Privacy statements: Providing users transparency and choice

July 9, 2012

A message from Erika Donald, OCIO-Privacy and Policy

So, you've built a new website for your department. The site features a web form to enable visitors to sign up for classes and register for events. You've set up Google Analytics to generate detailed statistics about visitors to your site. Cookies will help deliver web content specific to your users' interests. But have you forgotten something? Did you post a privacy statement? Did you know that all campus websites are required to post one?

The Berkeley Campus Online Activities Policy states:

Technology service providers who collect data via website interfaces must adhere to the provisions of the Privacy Statement for UC Berkeley Websites (https://security.berkeley.edu/content/privacy-statement-uc-berkeley-websites) and must post a privacy statement to notify users regarding the types and uses of data that is gathered. Online service providers may further refine the standard campus privacy statement to include additional privacy provisions, but may not reduce the level of their activities' compliance.

This policy, securely rooted in the Fair Information Practice Principles (FIPPs), asserts that Berkeley websites will be transparent in their data collection practices and will provide users with sufficient information so that they can make an informed choice about the personal data they share online. [1]

Personal data

Personal data — often referred to as "personally identifiable information" — is

any data about an individual maintained by an agency (or entity), including (1) any information that can be used to distinguish or trace an individual's identity, such as a name, Social Security Number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. [2]

In other words, the data you collect may become personally identifiable information when it is combined with information that could likely come into your possession. Examples include student or employee records with name, ID, family member's name, or address; and financial records with name or account number.

The privacy statement

A good privacy statement lets users visiting your site know what kind of personal data will be collected and with whom it will be shared; how that data will be protected; and how long it will be retained and how it will be disposed of. The privacy statement must inform users about how their personal information will be collected, used, and stored, and whether third parties will have access to it. Simply linking to the Privacy Statement for UC Berkeley Websites is not enough to be in compliance.

The statement must also be easy to understand, accurate in its data collection practices, and posted "conspicuously" on the home page by means of either an icon or text link clearly identified as the privacy policy so that it is readily accessible to your site's visitors.

By making your data collection practices clearly visible and transparent, you provide users the opportunity to make an informed choice about the personal information they share. You also instill trust that you take their privacy seriously.

But remember, trust must be earned. If your privacy statement declares "We will not share your information with any third party," make sure that is indeed an accurate statement. In addition, if your business practices change, make sure that your privacy statement is updated to reflect that change.

As the Fair Information Practice Principles (FIPPs) become the foundation of a new privacy program at Berkeley, the five privacy principles — transparency, choice, information review and collection, information protection, and accountability — will set the stage for how we protect and respect personal privacy at UC Berkeley. Posting a privacy statement on your website demonstrates your commitment to respecting the personal privacy of your user community.

Notes

1. A training course on the Fair Information Practice Principles (FIPPs) is available through the UC Learning Center. For more information, see the iNews article "Privacy awareness training now available."

2. Guide to Protecting the Confidentiality of Personally Identifiable Information (PII): Recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology, US Department of Commerce, NIST Special Publication 800-122, April 2010.