Security vs Privacy

I posted a response to a posting about needing your employees to be privacy aware. I’ve copied my response below. I’d be interested in feedback on my analysis. Basically my argument is that while privacy awareness among employees is good, a business should really be looking at process design to avoid employees being in a position to make decisions about privacy. I need to write more about this!

Bob, I would like to argue that none of the scenarios above are ideally dealt with by making your employees “privacy aware.” I submit three alternative ways of dealing with the issues.

Scenario 1 is a process problem. The process has been designed in such a way as to allow leakage of private customer information. I analogize this to the difference I experienced at the DMV and at a doctor’s office. When I entered the DMV, I was assigned a customer number, and when called to the window I was called by my customer number. At the doctor’s office, a nurse came out and called my name. The process at the doctor’s office is not privacy friendly because it removes my control over who knows my name in the waiting room. In Scenario 1, the process is the problem, not the employee.

Scenario 2 is an information security issue. I understand why many people think this is a privacy issue, but the privacy problem isn’t the retailers’, it is the credit card companies’. They have abdicated their duty and essentially created an information security problem for retailers. Now here, unfortunately, there is a case for security training, but not privacy training, IMHO.

Scenario 3 is again an information security problem. This is the company’s proprietary data, and employees need to be aware of security lapses. If one were to approach it as a privacy problem, you should redesign the way you define relationships and give customers the ability to prove the ongoing relationship (a loyalty card) without keeping their identifying information where it becomes a security issue requiring employee training.

Just my 2 cents.

Personal knowledge

This article makes a good point about the difference between personal use of personal information and the impersonal use of personal information. I would like to expand on that concept a bit here.

For the last few years, I’ve gone to the same barber at the same barber shop near where I live and work. Though he frequently forgets, I almost consider it a dereliction of duty if he doesn’t remember the setting on his shavers or how I like my hair cut. I expect him to know this in order to provide me with quality care. I also talk to him about my personal and professional life, and the conversations are much more than I would share with most companies I do business with. I do this in order to get close interaction with what is a very personal service (grooming and hair care). And while I want that level of interaction with my barber, I would be a bit disconcerted if other barbers in his shop were able to immediately engage me with the same level of knowledge he has built up over the years about me. The point is I don’t expect him to share that information, even within the same business.

While I do clearly see the benefit in a business being able to provide me with very personalized service, I don’t necessarily want that information escaping the confines of how and when I’ve shared it. When I develop a rapport with a particular customer service representative who knows of my travails, I don’t want that representative to gossip about me to others in the firm, even though such is possible and, in all likelihood, probable. What companies need to realize is that they need to find a way of delivering that personal service without the risk to the customer that the information escapes the bounds of the relationship they’ve developed (i.e. hackers, crackers, looky-loos or governments).