But privacy advocates are making a big mistake by harping on only. Privacy isn't about deleting my data, it's about controlling access to my data--most of which I don't want thrown away.
I want to know who's been looking at my medical records, my credit report and my bank account. Privacy means that the right people (my doctor or loan officer) get to see the data they need, while the wrong people (credit card thieves) don't.
Through privacy rules, I get to decide who the right people are--and what they see. Every time my data is accessed, it should be logged and reviewed by me or by a delegate I trust. For this to work, I need a log of every single instance that my data is accessed: who saw what, where, when, and most importantly, why, in order to keep proper checks and balances in place.
Privacy advocates should take a break from obsessing over new legislation that pends on Capitol Hill to read the laws already on the books. Many require companies to keep data--to not throw it away--as a way to identify and punish insider abuse of access or leakage of information.
The best-known example is the Health Insurance Portability and Accountability Act of 1996. Already seven years old, HIPAA requires health providers and insurers to protect the confidentiality and security of their clients' data through enforced standards. Your HMO (health maintenance organization) must adhere to written procedures for regular review of activity on its information systems. That includes access reports, audit logs and tracking reports for suspicious incidents that could point to a security breach.
HIPAA mandates that companies keep this audit data for six years. So, if an HMO client loses his job because his employer obtains a leaked copy of his patient record, he can demand the evidence necessary to obtain legal recourse against the HMO for compromising his privacy.
New laws set similar requirements for the financial industry, such as the Gramm-Leach-Bliley Act of 1999, which forces financial services companies to guard credit card information against employees who might sell it to thieves. But these laws were just a warm-up for the Sarbanes-Oxley Act.
Sarbanes-Oxley applies information technology to the problem of corporate governance by requiring companies to keep and produce detailed electronic records of internal activity for auditors. Introduced to Congress and signed by President Bush last year, the law was a heated response to the shameless destruction of corporate records at Enron and Arthur Andersen. It's a wonder that thedidn't cause more people to rethink the notion that deleting data may bring more privacy for white-collar criminals but could actually harm their employees or customers.
As usual, the oversight committee that's convened to set the exact standards for Sarbanes-Oxley probably won't come to agreement on the final specifications until much too close to June 15, 2004, when corporations and their auditors will be required to meet them. But the SEC means business--it's beefing up its staff with at least 200 more regulatory examiners to keep an eye on corporate audits.
Rather than risk going the way of Arthur Andersen, the remaining Big Four auditors--KPMG International, PricewaterhouseCoopers, Ernst & Young and Deloitte & Touche--are pushing their clients today to implement systems and procedures that Sarbanes-Oxley will likely require.
Yes, managing all that data is going to be a lot of work, but the laws were passed with the knowledge that new technologies are already making the job much easier. Those same technologies can protect your privacy as well as they protect corporate accounting records. And unless you're going to live in a Volkswagen bus, you're going to want the benefits of having your full medical and financial records available.
You'll just want to be sure that the companies you give them to can be trusted, because their employees--and executives--can't mess with your data without being caught. That kind of assurance doesn't come from deleting data, but from keeping more of it. I don't know about you, but I'll sleep a little better at night knowing that my data is in check.