Privacy Diagnostic

Developed by the United States Council for International Business' Information Policy Committee and Working Group on Privacy and Transborder Data Flows

~ Contact: David A. Fares, tel: 212-703-5061, e-mail: dfares@uscib.org ~

Does your company have a privacy policy? ... It should!

THE USCIB IS PLEASED TO PROVIDE YOU WITH THE ATTACHED "PRIVACY DIAGNOSTIC." It is designed to assist companies wishing to establish internal privacy policies and procedures, a corporate project which is becoming more urgent for the reasons set out below.

Privacy protection of consumer information is of increasing concern to both consumers and governments with the advent and rapid increase of electronic commerce. Internet surveys have established that consumers are reluctant to conduct business electronically due to a perception that there is insufficient specification in the area of privacy rights and protection. The Clinton Administration, in its "Framework for Global Electronic Commerce," has called upon industry to address this issue through effective self-regulation. The Administration has clearly stated that the failure of industry to address the need for effective self-regulation will result in solutions dictated by the government, including legislation. The "Framework" directed the relevant executive Departments to submit a report to the President by July 1, 1998 setting forth industry's efforts in this area.

More immediately, the Federal Trade Commission, as of March 1, will begin to survey 1200 commercial websites to assess the extent to which companies disclose how they collect and use personal information. The results of the survey will be included in a report to Congress on the effectiveness of self-regulation.

In order to avoid governmental solutions that will be less workable than effective self-regulation, all sectors of U.S. business must address this issue. The USCIB is in the process of launching a cross-sector inter-industry association initiative to promote awareness of the issue, share information, and perhaps discuss the utility and parameters of joint efforts.

The time for all companies to act is NOW.

The USCIB's Information Policy Committee and Working Group on Privacy and Transborder Data Flows developed the attached diagnostic as a tool for use by companies in developing effective privacy guidelines. We hope that it will be useful to you in your efforts to address the important issue of privacy so as to prevent unnecessary governmental intrusion in the free flow of information, a free flow that is vital to the competitiveness of American businesses.

WHAT'S INCLUDED IN THE DIAGNOSTIC:

· What is Personally Identifiable Information?
· How is it collected?
· Who should be involved in its collection?
· Who controls it?
· How and where is it stored?
· Why collect it?
· How is it used?
· Will it be transferred or shared?
· Are there currently standards regarding Personally Identifiable Information?
· Do redress mechanisms currently exist?
· What are Privacy Principles?
· What are International Principles?

How would a company approach the question of whether it needs privacy guidelines?

Personally Identifiable Information - What is it?

· E.U. Directive Definition
· OECD Definition
· Is an actual identity (name) required or are personal characteristics sufficient?
· Are "cookies" used in the collection process?

How is personally identifiable information collected from EXTERNAL SOURCES?

· Web sites
· Purchased Databases/customer lists
· Census/Directories/public information
· Proprietary databases/customer lists
· Telemarketing activities
· Promotion: redemption, other name gathering techniques
· Sales force-generated information
· Referrals
· Third party Advertisers/web hosts
· Warranty/customer service information
· Investor relations contacts/share-related information
· Customer transactions
· Potential customer inquiries
· Supplier/Partner/service provider information
· Collation of information from various sources
· Data warehousing
· Data mining
· Customer profiling

How is personally identifiable information collected from INTERNAL SOURCES?

· HR - Employment-related
· Employment application/other paperwork
· Employment physical
· Pension/retirement information
· Financial information
  · expense reports, travel
  · flexible spending
  · mortgages
  · relocation assistance
· Insurance related information
  · medical - personal/family
  · personal - beneficiaries/partners
· Child care
· Conflicts of interest/influence disclosures
· Telecommuters (also external)
· Labor/Union
· General Administrative & Security
· Background checks
· Computer/phone/mail logs
· System Administrator Access
· Computer monitoring
· Video/surveillance/general security
· Third Party Collection (from or on behalf of)
· Government required reporting
  · workers compensation
· Charities
· PACS/Lobbying
· Independent contractors/partners
  · shared databases
  · outsourced functions
  · joint development

Who needs to be involved in collecting the above information and in the corporate decision-making process?

