Is Privacy a "Risk"?

These days, the issue of Security'is given automatic priority in most IM&T projects, especially those with some form of public access, such as e-commerce applications. Until recently the same degree of attention has not been afforded to the issue of Privacy. Are these two issues related, and what has privacy to do with risk management?

Our advice is that privacy should be high on the list of issues considered when developing the risk management strategy.

At the federal and state levels, governments have introduced privacy legislation.  We anticipate that with strong lobbying from various directions, current legislation will only be strengthened over the coming years.

Organisations, including government agencies will be put under increasing pressure to limit their information collection to that specifically related to the business needs. Already, some states have legislated requirements for organisations to include privacy information on application forms, detailing which information is compulsory (and why), what will be done with the information gathered, and the extent to which this information will be shared with other organisations.

Penalties are being introduced for non compliance with legislation, including the improper use of 'private' information. In an increasingly litigious environment, people and organisations will be increasingly likely to initiate action for abuse of private information. In Australia and overseas, there have been some hefty compensation orders against companies who have been on the receiving end of these lawsuits.

We can only imagine the damage this does to the organisations reputation, goodwill and eventually, share prices.

While much of this will relate to corporate governance, and the resulting corporate policies in this regard, Information Systems also play a significant role.  The development of information systems is most often a complex and costly affair.  Information is captured, stored, processed, and reported in systems of ever increasing complexity. At the same time, systems which used to be 'contained' within an organisations computer, are increasingly being opened up to access from outside bodies.  A few examples:-

  • Online customer based systems
  • Business to business transactions
  • Business to government transactions
  • Internet / extranet applications 

Either by accident or design, systems can allow access to information which clients may have a right to consider private and protected. If so, this could lead to litigation and / or penalties and consequential impacts on reputation as mentioned earlier. Further, if caused by inadequate systems design, or failure to provide adequate data security, systems 'enhancements' will almost certainly be required.  Depending on the extent to which the 'faulty' processing is ingrained into the design, the correction could range from a minor enhancement to a major systems rewrite. 

As any good systems designer knows, it is far more cost effective to design the system right the first time, than to make changes later.  As an analogy, consider the costs of producing a car compared to the expense encountered when replacing or repairing a fairly minor component. (I digress to recount a recent personal experience - the price for replacing both headlight assemblies on an eight year old car was approximately 7-8% of the current value of the car!)

Exposing the organisation to penalties, fines, litigation, and adverse publicity would constitute an unacceptable outcome in the opinion of most CEO's.  Consequently, we recommend that as a part of any risk management strategy, organisations consider the potential for the system being designed to allow access to private information, and whether that access is legal and reasonable. Consider the potential impact on the organisation if access to that information is determined to be improper, and ensure mitigation strategies are in place.

While some strategies are obvious, such as ensuring adequate data security, we also recommend ensuring a close working relationship between the IM&T developers and 'information management' specialists.