Policies and Procedures – Page 116 – IS Survivor Publishing

What privacy means (first appeared in InfoWorld)

By: Bob Lewis|In: Business Ethics|Last Updated: September 18, 2000

Can we give the president some privacy? Zippergate, which was a trivial scandal compared to its recent presidential predecessors, pretty much ended it.

Not that the current crop of candidates helps anything by parading their religiosity on their sleeves. It goes beyond poor fashion sense. The presidency already resembles an episode of Big Brother. Why worsen the situation by making yet another private matter public?

Presidential privacy may be both an oxymoron and a hopeless issue, but the issue of customer privacy is very much alive. Consumer advocates thunder (as always) that it’s important, industry (as always) whines that it should be self-policing, and Congress (as always) holds hearings on the subject.

But what’s the subject? “Privacy” is more slippery than a presidential candidate. But since IT helps formulate and implement privacy policies, you need to understand it. And it’s complicated.

For example: Does automated identification violate privacy? Yes! Consumer advocates yell, but does it really? As stated here last week, the Internet has properties of place — your activities in cyberspace happen there, not in your home. The right to anonymity isn’t absolute in actual reality; why should it be in virtual reality?

Everyone knew Norm’s name at Cheers and that didn’t violate his privacy. Presumably, when Norm first began to patronize Cheers he introduced himself to Sam. Sam’s remembering his name was an act of courtesy, not a privacy violation. On the other hand, total strangers can’t just grab your wallet and read your driver’s license, just because they want to. Nor, for that matter, can the police, unless they’re investigating a crime.

This gives you a pretty good guideline. A customer’s right to anonymity isn’t absolute, nor solely a matter of permission, but it also isn’t waived just because they enter your web site, any more than they waive it by entering a department store. Which means your company’s identification process should be explicit and overt … a login process, or a request for permission to set a cookie.

Does privacy mean your company shouldn’t track and predict customers’ buying preferences once you’ve legitimately identified them? Woody knew what kind of beer Norm liked, and that didn’t violate Norm’s privacy — presumably, Norm would have been offended had it been otherwise.

If you tell me something, I don’t violate your privacy by remembering it. If you buy something, pay with a credit card, and provide a shipping address, the seller doesn’t violate your privacy by recording the transaction and using the information.

Until it sells the information to another company. It’s fine for Sam to know whatever Norm tells him about Vera; it isn’t fine for Sam to sell Vera’s name, address, telephone number, and size to the lingerie shop down the street.

But what if your company owns both Cheers and the lingerie company? That’s a bit fuzzier. So in your privacy policy, list the companies and brands that share customer information. If you state the policy and your customers agree to it, there’s no privacy violation; if they don’t agree to it they can take their business elsewhere. It’s a matter of mutual consent, as it should be. (If you have no policy, caveat emptor, but shame on you.)

As for companies like Doubleclick, that surreptitiously follow you from site to site, in real space, we call that “stalking”, and we arrest people for it.

Why should cyberspace be any different?

Policy prevention (first appeared in InfoWorld)

By: Bob Lewis|In: Leadership|Last Updated: August 28, 2000

Dear Bob,

As a new manager, I am interested in any publications or references that are available with sample policies — for example, sample backup policies, helpdesk policies, data retention policies, etc. I’ve searched many libraries and found few actual “templates” from which I can glean knowledge, and, if it was an excellent template, copy shamelessly from. I’m hoping you could point me in the right direction to do more research.

– Managing in Manhattan

Dear Managing,

I’m definitely the wrong guy to ask. One of my missions in life is preventing the creation of policies whenever possible.

I know there are times when they’re necessary, but in my experience it’s just one step from a policy manual to a bureaucracy, and it’s a short step at that. Any time you have a policy, you make employees responsible for memorizing someone else’s thought process instead of using their own. Be careful what you ask for.

Once you form the habit of creating policies, it won’t be too many months before you find yourself moving all of your policies from a 2-inch 3-ring binder to a 3-incher because the 2-incher won’t close anymore. You’ll have turned yourself from a leader into a policy-meister — an awful thing to do.

Another downside to policy creation is that you turn your employees into jail-house lawyers. Your policies will turn into excuses for not getting the job done. They’ll turn into reasons to turn down reasonable requests from customers. And your most innovative employees will waste potentially productive time searching for loopholes, which they’ll then take great glee in publicly exploiting.

Worst of all, your policy book will become a source of disgruntlement, because employees will use the thickness of your policy manual as a direct measure of your lack of faith in their judgment. That’s the only attention most will pay to it, too: The more policies you publish, the less impact any one policy has. The advantage to having a very thin policy manual is that it’s clear to everyone the issues they address really are important.

Anyway, if you copy someone else’s policy, you’re copying someone else’s solution instead of creating one that fits your situation. The reason to create your own policies is that it forces you to think through the issue thoroughly enough to understand the ramifications. Once you’ve thought matters through, you’ll usually conclude you need nothing more than a guideline, or nothing at all — you’re trying to fix a one-time event, which, since it’s already occurred, doesn’t need more fixing.

So always write your own policies. The problem with pre-written templates is that they make the whole process too easy.

The exceptions are compliance issues … insider trading or data retention are examples … or when it’s important to declare a company position on a subject (sexual harassment comes to mind). Under these circumstances you need not just a policy, but one that will hold up in court. Don’t mess around with these — go to either HR or Legal, go directly to HR or Legal, don’t pass Go, and don’t collect $200 either. For that matter, always run any policy you do decide to draft past HR and legal — you never know when your policy crosses some invisible line that can land your employer in court.

Avoid policies whenever you can, and consider: “policy” and “police” have a common etymology.

– Bob