Administrative measures are also necessary to support enforcement. For example, administrative actions are needed to promulgate codes of behavior and procedures that govern access to stored personal information. Penalties for violating such codes or procedures are also needed, as technological enforcement measures sometimes fail or do not cover certain eventualities.

Recommendation 3. Organizations should routinely test whether their stated privacy policies are being fully implemented.

Because automated privacy audits are rarely comprehensive (except at great expense), red-teaming of an organization’s privacy policy and its implementation is often in order. In the security domain, red-teaming refers to the practice of testing an organization’s operational security posture through the use of an independent adversary team whose job it is to penetrate the defenses of the organization. Red-teaming in a privacy context refers to efforts undertaken to compare an organization’s stated privacy policy to its practices. In general, red-teaming for privacy will require considerable “insider” access—the ability to trace data flows containing personal information. As in the case of security red-teaming, results of a privacy red-teaming exercise need to be reported to senior management, with a high-level executive in place who is responsible for ensuring privacy and for acting as an advocate for it as an individual and a collective good.

Recommendation 4. Organizations should produce privacy impact assessments when they are appropriate.

It is often the case that information practices—adopted entirely for non-privacy-related reasons—have unforeseen or surprising impacts on privacy that may not even have been considered in the adoption of those practices. Inadvertent effects on privacy could be reduced if privacy were systematically considered before adopting new information practices or changing existing practices. Privacy impact assessments—analogous to environmental impact assessments—can be established as a regular part of project planning for electronic information systems. Explicit attention to privacy issues can be valuable even if these assessments remain internal to the organization. However, public review can encourage consideration from other perspectives and perhaps reduce unintended consequences that could generate additional rounds of feedback, costly retrofitting, and/or unnecessary erosion of privacy.

Federal agencies are already required to produce privacy impact assessments (PIAs) under the E-Government Act of 2002. Illustrative PIAs


Copyright © National Academy of Sciences. All rights reserved.