I recently wrote an article titled “Essential Privacy Principles” which was published in the “ India Law And Technology Blog”. Here is the link for it along with a repost (below).
Privacy whether mobile or web based is a serious concern in the current technologically dependent environment. With multiple government as well as non-government bodies proposing varied policies and regulations for privacy and data protection, it is easy to lose track of fundamental privacy principles.
The following are some of the essential privacy principles that are applicable across platforms, regions and industries. They form the core framework for the development and implementation of any robust privacy regime.
- Openness, Transparency & Notice: Users should to be informed about (i) the types of data being collected (ii) the purpose for which it is being collected (iii) whether there are any third parties with whom this data will be shared and (iv) clear contact information regarding who to contact with any complaints or inquiries.
- Choice & consent: (i) Users should be provided the option of “opting in” to submit information (ii) They must also be provided with the choice to “opt out” of the service or data collection (iii) No data should be collected without the clear explicit consent of the user.
- Access: Users should have access to their own personal information, if in case they want to correct, amend or delete it.
- Purpose & use: The collection, sharing and disclosure of any information should be related to a legitimate business purpose. In short – don’t collect more data than what you need.
- Data Integrity & Security: Reasonable industry specific safe guards should be used to protect sensitive personal information.
- Retention & disposal: Service providers should set a reasonable time frame within their data structure and policies,defining clearly, how long data collected, is stored. Additionally adequate safety procedures must be used for disposal of data.
- Children: Ideally data should not be collected from children younger than 18 years of age. You should provide notice and create checks within the data collection mechanism to disallow children younger than 18 from submitting any personal information unless explicit consent from the parents has been received.
- Accountable and enforcement: (i) All service providers are responsible for the data they collect (ii) for ensuring that basic privacy principles are met at all times (iii) Additionally service providers should try and participate in a third party certification and dispute resolution program.