The Policy-Making Process
With issues of information privacy making front-page news, with the U.S. public indicating very high levels of concern, and with legislators debating new and more restrictive laws on data flow, corporations are increasingly occupying the "hot seat" regarding their privacy management processes. It is important that both corporate executives and members of the privacy coalition understand how corporations approach privacy issues in their own management processes. To the extent that executives wish, of their own accord, to correct any deficiencies and make their privacy approaches more acceptable, they need a careful understanding of the existing approaches. To the extent that the privacy coalition wishes to motivate executives to take a different approach, the existing process must be considered as input in the crafting of a new incentive system.
Therefore, we now consider a fundamental question: how are policies and practices regarding the use of personal information developing within organizations? A naive view might suggest that the process would be an overtly rational and proactive one, in which executives of the organizations meet regularly to consider the salient privacy issues in their organizations, debate alternative proposals for addressing the issues, choose the most appropriate one, and then communicate the policy downward into the organization, where it is translated into effective practices. It turns out, however, that such a view is more wishful thinking than reality, if the seven organizations in this study are any indication. Despite their differences in some areas, all seven organizations exhibited a remarkably similar approach: the policy-making process, which occurred over time, was a wandering and reactive one. Because of these characteristics, the process lent it-