Privacy - the First Roadkill on the Information Superhighway? (cont.)

2. Corporate Level
   Instilling trust in customers is crucial to success in electronic commerce. The key lies in the commitment of the corporate in respecting their privacy through the implementation and openness of a privacy-aware policy, built-in security measures in customer interactions including credit card payment, and allowing for anonymity when preferred. The adoption of internationally recognised privacy practices should be well perceived, e.g. The Platform for Pirvacy Preferences (P3) being designed by The World Wide Web Consortium (WW3C), which will enable customers to be informed and to make choices about the collection, use and disclosure of their personal information on the WEB³.
   
   It is worth noting that the Office of the Privacy Commissioner for Personal Data in Hong Kong has issued in February 1998 two privacy protection guidelines with respect to INTERNET, one focusing on preventive measures individual users can take to protect privacy while surfing the INTERNET⁶, the other providing guidance to organisations, including websites and ISPs, to assist them in complying with the common requirements of universally recognised data protection principles in the collection, display and transmission of personal data over the INTERNET⁷.
   
   
3. Professional Level To support the privacy-conscious requirements of businesses and as a social responsibility, respect for the individual's right to privacy should be instilled in every IT professional's mentality as well as incorporated into every corporate culture. Information systems are normally developed within the context of a system life cycle (SLC). In a very simplified form, the SLC traditionally covers stages such as feasibility study, system definition and design, system installation; and system operation and management. In order to deal with privacy protection issues, it would be necessary to make adjustments to the traditional SLC to incorporate them as concerns that should be given considerable attention and priority in the various stages of the SLC. Not only should privacy protection be part of a corporation's mission, but the internationally recognised data protection principles should be prominently stated as part of the objectives of the design of any information system involving personal data. In addition to the traditional considerations of technology assessment and cost-benefit assessment in deciding the introduction of a new service, a new decision factor of "privacy impact assessment" is required. This privacy impact assessment should examine how best the technological solution can cater for business needs while respecting individual's right to privacy.
   
   
4. National Level
   Over 30 jurisdictions in the world have already enacted generic legislation for the protection of personal data of their citizens. With or without such legislation, many countries have also formulated relevant guidelines or codes of practice for specific industries or professions. Usually enshrined in these proclamations is a set of universal data protection principles which secure the rights of an individual with regard to his privacy. The advent of the information superhighway brings a new dimension and challenge requiring tailored measures to supplement the generic data protection legislation. A specific code of practice, or preferably legislation, to cover activities on the information superhighway based on a set of telecommunications privacy principles is essential.
   
   Canada provides a good example of and reference to such telecommunications privacy principles, as expounded by the Canadian Minister of Communications in 1992⁴:

a. Personal privacy considerations must be addressed explicitly in the provision, use and regulation of telecommunications services.
b. Individuals need to know the implications of the use of telecommunications services for their personal privacy. All providers of telecommunications services and government have a responsibility to communicate this information, in an understandable and accessible form.
c. When telecommunications services that compromise personal privacy are introduced, appropriate measures must be taken to maintain the consumers' privacy at no extra cost unless there are compelling reasons for not doing so.
d. It is fundamental to privacy that there be limits to the collection, use and disclosure of personal information obtained by service providers and generated by telecommunications networks. Except where clearly in the public interest, or as authorised by law, such information should be collected, used and disclosed only with the express and informed consent of the persons involved.
e. Fundamental to privacy is the right to be left alone. A balance should exist between the legitimate use of unsolicited telecommunications and their potential for intrusion into personal privacy. All parties have a responsibility to establish ground rules and methods of redress for protection.
f. Privacy expectation may change over time. Methods of protecting telecommunications privacy must be reviewed from time to time to meet these changing expectations and to respond to changing technologies and services.