Sunday, June 21, 2015

Data Destruction


Our class readings this week included an article that considered whether web sites that provide mugshots from local arrest records are an ethical way for newspapers to raise money to support traditional reporting (Grabowski and Yeng in Heider and Massanari, 2012). One of the issues raised by the article was the question of the persistence of the records. Specifically, does the publisher of the mugshot web site have the responsibility, to the community at large and to the owners of the mugs, to update these records with follow-up information on the arrest? Were the charges dropped? Was there a conviction? Was it a wrongful arrest?

Fingerprint. By Metrónomo (Own work) [CC BY-SA 4.0-3.0-2.5-2.0-1.0 (http://creativecommons.org/licenses/by-sa/4.0-3.0-2.5-2.0-1.0)], via Wikimedia Commons

In another article this week (brought to my attention by Cathy’s Diigo post) I read about the extra-serious scenario where the holder of personal data (like an employer) suffers a data breach and what is lost are not passwords and credit card numbers, but VERY personal, permanently connected data like fingerprints or iris scans (Jaeger, 2015). For me, this was an eye-opener. I’ve never thought of my credit card number as an integral part of myself or my identity. Mine has been stolen multiple times. You change it and move on. But my fingerprints? Theft of data about my fingerprints would have very practical, very permanent and probably very psychological implications.


Together these two articles made me wonder about what practices and policies surround the destruction of our personal data after it is collected, coded and used to identify us. We all know that our personal data can have a life of its own after it has been published, shared or reposted. And in these cases data destruction is not within our grasp. But what about what we don’t choose to share? What about information that is collected from us?

Protecting companies’ data is the focus of many of the data destruction services offered online and that is certainly an important link in the chain of my data’s life cycle. If businesses are clearing my old data carefully from their databases and hard drives, that protects me as well as them. But, as an individual, do I really have to monitor the dispersion of my information personally? Am I responsible for monitoring the reliability of every company that holds a password file for me or has my thumbprint?

As I looked for some reassurance in the form of guidelines for data destruction policies I was led to several “best practices” recommendations, but no actual policies. The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) has a detailed guidelines document that distinguishes among various levels of information sensitivity and recognizes the difficulty of identifying specific destruction techniques in an evolving, cloud-based, multi-backup system (PTAC, 2014). The document focuses on the responsibility that schools have for caring for students’ personally identifiable information (PII) and includes recommendations for data destruction specifically as part of the lifecycle of collected data. There are also efforts by the U.S. Department of Commerce’s National Institute of Standards and Technology to set standards for the collection of PII (McCallister, Grance & Kent, 2010). The NIST document recommends the use of strict standards of necessity in the collection of data, but offers less specific information about getting rid of collected data once it is no longer needed.

Heider, Don & Massanari, Adrienne L. (Eds.). (2012). Digital Ethics Research & Practice. New York, NY: Peter Lang Publishing Inc.

Jaeger, J. (2015). Managing Data Security and Privacy Risks 2.0. Compliance Week, 12(136), 56-59. 

McCallister, E., Grance, T., & Kent, K. (2010). Guide to protecting the confidentiality of Personally Identifiable Information (PII) [electronic resource]: recommendations of the National Institute of Standards and Technology / Erika McCallister, Tim Grance, Karen Scarfone. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology, [2010].

Privacy Technical Assistance Center, U.S. Department of Education, Best Practices for Data Destruction. (2014). Retrieved from: http://ptac.ed.gov/sites/default/files/Best%20Practices%20for%20Data%20Destruction%20%282014-05-06%29%20%5BFinal%5D.pdf