Sunday, June 21, 2015

Data Destruction


Our class readings this week included an article that considered whether web sites that provide mugshots from local arrest records are an ethical way for newspapers to raise money to support traditional reporting (Grabowski and Yeng in Heider and Massanari, 2012). One of the issues raised by the article was the question of the persistence of the records. Specifically, does the publisher of the mug shot web site have the responsibility, to the community at large and to the owners of the mugs, to update these records with follow-up information on the arrest? Were the charges dropped? Was there a conviction? Was it a wrongful arrest? Etc.

Fingerprint. By Metrónomo (Own work) [CC BY-SA 4.0-3.0-2.5-2.0-1.0 (http://creativecommons.org/licenses/by-sa/4.0-3.0-2.5-2.0-1.0)], via Wikimedia Commons

In another article this week (brought to my attention by Cathy’s Diigo post) I read about the extra-serious scenario where the holder of personal data (like an employer) suffers a data breach and what is lost are not passwords and credit card numbers, but VERY personal, permanently connected data like fingerprints or iris scans (Jaeger, 2015). For me, this was an eye-opener. I’ve never thought of my credit card number as an integral part of myself or my identity. Mine has been stolen multiple times. You change it and move on. But my fingerprints? Theft of data about my fingerprints would have very practical, very permanent and probably very psychological implications.


Together these two articles made me wonder about what practices and policies surround the destruction of our personal data after it is collected, coded and used to identify us. We all know that our personal data can have a life of its own after it has been published, shared or reposted. And in these cases data destruction is not within our grasp. But what about what we don’t choose to share? What about information that is collected from us?

Protecting companies’ data is the focus of many of the data destruction services offered online and that is certainly an important link in the chain of my data’s life cycle. If businesses are clearing my old data carefully from their databases and hard drives, that protects me as well as them. But, as an individual, do I really have to monitor the dispersion of my information personally? Am I responsible for monitoring the reliability of every company that holds a password file for me or has my thumbprint?

As I looked for some reassurance in the form of guidelines for data destruction policies I was led to several “best practices” recommendations, but no actual policies. The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) has a detailed guidelines document that distinguishes among various levels of information sensitivity and recognizes the difficulty of identifying specific destruction techniques in an evolving, cloud-based, multi-backup system (PTAC 2014). The document focuses on the responsibility that schools have for caring for students’ personally identifiable information (PII) and includes recommendations for data destruction specifically as part of the lifecycle of collected data. There are also efforts by the U.S. Department of Commerce’s National Institute of Standards and Technology to set standards for the collection of PII (McCallister, Grance & Kent, 2010). This document recommends the use of strict standards of necessity in the collection of data, but offers less specific information about getting rid of collected data once it is no longer needed.

Heider, Don & Massanari, Adrienne L. (Eds.). (2012). Digital Ethics Research & Practice. New York, NY: Peter Lang Publishing Inc.

Jaeger, J. (2015). Managing Data Security and Privacy Risks 2.0. Compliance Week, 12(136), 56-59. 

McCallister, E., Grance, T., & Kent, K. (2010). Guide to protecting the confidentiality of Personally Identifiable Information (PII) [electronic resource] : recommendations of the National Institute of Standards and Technology / Erika McCallister, Tim Grance, Karen Scarfone. Gaithersburg, MD : U.S. Dept. of Commerce, National Institute of Standards and Technology, [2010].

Privacy Technical Assistance Center, U.S. Department of Education, Best Practices for Data Destruction. (2014). Retrieved from: http://ptac.ed.gov/sites/default/files/Best%20Practices%20for%20Data%20Destruction%20%282014-05-06%29%20%5BFinal%5D.pdf

3 comments:

  1. Great points, Anne. It is pretty scary that in all cases, you are really at the mercy of the person possessing the data or having access to it. Even something innocent like paying by credit card at a restaurant or making a purchase online, you open yourself up to privacy issues. In all companies, industries, fields, etc, data is collected and stored. You are right not much is stated or promised in terms of data security.

    I recently traded in my car. The car shopping process scared me. I had to provide my license for a test drive. They photocopied it and left the copy on the desk - not good. Also, when running my credit report, they left that on a desk as well. I think the level of security concern is not as heightened as it should be considering the risk.

    In the end, I always worry about banking online (which I do anyway), shopping online (which I definitely do anyway), etc., BUT the element of human error or the lack of concern is also a big worry for sure.

    Cathy

  2. I also meant to mention that I also tried to find policies but came up pretty empty. There are lots of best practices like you mentioned but nothing consistent.

    Great point!

    Cathy

  3. Thanks for the information. I am also interested in learning from your blog.