Saturday 13 March 2010

Comparing the mask(ed privacy policy)

This week, which has seen the world premiere of “Love Never Dies”, the sequel to Andrew Lloyd-Webber’s amazing “Phantom of the Opera”, has set me thinking about privacy policies, and why, in their current form, they appear to be almost useless.

What’s the point of being obliged to provide a notice that almost no one reads? And if they do read it, you have to question why they don’t get out more. Is it because the authors of the privacy policies are being deliberately vague and secretive about their privacy practices? Unlikely. Or is it that there is no generally accepted way of setting them out, so consumers have no real means of comparing like with like? Quite possibly. I have not come across too many policies that require an attention span of the sort Albert Einstein had in order to comprehend them. But, on the other hand, I have not come across too many policies that Homer Simpson would have easily been able to understand and compare, either.

Even in the same industry, companies have a very different approach to the concept of just how much information needs to be put in a policy. In the telecommunications industry, for example, I can print off an Orange privacy policy on about 4 pages. But I need to stuff 30 pages into the printer if I want a permanent record of Vodafone’s privacy policy. Is one company being any fairer or more transparent than the other? Probably not. They just have a different view about what it is that they would like to say.

And I suspect that the proportions of customers who have read these policies are pretty similar.

Is there another way? – Perhaps a new way of being more informative? After all, when I want to compare airlines, it’s easier – as they set the information out in a more navigable way. Or when I want to know what film to see at the weekend, I know where I can go to compare the reviews (as well as what time each cinema is showing it).

Why can’t we develop the same concept in data protection terms?

If I were a customer, thinking of buying a particular web application or electronic service, I might well want to read material which helped me answer the following questions, in order that I could understand how my privacy was being respected:

Who is providing me with this application/service?
- how can I contact them?
- what will happen as a consequence of my using it?
- how might it cause me any harm?

What information about me or my usage will be created?

With whom may the information be shared?
- how can I exercise any choices about this?

For how long could the records exist?
- how can I access them?
- can I delete any of them?

I quite like the idea of the information being provided simply, and in an easily comparable format. So long as data controllers are transparent in setting “customer expectations”, then presumably customers are capable of looking after themselves. With the exception of “public services”, customers are not generally “forced” to consume many types of electronic services. They generally “decide” to buy or consume these services. Special measures will obviously need to be in place for vulnerable customers, if the service is directed at, or capable of being used by, vulnerable people. But surely these are a minority of services that are now delivered electronically. And I presume that the more socially responsible data controllers will place the electronic services that are more capable of causing harm behind age restriction barriers.

I’m not sufficiently close to the application or electronic service development community to fully appreciate the format in which they all like guidance, or requirements, to be delivered to them. The developers I know prefer working from lists of requirements rather than finely balanced statements – but that may not be a representative sample of the developer community as a whole.

My only other thought in this blog is that I’m not sure what governance process might need to be created to monitor compliance with these standards. If businesses have committed themselves to the principles, then it follows logically that they have also committed themselves to enforcing the principles. Who, in practice, will be monitoring the standards, and who, in practice, will be removing apps from the stores when they do not meet the relevant standards, is something I may return to in a future blog. Is it the Office of Fair Trading, or the Information Commissioner's Office?

Or, in the event of serious disputes between individuals and data controllers, perhaps someone who used to work at both the OFT and the ICO?

Step forward again, Richard Thomas!