Posted by Peter Cullen, Chief Privacy Strategist on the Microsoft on the Issues Blog:
This week, more than 400 policymakers, privacy advocates and industry representatives will be converging in Israel for the 32nd International Conference of Data Protection and Privacy Commissioners.
The conference has commenced this morning in Jerusalem, a city of
both ancient traditions and thoroughly modern influences, and I was
reminded of how that same dynamic is true of privacy in the Internet
age. Yesterday marked the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
These privacy guidelines have served as the basis for numerous privacy
laws in place across the globe. Yet, even these privacy principles need
to keep pace with the changing information environment. In my remarks
today at a panel discussion titled “Notice and Consent: Illusion or
Reality?”, I suggested that individual participation through mechanisms
such as notice and consent remains important to safeguarding users’
privacy, but by itself does not afford enough protection. This is
particularly true given the explosion of information collection and use
that is the fuel of today’s Internet economy. The same is true of the
various legal frameworks that govern data collection, usage, and
sharing. Both are important, but neither is sufficient on its own.
Alongside individual participation and regulatory oversight, another
vital aspect of privacy protection is often overlooked: the role and
responsibility of the organization in maintaining and protecting
Microsoft’s view, as outlined in a new white paper released
today at the conference, is that organizations’ privacy policies and
data management practices most directly influence whether users’
personal information is kept safe or exposed to risk. Therefore, we
believe that organizations—including Microsoft—must hold themselves
accountable for acting to protect users’ interests and taking
appropriate measures to safeguard privacy and personal data, even in the
absence of specific regulatory mandates.
This includes adhering to the essential elements of an accountability-based data governance approach identified by the Centre for Information Policy Leadership (CIPL) and other participants in the 2009 Galway Project. CIPL today is releasing its paper on Demonstrating and Measuring Accountability, an outcome of the 2010 Paris Project.
Accountability is also central to the use-and-obligations model of data
privacy management, in which each organization that receives access to
individuals’ personal information is directly responsible for protecting
data however it gets used or shared.
Another key dimension of accountability for organizations is
establishing a privacy governance framework that encompasses strong data
management policies, standards, and procedures along with
privacy-enhancing protections that are integrated into the
organization’s technology systems and its online services for customers.
Microsoft strives to achieve this through our corporate Privacy Principles and Online Privacy Statement,
which define specific obligations for data use and protection in terms
that customers can readily understand. Also, the company’s Security Development Lifecycle (SDL) process requires our developers to analyze and address potential privacy threats.
In meeting with others who believe in the importance of privacy at
this week’s conference, I am encouraged to hear so many new ideas about
how our industry can better protect personal information. I believe that
shining the spotlight on organizational accountability is crucial for
strengthening public confidence in online privacy and fostering
continued growth in the computing ecosystem.