· Management
· Legal - M&A
· Marketing
· Finance
· Labor - Union/Worker Representatives
· Investor relations / PR
· Policy / Government Affairs
· Relevant Third party providers / Independent Contractors
· Techies
· System Administrator
· Web Designers
· Communications
· Network
· Security

Who controls the information once collected?

· Is the information shared between the departments?
· Is the information shared with third parties?
· If the information was collected by an "agent," what record of the information do they retain?
· If third party-generated information, is it licensed? co-owned?
· Is the information subject to external restriction?
· Does the controller audit the accuracy of the information?
· Government compliance?

How and where is the information stored?

· Centralized
· Distributed
· Geographic location(s)
· Is the storage location different from the collection location?

What is the purpose for collecting the information?

· Was a primary purpose for the collection disclosed?
· Would a primary purpose be reasonably imputed - delivery, warranty...
· Were any other purposes for the collection of information disclosed?

How is the information used?

· Is the information used for the purpose(s) it was collected?
· Is the information used for other purposes?
· Will the purpose (or character) of the information change?

Transfer/sharing of the information

· Within the company
  · within the same state, province, country?
· Within third parties
  · within the same state, province, country?
· Is the information available on a Computer Network?
  · LAN (Local Area Network)
  · WAN (Wide Area Network) / VPN (Virtual Private Network)
  · within the same state, province, country?
· Will the sharing/transfer of information generate fees/income?
· Is the sharing/transfer of information pursuant to agreement or contract?
· Were the subjects of the information aware of the potential for this sharing/transfer?
· Is this sharing/transfer the result of compliance with or compulsion by Government?
· What is the medium for transmission of the information?
· Is the confidentiality of the information protected during transmission?

Are there existing standards, guidelines, regulations which apply to the collection, control or transfer of the information?

· Regulations/legislation/required record-keeping
  · Federal/Agency
  · State/Agency
  · International
· Industry/Sector practices, standards, norms
  · Formalized self-, co-regulation
  · Company Guideline/Practice
  · Association Guideline/Practice (ITI, DMA...)
  · Third Party (FASB)
  · Adhered to Principles (ICC, COE, OECD)
· Sectoral Issues
  · Information across sectors with different standards
    · collection
    · use
    · reuse
    · accuracy
    · confidentiality
  · Sectoral Stratification (continuum of privacy: vaccine information to highly personal info)

Do redress mechanisms currently exist?

· How are they enforced?
· Are they effective?
· How are they publicized or communicated?
· Has the company experienced privacy policy-related problems?

Privacy Principles: mostly sourced from OECD Guidelines.

· Limitations on the collection of information:
  · Scope needed to accomplish end sought
  · Knowledge/disclosure of what information is collected
  · Consent to collection where practicable (has been read to mean some form of opt-out provision is needed)
· Data Quality
  · Relevant
  · Accurate
· Specified Purpose
  · Why is the information being collected?
  · Specify the use at the time of collection
  · Compatible subsequent uses with stated purpose of collection
· Use Limitation - for purpose specified
· Security - safeguard the information
· Openness - accessible policy and information
· Individual Participation
  · Right to check information
  · Right to have information corrected
· Accountability of Data Comptroller
  · Is the concept of a data comptroller still viable with the Internet?
  · The data controller may be remote from the data collector, user or other parties.

International Principles:

· Avoid developing practices that would create obstacles to international free flow of ideas.
· Consider transborder implications.
· Uninterrupted, secure, free flow of data.
· Do not impose restrictions on countries which substantially comply.

This Diagnostic was created for the benefit of the business community and you may copy and disseminate the diagnostic with the following legend and version/date information:

The USCIB Privacy Diagnostic v. 1.0 (3/98) is a tool for companies to use in evaluating information collection practices and developing privacy guidelines. If you have specific questions on the Diagnostic please send e-mail inquiries to: info@uscib.org with "Diagnostic" in the subject header. Current versions of the Privacy Diagnostic may be found at http://www.uscib.org.

United States Council for International Business
1212 Avenue of the Americas
New York, NY 10036