Academic journal article JITTA : Journal of Information Technology Theory and Application

Gaps between Policy and Practice in the Protection of Data Privacy

Article excerpt


A common casualty of poor information security is the privacy of the individual. Much has been written about formulating privacy policies, and there has been some work in identifying privacy abuses. This paper brings the two areas together by reviewing some of the key aspects of privacy policy. It presents a taxonomy of privacy abuses distilled from publicly available online reports issued during 2001. The gaps between policy and practice are identified and some solutions put forward to fill those gaps.


Poor information security can have a severe impact on an organisation. The major risk in consumer to business e-commerce is that security concerns will result in a lack of consumer confidence resulting in a loss of business. Information security is defined by Parker (2001) as: "The preservation of confidentiality and possession, integrity and validity, and availability and utility of information".

With reference to the definition above, privacy is incorporated in the first two items: confidentiality and possession. A recent report suggested that only one in three businesses implement formal privacy policies (Computer Economics 2001). Even when policies are in place, they are often not rigorously applied until a significant security breach forces management to focus on them (Fonseca 2000; Milberg, Smith et al. 2000).

This study is confined to privacy abuses relating to computerised data assets of an organisation or an individual, and any channels through which this data is transmitted.

Before any meaningful discussion of privacy abuses and their remedies can occur, it is necessary to acknowledge the complex backdrop against which such a discussion takes place. There are three dimensions to the space in which privacy policy and safeguards are developed. First, a plethora of regulatory approaches to assuring privacy exist worldwide; these approaches stem at least in part from the culture of the country in which they are developed. Second, new technologies are changing the landscape of privacy, and also the way organisations function. Third, there are organisational issues, including the structure of the organisation itself and the policies that evolve within it. This conceptual space is illustrated in Figure 1.

The paper is organised into four sections. First, a review of the current research into the regulatory, technological and organisational policy aspects of privacy is given. The purpose of this review is to develop an understanding of how privacy policy evolves within an organisation. In the second section, a content analysis of a cross section of news stories is carried out. From this, a taxonomy of privacy abuses is distilled, which is then compared to the results of existing studies. Third, using the taxonomy and the guidelines for managing information security from section 1, gaps or representational deficiencies are identified which suggest where the weaknesses in current thinking on information privacy exist. Each of these abuses is discussed in turn. Finally, some technical data management solutions are put forward.

Laws, regulations and ethics

Laws and regulations

Balancing different privacy perspectives within the realm of increasingly connected global e-commerce presents a significant challenge to managers. Whilst privacy as an individual right is a very old concept, the information age has brought confusion about what is ethically right or wrong in the realm of privacy. Many privacy abuses do not break any law; it depends under which jurisdiction they occur. Even at the ethical level, opinions differ about what constitutes an abuse of privacy. Henderson (1999) gave the example of mailbox clutter, or spam, as something that could be seen as merely inconvenient rather than damaging to an individual's privacy. Eliminating spam was, however, identified as one of the top five objectives for assuring privacy in a recent study (Dhillon and Moores 2001). …
