A FRAMEWORK FOR THE IMPLEMENTATION OF ETHICAL CONTROLS IN INFORMATION SECURITY
6) Security policies and procedures: Company_X should include all of these aspects in its information security policy, from a high to a low level.
4.3 HOW IS THIS PRIVATE INFORMATION OBTAINED?
4.4.2 Functional solutions
Functional solutions allow an organisation to set clearly defined expectations of its employees with regard to securing private information. They also assure customers that the organisation will secure their details and keep all information private.
4.4.2.1 P3P organisation
The P3P organisation has been developed to enable web sites to communicate their privacy policies in a standard machine-readable format. This means that a browser will be able to read and negotiate a suitable privacy policy with the web site: the browser obtains a snapshot of the site's policy, compares that policy with the user's preferences, and finally alerts and advises the user on whether to accept the web site [CONN 00].
Ultimately this P3P standard will provide a standardised scheme that will enable a web site to continue collecting data whilst protecting the user's privacy. The standard will define a set of rules for the collection and dissemination of information as well as formats for privacy disclosure. More importantly, the standard will be implemented in XML, which allows the unique definition of the tags used in the creation of a privacy policy [W3OR 00]. Policies created with P3P can also be adapted to organisations, so that an organisation's web pages and web sites can be associated with the P3P organisation [W3OR 00].
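As an added illustration of the browser-side comparison step just described (example code written for this text, not part of the original page or of any P3P implementation), the Python below parses a constructed P3P 1.0 policy and lists the statements that conflict with a user's preferences; the policy content, the preference sets and the function names are assumptions.

```python
# Added example: a browser-side check of a site's P3P 1.0 policy against the
# user's preferences (the "snapshot, compare, advise" step described above).
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample policy. Statement 1 logs clickstream data for the current
# transaction only; statement 2 keeps name and e-mail indefinitely for telemarketing.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="shop" discuri="http://shop.example/privacy">
  <STATEMENT>
   <PURPOSE><current/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><current/><telemarketing/></PURPOSE>
   <RECIPIENT><ours/><unrelated/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

# Assumed user preferences: practices the user refuses for any collected data.
USER_PREFS = {
    "purpose": {"telemarketing", "contact"},
    "recipient": {"unrelated", "public"},
    "retention": {"indefinitely"},
}

def practices(statement, element):
    """Local names of the practice elements under e.g. <PURPOSE> in a statement."""
    node = statement.find(P3P_NS + element)
    return {c.tag.replace(P3P_NS, "") for c in node} if node is not None else set()

def check_policy(policy_xml, prefs):
    """Return (data ref, category, practice) conflicts between the site's policy
    and the user's preferences; an empty list means the browser can accept."""
    root = ET.fromstring(policy_xml)  # a fetched policy is untrusted input
    conflicts = []
    for statement in root.iter(P3P_NS + "STATEMENT"):
        refs = [d.get("ref") for d in statement.iter(P3P_NS + "DATA")]
        for category, tag in (("purpose", "PURPOSE"), ("recipient", "RECIPIENT"),
                              ("retention", "RETENTION")):
            for practice in sorted(practices(statement, tag) & prefs[category]):
                conflicts.extend((ref, category, practice) for ref in refs)
    return conflicts
```

A real user agent would fetch the policy from the site's P3P reference file rather than embed it, and would present the conflict list to the user as the alert described above.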
This organisation will assist users in understanding privacy policies, but it is not a complete solution yet. Other factors that should be included are detailed below.
4.4.2.2 International issues
The EU Data Directive prohibits secondary uses of data without informed consent. In most instances this means that if an organisation wants to create personally identifiable online profiles, users will have to explicitly opt in online if they wish to have information about them stored. Another consequence is that most sites or organisations will have to give upfront notice when data is being collected, i.e. no web bugs will be allowed. Finally, no transfer of private data to non-EU countries will be allowed unless an adequate privacy protection policy or legislation is in place [CONN 00].
4.4.2.3 Privacy policies
Privacy policies must be displayed on web sites. They let customers, trading affiliates and other participants know about the sites’ privacy practices.
Customers, trading affiliates and other participants can then decide whether or not those practices are acceptable, and whether to opt in or opt out of personalisation of the web page. Ultimately this policy will give customers confidence in the web site, and if they trust the site they will do business there. The only drawback of these policies for customers is that they are long, difficult to understand and can even be hard to find. Finally, it is up to the individual to keep up with any changes to the privacy policy of the web site.
4.4.2.4 Voluntary guidelines and codes of conduct
Numerous codes of conduct and guidelines are available, such as the Association for Computing Machinery (ACM) code of conduct [GOTT 00]. These will be discussed in a later chapter on available standards and codes. It should, however, be mentioned that there are plenty of non-profit organisations that will assist organisations and individuals in creating privacy policies or help to illustrate organisational and individual rights.
4.4.2.5 Seal programs
Another option available to individuals and organisations is to check certification, or to gain certification, from a reputable organisation. These organisations, such as TRUSTe and BBBOnline, give their approval that a web site can be trusted implicitly. The certified web sites in turn give assurance to customers that their information will be kept private.
There are some basic guidelines that will help organisations reassure their customers and educate them in protecting themselves whilst online [DOUB 00] [GREE 00]:
• Organisations should prompt customers to read the web site's privacy policy – They should indicate that a privacy policy describes and details the information gathering and dissemination practices of an organisation’s web site. Customers should understand what types of information are going to be collected and how this information will be used before they do business with this web site. It is then the customer’s decision whether or not to do business with web sites that do not have written privacy policies.
Most web sites put a link to their privacy policy on the home page where it is easy to find. In addition, if a site shares information with a third party, it should tell the customers and give them the ability to restrict such use.
• Customers should check if the web site has a third party privacy seal – This seal will give assurance that a web site is abiding by its posted privacy policy. For example, BBBOnline (a subsidiary of Better Business Bureaus) and TRUSTe seals provide a mechanism to handle the customers' complaints if they feel that this web site has not complied with its privacy policy.
• An organisation should allow the customers to decide what information they want to disclose – Customers essentially want to disclose information only to web sites with business practices with which they are comfortable.
Customers should have the opportunity to contact the web site to find out more about its privacy and security practices before making a purchase.
• The organisation’s web site should remind customers never to tell anyone their password – It should be emphasised that under no circumstances should they disclose their password to anyone. They should also be reminded to use a different password at each web site and to change their passwords often.
• Customers should be encouraged to use a secure browser – The organisation should integrate browser technology that complies with an industry security standard, such as SSL (Secure Socket Layer), SHTTP (Secure Hypertext Transfer Protocol) or SET (Secure Electronic Transfer) protocols. This in turn should be explained to the customer in help pages.
Having seen that there are many functional tools as well as technical tools that can be used as solutions to privacy problems by organisations and consumers alike, it is now necessary to see where this all fits into the structure of the organisation.