This week, the comic strip Dilbert has showcased the callous disregard Dilbert’s employers have for customer data. By Thursday, we learned that the company has sold their customer data to identity thieves. How fitting.
I believe IT people need a code of ethics for this new type of information brokering. Here are some of my suggestions:
- If you sell information about people or businesses, it should be accurate. If it is unverified, it needs to be prominently marked as such.
- Likewise, if your firm buys or uses unverified data in its decision-making process, you have a duty to validate the information that impacts consumers before rendering any final decision.
- If you sell information about people or businesses, before you distribute any of it, you must give the people/businesses being profiled a chance to correct, amend or rebut the data. All sources for the information must be disclosed.
- Customers of your firm should always have the right to have their information protected and not shared or sold to others. Only through the explicit release of this right should this information be disclosed.
- Companies should never bar the sale of goods or delivery of service just because a customer wishes to protect their privacy. The requirement that the company must be allowed to trade on this information is an unforgivable abuse of power.
- Providers of information cannot anticipate how their information will be used, let alone how it will be misused. As such, all access must be tracked and all users carefully vetted. Users of this information must attest to their agreement that the information will not be used to discriminate, and that any decision made in whole or in part with this information that is adverse to the person/business involved must be fully disclosed to the aggrieved party.
- If corrected or updated information is made available to the information broker, the information broker must ensure that all prior recipients/users of this personal/business data are informed anew of these changes.
- Businesses that use this third-party information must delete it from all of their systems within 30 days. Businesses should never keep this personal, potentially damaging information on their systems unless they themselves collected it directly from the person/business.
- Information cannot be passed beyond the initial information collector-subscriber link. Purchased data that passes to unrelated third parties should be expressly prohibited. Moreover, purchased data should not be passed around different subsidiaries within the same firm.
- Web-based firms that change business models and permit other users to have access to member, customer or subscriber data must provide a warning period of 60 days or so to permit their users time to remove personal data from their site before others have access to it.
What suggestions do you have?