Note: This post is part of a series on the Mid-Atlantic Privacy Compass. Over the following weeks, Commissioner White will explore each of its Compass Points in greater detail.
Abstract:
Use of personal information should keep the individual at its heart, and the organisation’s relationship to the individual should guide its decision-making.
Respecting the rights and preferences of the individual builds trust and deepens the relationship.
Tandem individual and corporate actions are needed to protect privacy, not an adversarial, oppositional approach.
Much ink and many photons have been spilled extolling the need to keep individuals at the forefront of privacy activities, so while I am more brief here, know that it is not for lack of importance.
If an organisation were to keep the individual front of mind, they could likely intuit their way to a successful privacy program. What does this individual expect of me? How am I keeping the promises I make to them? What could happen to them if the data is misused? Communications, like privacy notices, should be written to individuals, not to judges or the Internet. Privacy breaches harm a specific person, and it is for that person's sake that we work to prevent them.
The relationship between an organisation and an individual is often considered in the context of receiving the person's consent to process their personal data, and unfortunately, for many organisations that is the sole focus of the relationship. This leads them to communicate details and receive consent, not in the best way for the individual to understand, but in the simplest way to get the signature. Bewildering legalese and long terms of service discourage individuals until they give up and check the box marked "I Consent".
Organisations should think of their relationship to the individual in terms of trust. An individual must trust a business to purchase something online, or they won't risk sharing their financial data or address. Customers reward such efforts to build trust with their loyalty, so it is in organisations' interest to ensure that individuals understand their practices, accept them, and are satisfied with the access, correction, or deletion services that are provided.
Organisations should be encouraged to, and rewarded for, working with individuals to help them understand what is happening with their data. We can only unlock data's potential, while respecting rights, through communal action. We must ensure that all stakeholders play their part in data protection, and individuals are key stakeholders.
Alexander McD White
Privacy Commissioner