This page addresses privacy in two ways: 1) it specifies the privacy policy for this site and 2) it speaks to why there is a privacy policy for MyBestDocs and what should be considered in writing a privacy policy. The second topic is presented here for the benefit of those less interested in the policy of this site and more interested in what to include and how to undertake preparation of a privacy policy for their own organizations. Although the second topic might more logically be presented first, as a courtesy to viewers, rather than make it difficult for them to find the components of the MyBestDocs policy, the site policy is presented first. Viewers interested only in the second topic should skip down to the section entitled "Why a Privacy Policy for MyBestDocs".



MyBestDocs Privacy Policy



Why a Privacy Policy for MyBestDocs


Technically speaking, the MyBestDocs Website may not require a privacy policy, because no personally identifying information has been collected from site visitors since the operation of the site Guest Book www.mybestdocs/guestbook.html was terminated in 2002. Nonetheless, I choose to include one here, because I believe it is important for all Websites and other electronically published information resources, such as discussion lists, blogs, etc., to have privacy policies, even if only to do the courtesy of informing visitors that no personal information is captured or used by the site owner.


Another reason a privacy policy is published here is because of questions received from viewers and other colleagues about what should go into a responsible privacy policy. Such inquiries typically ask for examples of good privacy policy models. I could, for example, cite the privacy policy of the New York Times as an excellent model, but it might contain coverage that wouldn't apply to many organizations. Rather than repeating these things, it is easier simply to point individuals interested in the subject to this one.


Privacy vs. Security


Sometimes people use the terms privacy and confidentiality or security interchangeably, especially when responding to people who are concerned about why personal information about them that they consider private is maintained by someone else, typically a company or government office. The response, especially from IT professionals, often is: we have this information password controlled, maybe encrypted, and highly secured physically. That, of course, is important to the consumer, but it is separate from the question of privacy. Privacy has to do with what personal information an individual chooses to share with others, and on what terms. Security has only to do with how protected such information is. A company may have the very best security possible to protect information, but it may be information that an individual chooses not to share with that company or anyone else. Or, the individual may agree to share that information, such as a home address and phone number, only for the purposes of a particular service or transaction, and not more.


To illustrate, state governments require anyone registering for a driver's license and car registration to provide the person's date of birth, home address, make of car, etc., and will take a (typically unflattering) picture of the applicant. One cannot legally drive without a license and cannot own a car that is being driven without a car registration. One cannot drive without surrendering this kind of information to the state. It is a pre-condition to driving. Some states, however, have sold such information, including even photos, to organizations with a commercial interest without the permission of the individuals concerned. If you have ever received an unsolicited promotional letter suggesting that you sell your 5-year-old car (make and model) and buy a new one of the make being promoted, you will know what this is all about. Outraged citizens have caused most state legislators to pass legislation prohibiting the use of personal information gained for one purpose for other purposes without the prior written consent of the subject of that information, or unless it is clearly stipulated (even if in 10 pages of very fine print) that by requesting this service, you agree that the information you supply will be made available to third-party business partners of the organization collecting the information. If not illegal to use personal information for purposes other than that for which it was requested, it is certainly unethical.


Privacy Officers and authors of privacy policies should keep these distinctions in mind when writing or discussing such policies and in training staff on how to deal with questions that may arise concerning an organization's privacy policy. Moreover, they should elevate the discussion of this subject and related risks to CIOs and other executives at the early stages in planning such policies. Failure to do so could easily result in significant legal, ethical and public relations risks once such policies are introduced and published. The best policies are written not only to protect the organization, but also to protect individuals communicating with the organization. The two interests need not be mutually exclusive. For example, when an organization makes the default condition "opt-in" (which means the individual has to specifically initiate a request for a service, such as a newsletter or promotional material), it tells the observant individual right away that this organization is demonstrating concern for the individual's perspective. Unfortunately, most organizations make "opt-out" the default condition. This means that the organization can use personal information or convey it to others without the knowledge or permission of the individual unless and until that individual takes the step of opting out of that condition. This may not be illegal or unethical, but it is certainly not a client-friendly or pro-ethical approach. The length, complexity and small print of some such policies understandably wear most people down so that they may never even know that their personal information has been passed on to others. With such policies, one should go straight to the sections on what information is collected, how it is used, and how one opts in or out. If that information isn't easily located, or if it reveals a policy with which one is uncomfortable, don't go any further.
With enough such cases, organizations with such policies may create a very negative image as poor stewards of personal information without even knowing about it.


Minimum Topics for Coverage in Privacy Policies


In my opinion, every privacy policy should include the answers to the following questions.


Rick Barry, Editor and Content Manager, MyBestDocs