PRIVACY POLICY

 

This addresses privacy in two ways: 1) it specifies the privacy policy for this site and 2) speaks to why there is a privacy policy for MyBestDocs and what should be considered in writing a privacy policy. The second topic is presented here for the benefit of those less interested in the policy of this site and more interested in what to include and how to undertake preparation of a privacy policy for their own organizations. Although the second topic might more logically be presented first, as a courtesy to viewers, rather than make it difficult for them to find the components of the MyBestDocs policy, it is presented first. Viewers interested only in the second topic should skip down to the section entitled, "Why a Privacy Policy for MyBestDocs".

 

 

MyBestDocs Privacy Policy

 

• What personally identifiable information does this site collect and how? I do not capture any personally identifiable information from visitors of www.mybestdocs.com. Prior to 2002, there was a Guest Book on this site, www.mybestdocs.com/guestbook.html. I have found it necessary to disconnect the sign-up page for the Guest Book after discovering that it had being used by unknown parties to harvest email addresses for SPAM purposes. So long as I am aware, it only happened once before I caught it. As soon as I did, I removed all the personal contact information from all Guest Book entries. I regret that inconvenience and miss not hearing from people that way who have found this an informative and helpful place to visit and leave feedback. I invite you to peruse the entries. I did however keep the Guest Book entries up until that time, without the contact information, and invite you to visit that page. You may run into old friends. In future, I may reopen this page in a manner that suppresses personally identifiable information, except for my own viewing for purposes of responding privately to such visitors. When this happens it will be posted on the home page.
• How is such information used? When it was possible for visitors to leave their names and email addresses in the Guest Book, I used that contact information solely for the purposes of replying to site feedback messages left there by visitors.
• Who information is shared it with without your prior consent? None.
• How is information security for such information maintained? Not applicable. When the Guest Book was active, such information was stored in electronic form on backup disks.
• Can/how can individuals verify information about them and notify us of incorrect information? Not currently applicable.
• Can/how can individuals opt-in/opt-out? Not currently applicable.
• How can individuals contact the Website on this or other subjects by phone, email, postal mail? Initially, contact can be made by email to: info at mybestdocs dot com, following which other email, telephone or snail mail communications will be established if necessary to meet the need. Originally, my business email address was posted on the site. Unfortunately, like the Guest Book, that practice had to be changed because of the activities of email harvesters who were using my email address both to SPAM me and, by spoofing my email address, to send spurious emails to others without my knowledge, some of which contained viruses or inappropriate messages. Thus it became necessary to switch to the <info at mybestdocs dot com> address to establish email contact with people who don't know my regular email address.
• How are individuals notified when the policy changes? Firstly, privacy policies should be very obviously located on the home page. Most Websites locate it at the bottom of the page in very small print. Because people have come to look for it there, it is located there on this site as "Privacy Policy". However, it is also located at the top of the home page the same way for more obvious recognition. Moreover, it is in a font size that is readily readable by human beings. If any changes are made to this site, the date of the change will be reflected on the home page with the "Privacy Policy" heading.

 

Why a Privacy Policy for MyBestDocs

 

Technically speaking, MyBestDocs Website (www.mybestdocs.com) may not require a privacy policy, because no personally identifying information is collected from site visitors since the operation of the site Guest Book www.mybestdocs/guestbook.html was terminated in 2002. Nonetheless, I choose to include one here, because I believe it is important for all Websites and other electronically published information resources, such as discussion lists, blogs, etc., to have privacy policies, even if only to do the courtesy of informing visitors that no personal information is captured or used by the site owner.

 

Another reason a privacy policy is published here is because of questions received from viewers and other colleagues about what should go into a responsible privacy policy. Such inquiries typically ask for examples of good privacy policy models. I could, for example site the privacy policy of the New York Times as an excellent model, but it might contain coverage that wouldn't apply to many organizations. Rather than repeating these things, it is easier simply to point individuals interested in the subject to this one.

 

Privacy vs. Security

 

Sometimes people use the terms privacy and confidentiality or security interchangeably, especially when responding to people who are concerned about why personal information about them that they consider private is maintained by someone else, typically a company or government office. The response, especially from IT professionals, often is: we have this information password controlled, maybe encrypted, and highly secured physically. That, of course, is important to the consumer, but it is separate from the question of privacy. Privacy has to do with what personal information an individual chooses to share with others, and on what terms. Security has only to do with how protected such information is. A company may have the very best security possible to protect information, but it may be information that an individual chooses not to share with that company or anyone else. Or, the individual may agree to share that information, such as a home address and phone number, only for the purposes of a particular service or transaction, and not more.

 

To illustrate, state governments require anyone registering for a drivers license and car registration to provide the person's date of birth, home address, make of car, etc., and will take a (typically unflattering) picture of the applicant. One cannot legally drive without a license and cannot own a car that is being driven without a car registration. One cannot drive without surrendering this kind of information to the state. It is a pre-condition to driving. Some states, however, have sold such information including even photos to organizations with a commercial interest without the permission of the individuals concerned. If you have ever received an unsolicited promotional letter suggesting that you sell your 5-year old car (make and model) and buy a new one of the make being promoted, you will know what this is all about. Outraged citizens have caused most state legislators to pass legislation prohibiting the use of personal information gained for one purpose for other purposes without the prior written consent of the subject of that information, or unless it is clearly stipulated (even if in 10 pages of very fine print) that by requesting this service, you agree that the information you supply will be made available to third party business partners of the organization collecting the information. If not illegal to use personal information for purposes other than which it was requested, it is certainly unethical.

 

Privacy Officers and authors of privacy policies should keep these distinctions in mind when writing or discussing such policies and in training staff on how to deal with questions that may arise concerning an organization's privacy policy. Moreover, they should elevate the discussion of this subject and related risks to CIOs and other executives at the early stages in planning such policies. Failure to do so could easily result in significant legal, ethical and public relations risks once such policies are introduced and published. The best policies are written not only to protect the organization, but also to protect individuals communicating with the organization. The two interests need not be mutually exclusive. For example, when an organization makes the default condition "opt-in" (which means the individual has to specifically initiate a request for a service, such as a newsletter or promotional material, it tells the observant individual right away that this organization is demonstrating concern for the individual's perspective. Unfortunately, most organizations make "opt-out" the default condition. This means that the organization can use personal information or convey it to others without the knowledge or permission of the individual unless and until that individual takes the step of opting out of that condition. This may not be illegal or unethical, but it is certainly not a client friendly or pro-ethical approach. The length, complexity and small print of some such policies understandably wear most people down so that they may never even know that their personal information has been passed on to others. With such policies, one should go straight to the sections on what information is collected, how it is used, and how does one opt in or out. If that information isn't easily located, or if it reveals a policy with which one is uncomfortable, don't go any further. With enough such cases, organizations with such policies may create a very negative image as a poor steward of personal information without even knowing about it.

 

Minimum Topics for Coverage in Privacy Policies

 

In my opinion, every privacy policy should include the answers to the following questions.

• What personally identifiable information does this site collect and how?
• How is such information used?
• Who do we share it with without your prior consent?
• How is information security for such information maintained?
• Can/how can individuals verify information about them and notify us of incorrect information?
• Can/how can individuals opt-in/opt-out?
• How can individuals contact us on this subject by phone, email, postal mail?
• How are individuals notified when the policy changes?

 

— Rick Barry, Editor and Content Manager, MyBestDocs