In recent years, advances in information technology and the ‘digitalization’ of everyday activities has brought into the limelight a paradigm shift where huge amounts of personal data about people, their personally identifiable information, opinions, values, and attitudes are generated and stored in databases and data warehouses of service providers offering online services.
The mere existence of these data pools has motivated Information Systems researchers and other mainstream commentators to explore information privacy issues due to the vast amount of personal information being collected, stored, transmitted and shared over the Internet.
The present paper purposes of demonstrating that organizations should be given the leeway to police themselves with respect to providing access to such personal information, rather than having the government imposing blanket privacy legislation.
Information privacy can be defined as the capacity and desire of people to control or have some influence over when, how, and to what extent their personally identifiable information is acquired and communicated to other individuals.
From a business perspective, contemporary organizations are keen to exploit personal data for commercial gain by profiling customer information with the view to improving marketing of their products/services and retaining their customer base.
Consequently, these companies must win the confidence of customers by demonstrating the benefits of information disclosure and availing assurances that disclosure of personal data is a low-risk proposition.
To avoid risks to personal data, these companies must adopt fair information practices, privacy impact assessment programs, and stringent privacy policies.
The pure market approach to personal information protection demonstrates that customers will always prefer to conduct business with organizations that have designed and implemented strong privacy policies and avoid organizations that have breached privacy.
It should also be the primary function of the organization to provide adequate privacy protections to employee information shared within the entity.
Organizations can appreciably reduce risk to breaches and losses of sensitive employee information by using passwords, access programs and company codes of conduct/policies.
Recent trends demonstrate that many organizations are employing the self-regulation approach (legislation, enforcement, and adjudication) to guarantee the privacy of critical employee information and personal data shared within the entity.
While legislation defines the appropriate rules and codes of conduct, enforcement relates to the initiation of an enforceable action when the rules and codes of conduct are broken, and adjudication implies whether or not a particular organization has violated the privacy rules.
Instead of imposing blanket privacy legislation, the government should allow organizations to design, develop and implement unified and comprehensive codes of conduct and privacy policies with the view to protecting sensitive employee information.
Using the market-based approach, organizations should be allowed a free hand to set their own privacy rules and regulations when publishing and disseminating business information to customers as long as there is sufficient demand for their product or service offerings.
One of the underlying assumptions of the market-based approach is that if there is adequate demand for business information on goods and services, organizations can compete with each other to avail technology that protects privacy.
Of course, the government must intervene to ensure that business information available to customers is objective, valid and is not purposefully intended to deceive consumers.
One way of intervening is by imposing privacy legislation protecting customers from wrong or deceitful business information, but organizations are better placed to provide the correct business information by always adhering to the set codes of conduct and privacy policies.
In such a situation, the role of the government becomes secondary as competent organizations eager to attract a wide base of customers will always stick to their codes of conduct to provide correct business information to customers.
Public education is also necessary to ensure organizations always provide appropriate business information.
The government, in my view, should play an oversight role to ensure each organization designs and implements these practices, programs and policies, and also to ensure that customer/employee information shared by organizations is used for the intended purposes.
While organizations should be given the leeway to provide access to personally identifiable information as a means of spurring competition and productivity, it should be the oversight role of the government to hold them to account for the number and magnitude of breaches, intrusions and other privacy risks.
Additionally, it should be the role of government to guide and adjudicate in cases where organizations have acted in a way likely to cause a breach in databases and data warehouses holding sensitive personally identifiable information.
To conclude, it is imperative to mention that organizations still do not provide appropriate and stringent privacy protection for personally identifiable information going by the many breaches in databases and losses of personal information held by these entities.
Still, other companies are yet to design and implement privacy policies.
Even so, the most effective way to protect personally identifiable information is for the organizations to employ a combination of tools, policies, and strategies which include complying with privacy legislation as set out in various legal statutes, using privacy-enhancing technologies and architectures such as access codes, passwords and facial recognition systems, and engaging in public education as well as initiating and enforcing privacy impact assessment programs.