Security vs Privacy

I posted a response to a posting about needing your employees to be privacy aware. I've copied my response below. I'd be interested in feedback on my analysis. Basically my argument is that while privacy awareness among employees is good, a business should really be looking at process design to avoid employees being in a position to make decisions about privacy. I need to write more about this!

Bob, I would like to argue that none of the scenarios above are ideally dealt with by making your employees "privacy aware." I submit three alternative ways of dealing with the issues.

Scenario 1 is a process problem. The process has been designed in such a way as to allow leakage of private customer information. I analogize this to the difference I experienced at the DMV and at a doctor's office. When I entered the DMV, I was assigned a customer number, and when called to the window I was called by my customer number. At the doctor's office, a nurse came out and called my name. The process at the doctor's office is not privacy friendly because it removes my control over who knows my name in the waiting room. In Scenario 1, the process is the problem, not the employee.

Scenario 2 is an information security issue. I understand why many people think this is a privacy issue, but the privacy problem isn't the retailers', it is the credit card companies'. They have abdicated their duty and essentially created an information security problem for retailers. Now here, unfortunately, there is a case for security training, but not privacy training, IMHO.

Scenario 3 is again an information security problem. This is the company's proprietary data, and employees need to be aware of security lapses. If one were to approach it as a privacy problem, you should redesign the way you define relationships and give customers the ability to prove the ongoing relationship (a loyalty card) without keeping their identifying information where it becomes a security issue requiring employee training.

Just my 2 cents.