Trusted transparency - Connecting the dots between what you say and what you do

This year’s Privacy Week theme – trust – got us at Simply Privacy thinking about the role of transparency in the trust picture. Transparency is a well-known privacy concept. It’s not news that being open about how personal information will be used and shared is a critical part of building trust in the way an agency will handle personal information. But transparency alone is not enough. We need to strive for trusted transparency.

It’s easy to write a privacy statement. There are examples of privacy statements all over the Internet. We “read” them every day, perhaps even many times a day. We know generally the types of personal information our agencies collect, the broad purposes for which they use it (you know, to deliver services, to communicate with you, to keep people safe…). So there is a temptation to draft a boilerplate privacy statement, publish it online, and pat ourselves on the back for being transparent, upfront and open with our customers. But this is not trusted transparency. It’s not even real transparency. It’s a half-hearted compliance approach that fails to meet the spirit of the Privacy Act’s transparency principle. It leaves an agency’s trust balance dangerously vulnerable, because it won’t take long for customers to learn that, in fact, the agency does a whole lot more with their data than it said it would.

Trusted transparency describes something much more. This idea sits at the heart of the concept of “notice of purpose”, which underpins New Zealand’s privacy regime. Under the Privacy Act, an agency may set its lawful purposes and use these to decide how it will use and share personal information. Once it has conveyed these purposes to its data subjects, it may use and share personal information in these ways. However, this flexible and enabling legislative approach must be balanced with responsibility and accountability. For this concept to function, we rely on agencies being honest about their purposes, and being accountable for ensuring that personal information is in fact used and shared only for these purposes. If transparency, use and disclosure are each separate elements in the data lifecycle, trusted transparency is a way to meaningfully link them together. It can assist an agency to ensure it is being responsible and accountable.

Thus, transparency alone is not enough. It is not sufficient to publish a boilerplate privacy statement and leave it to fall into obsolescence. To achieve trusted transparency, an agency needs to develop a framework that ensures its privacy statement is properly integrated into the fabric of its operations, and can truly be trusted by its audience. This framework might include the following steps:

  1. Consult and engage with your business before drafting a privacy statement, collecting the facts you need to ensure that it truly captures the personal information you are collecting, the ways you are using it and with whom you are sharing it.
  2. Once you have published your privacy statement, work hard to make sure the employees in your agency know about it and read it. They need to know what your agency is telling its customers. It’s your privacy statement that should truly dictate how you use and share personal information, not an internal privacy policy. (That said, make sure your internal privacy policy requires employees to ensure they only use and share personal information in the ways set out in the privacy statement.)
  3. Give employees the opportunity to raise discrepancies between the privacy statement and actual practice that weren’t picked up in your first consultation. Keep a record of these, as they’ll feed directly into the review and update process in step 6.
  4. Use your privacy statement as the measure for when employees need to consult with the Privacy Officer to make sure personal information can be used or shared in a particular way. If the use or disclosure is not clearly covered in the privacy statement, the agency will need to determine what lawful basis it might have to use or share information in a new way.
  5. In your privacy impact assessment process – however mature it may be – include a requirement to ensure that changes are measured against the contents of your privacy statement. This can be a good way to establish if proposed changes stray a little too far from customer expectations and need to be reined in. It also captures any changes that may be required to the privacy statement to reflect the project, which brings us to step 6.
  6. Establish a regular privacy statement review and update process, perhaps annually. This will allow you to ensure that the privacy statement remains accurate and up to date, reflecting any changes to privacy laws or internal processes and practices you’ve been made aware of during the preceding period.
  7. Make sure you keep your data subjects informed of any significant changes to your privacy statement. Remember, while you may not be relying on consent to use or share personal information in a particular way, your customers may have decided to use your agency based on what you told them about their data. If you change that message, you need to be upfront about this, so customers can maintain some control over their information.

Perhaps Privacy Week should be the week you take a look at your privacy statement, how accurate and up to date it is, and how well it is integrated into your internal business practices. Ask yourself: are we truly delivering trusted transparency, or is this just window dressing?