(This is the second installment in an ongoing examination of the first principles of data privacy and security. The first installment can be read here. These principles, often represented in regulations and privacy practices, form the foundation for how an organization should treat the customer data it collects.)
Imagine you belong to one of the largest, most well-known organizations in the world. And your role in the organization is to make contact with your peers in other organizations. As part of that, you keep an extensive list of phone numbers in your mobile phone—a mobile, modern “rolodex” that lets you contact others as needed.
Another department in your organization approaches you and explains that, as a risk mitigation strategy, they are collecting the numbers off people’s mobile phones. This other department proceeds to perform surveillance on your peers from the other organizations.
If some reports are to be believed, this is how the NSA got mobile phone numbers for officials from other countries: by just asking high-level American officials to share their contacts. And since the NSA allegedly performed various kinds of surveillance on those officials’ mobile phones, those foreign officials are less than happy with their American counterparts. This is a dramatic and recent example of how trust can be created and destroyed depending on how you treat the information you are given, starting with what assumptions are made by the person who gives it to you. The purpose of “Notice,” the first of the first principles of data privacy and security, is to make sure there are no misunderstandings.
You have to tell people what data you are collecting and what you intend to do with it. This establishes more than trust. It enables some of the other items that are themselves first principles of privacy and security. If the subject of a data collection activity does not know that data on them is being collected, then:
- They can’t meaningfully consent to that collection and use
- They can’t make corrections to the information
- They can’t expect any of the remedies available to them if it is misused
Notice was considered so important by the people who crafted the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that they specified not just what had to be in it, but the exact words of the header at the top of it.
How much of a difference does notice make? You just need to ask yourself if those foreign officials would have shared their phone numbers with people who said “oh, and if it is all the same to you, I might share this with other U.S. government departments like the NSA.” Perhaps not.
In other words, the notice must not just tell you that the entity is collecting data about you, but tell you what they will/might do with it.
Consider the data collected on you at the supermarket. If you pay for your groceries with an ATM or credit card and/or if you use a loyalty/rewards card, a fair amount of information can be collected about you. If you don’t want to have that information collected about you, then you can refrain from using the rewards card and pay with cash.
In their notice of privacy practices, one supermarket chain advises that in addition to using the data they collect about you internally: “We may also provide Customer Identifiable Information to service providers that perform services for us, such as sending a direct mail offer from us to you. We require these companies to sign a confidentiality agreement that prohibits them from using the information for unauthorized purposes.”
Notices can also include how the data are collected, a description of what data elements are collected, how to find out more and even who exactly is doing the collecting. This last becomes very important in a world of out-sourcing, parent corporations and other ways in which the data collector might not be the data user.
Data collectors have raised some objections to this. Why, they ask, do I need to tell people I am collecting the data they just voluntarily gave me? For example, a covered entity (i.e., a healthcare organization required to comply with HIPAA) can argue very reasonably: I just took your blood; of course your name is traveling with that specimen. You don’t want us to mix it up with someone else so we are extremely careful with how we identify the specimens.
The truth is that those who are the subject of data collection efforts rarely if ever mind that their information is used for the transaction they just completed with the data collecting organization. It’s all those other uses that tend to upset people. Putting aside the extreme case of “I gave your mobile phone number to the NSA, wasn’t that ok?” we have all the gray areas. And they get pretty gray. The supermarket notice above mentions that service providers are prohibited from using your information for “unauthorized purposes.” Nowhere in the notice does it actually describe which purposes are authorized and which ones are not. It is clear, in fact, that you, the subject of the data collection, do not get to define that. And depending on what those authorized purposes are, you might or might not regret providing the data.
For example, few people would mind if their supermarket gave them a coupon for hot sauce when they bought chicken wings, but what about a promotional flyer for a child care provider when they bought diapers? And what about non-commercial, business-related uses? What if an employer gave employees a card to scan at the supermarket that gave them 5% off on certain products but also allowed the employer to know more about their employees’ diets? What if the employer tied employee contributions to the company-sponsored health insurance to whether or not people bought what the employer considered to be healthy food? What if they merged that with employee credit card transaction data to know what restaurants employees ate at and added that in their evaluation of each employee’s “lifestyle”?
These hypothetical examples may seem extreme, but they demonstrate why notice is so important. It’s important to tell people what you will do with their data, but also how and with what it might be merged.
To sum it up: notice and transparency help to minimize surprises when someone else uses a person’s information.
There are two things that should be very clear in the discussion above. First of all, it should be clear that notice sets the stage for the second first principle of data: consent. Secondly, there are roles being assumed when we consider data usage. In the next installment, before we get to consent, I’ll talk about those roles.
The notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.” §164.520 (b)(1)(I)