The Information Commissioner's Office is urging organisations to put a financial value on protecting personal information.
In The Privacy Dividend, a report published on 4 March, the ICO said public and private sector organisations can use business cases to justify spending on privacy protection.
It says the benefits of protecting privacy derive from four areas in which information has value. First, protecting personal information as an asset can help to make an organisation's operations efficient, agile and attractive to the public.
Second, respecting people's privacy helps to win their trust, and can enhance an organisation's reputation.
Third, protecting information from other parties can save people from the harm associated with privacy violations.
Finally, winning people's trust will support working with other organisations. "Enhanced public trust in one central government department could encourage citizen engagement with all departments," the report says.
It recommends that any business case should include an executive summary, the background and reasons for the case, a list of objectives and options, an assessment of benefits and costs, the identification of critical success factors and an investment appraisal. These should be followed by implementation, operation and business engagement.
The report also advocates the use of calculation sheets to assess the value of personal information and put figures to the business case.
Information commissioner Christopher Graham said: "No organisation can neglect to protect people's privacy. Not only is it the law, but there is also a hard-headed business imperative. This report provides organisations with the tools to produce a financial business case for data protection ensuring privacy protection is hardwired into organisational culture and governance."

Talkback
This is good news for organizations and individuals--requiring companies to really consider their policies--and what they stand to lose if policies are not followed. This is particularly important in light of the recent leaks of personal data at firms like Shell and even at universities. A Data Leakage Prevention solution is so important, and more than that, should enable highly-specific policy implementation, based on group or level of employee, as well as on individual level, so that data like this cannot be leaked via email or other online sources. (Defining strategies with respect to high-level executives is an especially tricky issue, and should be approached carefully, making sure even they know the importance of restrictions.) Such policy definition is available in solutions like PineApp's SoHo (email and web proxy security) http://tiny.cc/gen4s. Hopefully ICO's role will bring these issues to the forefront.