Policies and Practices
Executives and members of the privacy coalition should all be interested in this important question: how well are current corporate policies and practices meeting societal expectations with respect to uses of personal information? In many areas, the answer appears to be "not very well." This answer should not be surprising, though, given the wandering process through which the policies and practices evolved. The reactive nature of the process provided for drift periods of varying lengths, during which changes in the environment were seldom reflected in new, codified policies. And even when policies were ultimately crafted, they were usually formed in reaction to a particular external threat. Consequently, unless the external threat pointed out a danger in a particular area, there was no guarantee that this area would receive attention even during the reaction period. Furthermore, in the absence of continual vigilance on the part of executives and an infrastructure stronger than any observed at the sites in this study, a "policy/practice gap" can be expected, in which the actual organizational practices are at variance with the official policies.
This chapter evaluates the policies and practices in light of apparent societal expectations for handling personal information. The adequacy of the policies themselves is presented in light of the societal expectations, and differences between policy and practice are described in each situation. To determine the societal expectations, I assessed privacy advocates' writings, U.S. federal law, and professional codes; I also considered insights gleaned from the interviews with privacy and consumer advocates, executives and managers at the sites, and industry observers, and from the consumer interviews and focus groups (see chapter 2 and the Appendix). This research revealed several areas in which society apparently harbors some expectations regarding corporate policies and prac