Robin,

Have you looked into how what you are proposing aligns (or not) with the Ruggie rules and the UN Guiding Principles on Business and Human Rights?

John Wunderlich,

Sent frum a mobile device,
Pleez 4give speling erurz

_____________________________
From: Robin Wilton <racingsnake@fastmail.fm>
Sent: Friday, May 6, 2016 7:56 AM
Subject: Re: Privacy policy or privacy notice: what's the difference? | CIO
To: John Wunderlich <john@wunderlich.ca>, Adrian Gropper <agropper@healthurl.com>
Cc: wg-uma <wg-uma@kantarainitiative.org>, Information Sharing Work Group <wg-infosharing@kantarainitiative.org>


Hi both -
 
This (emboldened, below) is also the reasoning behind the ethical data handling (EDH) work I'm doing in ISOC at the moment.
 
My aim is to increase stakeholders' focus on EDH by providing rationales and practical guidance throughout the product/data lifecycle.
 
Obviously, data subjects ought to like the idea, because it is likely to respect their interests more than the status quo does.
It's trickier to build a compelling case for corporates to adopt EDH (for the reason John suggests below) - but I think there are possibilities:
 
- stating ethical principles externally gives customers and potential customers an indication of good faith - which should have a reputational pay-off for the business;
 
- setting ethical principles internally should help foster a culture of ethical behaviour, which is nice and cuddly, but it should also have the consequence of making compliance easier to achieve and demonstrate. That's a hypothesis, but I propose it because I think people behave better when they buy into the reasons for their behaviour... and "because it's in line with our respect for the customer" is a more powerful motivator than "because I have to tick these compliance boxes". (In terms of the layers I described earlier, it builds a stronger link between stated principles and actual behaviour).
 
If the corporate is both respecting the customer and finding compliance easier to achieve, I believe it is more likely to be effectively mitigating privacy risk, too.
 
As I say, making this compelling for corporates is one of the tricky bits: if anyone has other ideas/suggestions about building the business case (or building the case for non-commercial data controllers, of course!), please please let me know... I'll be speaking on this at CIS New Orleans, University of Vienna, OIX Rome, EWTI Vienna, etc., and you will get full attribution for any contributions!!  (That's naked bribery, I know, but who said I was proud?)   ;^)
 
 
Best wishes,
Robin
 
 
 
 
On Thu, May 5, 2016, at 10:55 PM, John Wunderlich wrote:
Criticizing corporations for focusing on compliance and managing liability is kinda like critiquing a lion for being a carnivore. I take your point, but the solution involves citizen/customer/patient activism to change the context  - like patient privacy rights is doing. 
 
But in the meantime, some corporations and some individuals in corporations want to do the right thing, and should be supported. I don't want to abandon the field just yet. 

On Thursday, 5 May 2016, Adrian Gropper <agropper@healthurl.com> wrote:
I find articles like this and most of what IAPP stands for deeply upsetting. Everything is from the perspective of the institution, mostly compliance. There is not a single mention of the subject's perspective, much less sympathy. 
 
My guess is that 90% of Privacy Notices are 90% identical to the Staples example. Why isn't anyone calling for privacy notices to be standardized - with exceptions for the 10% that might be actually interesting or differentiating? Because of IAPP and the entire mini-industry that lives off surveillance capitalism. 
 
Shameful.
 
Adrian

On Thursday, May 5, 2016, John Wunderlich <john@wunderlich.ca> wrote:
+1 Robin
 
And your list's order correctly, I think, captures the inverse relationship between operational privacy and privacy theatre. 

On Thursday, 5 May 2016, Robin Wilton <racingsnake@fastmail.fm> wrote:
+1
 
Ian Glazer and I wrote about this in our Gartner days (so the results are hidden behind the Gartner paywall, regrettably...).
 
However, a similar discussion surfaced at the ethical data-handling workshop I ran last Friday, and we distinguished between the following layers:
 
 
- Privacy policy statement ( = privacy notice, as defined here); the outward facing doc saying what you want customers to hear.
- Privacy policy: the internal statement of what the organisation thinks it should do
- Business process: the internal statement of what the organisation thinks it does
- Actual behaviour
 
R
Robin Wilton
+44 (0)705 005 2931




This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.