Privacy Impact Assessment
Social networks like Facebook hold so much information about our thoughts, our behavior, our relationships that official investigations naturally seek to uncover it.
Privacy on the Ascendancy
But as technology collects more data, powerful voices are championing greater respect for the privacy of the data. These voices arise from around the world; I’ll point to two voices from the US.
The White House has published a Consumer Privacy Bill of Rights, broadly declaring, “Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.” Although this document focuses on the rights of consumers, it is consistent with rising expectations that the privacy of individuals be respected at a time when technology is enabling an unprecedented accumulation of personal data.
[Image: Free from Unreasonable Search]
A Rift in Society
A rift has emerged in society. On one side are the forces of justice that seek to discover the truth about disputes and compliance with law. These forces are represented by all the means through which our legal system supports the gathering of evidence -- subpoenas . . . safety inspections . . . inquiries by police . . . e-discovery in civil litigation . . . due diligence by prospective employers . . . evidence collection in divorces and child custody battles . . . probes by disciplinary officials at schools and colleges . . . audits by government tax or regulatory officials . . . and much more. These forces rightfully wish to access the mountains of relevant data stored in social networks.
On the other side of the rift are the forces of privacy.
As a consequence of this deepening rift, those people who wear the hat of "investigator" face emerging risk and responsibility. An example of the risk is Pietrylo v. Hillstone Restaurant Group, 2009 WL 3128420 (D.N.J. 2009). Management at a restaurant believed, with reason, that it needed to investigate allegations of workplace misbehavior recorded in a forum on Myspace. Management obtained, through the cooperation of certain employees, access to the content of the forum and then terminated some employees based on what they posted in the forum. But the court found that, by looking at the content of the forum, management violated the privacy of employees; the court awarded damages in favor of employees.
For investigators, coping with privacy risk and responsibility is not easy. But I have a recommendation. Prudence dictates that all investigators explicitly consider privacy when seeking data through technology, such as social media. What does that mean in practice?
The investigator needs evidence that she thoughtfully weighed privacy concerns as she designed and executed her investigation. This evidence can be provided in a “privacy impact assessment.” A privacy impact assessment is a written statement, stored in the investigator’s file, showing rational deliberation about the effect of the investigation on the privacy of the target of the investigation, as well as on the privacy of bystanders.
A persuasive privacy impact assessment will articulate the justification for the investigation and evaluate alternative methods for getting the needed information. It will assess methods for minimizing the impositions on privacy, while pursuing the legitimate goals of the investigation. It will display a conscious weighing of factors, so as to balance need against cost.
Demonstrate Serious Contemplation
A privacy impact assessment need not necessarily be a lengthy document. For less substantial investigations, it might be only a paragraph.
But it needs to be thorough enough to demonstrate that the investigator diligently contemplated the facts and methods of the case. It might specify, for example, steps to limit the quantity of data collected, the number of people who have access to the investigation file, and the length of time data is stored before it is destroyed.
The impact assessment will be more persuasive if the investigator consults a colleague or superior in the course of drafting it.
No Perfect Solution
A competent impact assessment does not guarantee that the law will deem the investigator to have respected privacy interests. But it can be powerful evidence that the investigator performed responsibly in the presence of conflicting interests.
I would be honored to hear your comments on this idea.
Mr. Wright teaches the law of data security and investigations at the SANS Institute.