papers/finalreport.htm


Fortunately, our task was not to reach consensus, but to present options to the FTC. As a consumer privacy advocate, my viewpoint was represented best by Option No.1. If a company is collecting and storing personally identifiable information about you, you should have access to it.

We spent much time in the committee discussing the cost to companies if they provided access to everything. The consensus of the corporate representatives was that the cost could be quite high, high enough that that cost would be passed on to consumers. Those of us on the consumer side questioned whether all of information collected was actually necessary. And, if the corporation isn't actually using the information, then why collect it in the first place?

How does the principle of access play out in the real world? One very important privacy law, The Fair Credit Reporting Act, allows people to view their own credit reports. In cases of identity theft, being able to view the complete contents of all transactions in the report can help limit the damage. If you couldn't see the files, the credit reporting companies are keeping on you, you may not find out until much too late that another person has stolen your identity.

The question of access is likely to become even more important very soon. Data collectors--credit reporting companies and others--are suggesting that their information might be useful for background checks, for everything from previously non-sensitive jobs to purchasing airline tickets. What databases are potential employers and airlines accessing to determine that you're not a threat? If you can't view the contents of that file, and the information in it is erroneous, procedures should be in place to allow you to view and amend or delete the incorrect information.

What can you do?

The good news is that under the access provision of the Fair Credit Reporting Act, you do have some rights under the law. You can get a copy of your report and make amendments and deletions.

If you're doing business with a company online, read their privacy policy. In an off-line situation, ask to see any written policies a company may have on its data-handling practices. Does the corporation follow fair information principles? What information is it collecting? What are your options? I hate to sound like a broken record, but if you aren't satisfied, consider doing business with another company.


Reader Comments

Discuss this article in the forums!

   No comments yet!
 

© 2008 Seattle Press on Line.

Powered by JournalMaker.