Privacy...What does it mean to you?
One of the first things you learn as a lawyer is that a "rose" may not always mean the same thing to everyone. "Privacy" is one of those words.
Several years ago, Microsoft held the first cybersecurity and privacy summit, inviting the top 100 experts from around the world to two days of discussions, policy debate and playing with slinkies and playdough with other high-powered experts.
I was asked to pull together a PowerPoint on the definitions of privacy, the language of privacy. I thought it was one of the easier tasks being delegated. Until I started pulling it together. As a privacy lawyer and Internet security expert, I thought everyone understood the meaning of the familiar terms the same way. Until I started asking them.
One of the biggest problems we face as privacy professionals is that we hang out together too often. Maybe only online, or at conferences we are running or keynoting or when we are speaking at panels, but we tend to hang out together. And like all cliques, we have our own private language that all insiders understand.
Toss in the security people, and you lose most privacy professionals. I was able to hold my own because of the unique work I do with cybercrime fighting and prevention as the head of a large charity, wiredsafety.org. So, I could handle most translations for our group. Most, but not all.
As a consultant, workshop leader and lawyer, I am generally contacted these days to help create policy that complies with laws, rules and best practices. I am brought in after the company has decided what it needs. And, while I am happy to do that, the real problem is helping companies figure out what they need, and why. Figuring out how to deliver it is much easier.
I recently wrote an article about RFID for InformationWeek's new RFID website. I cautioned early adopters of this technology to figure out why they want or need it. The problems they face by adopting it must be outweighed by the benefits. And problems include customer perceptions, fears and opinions.
When I first heard about the Albertsons case brought by The Privacy Rights Clearinghouse (which I keep in high regard), my first reaction was shock. How dare a trusted pharmacy allow drug manufacturers to pay them to send out marketing in the pharmacists' name? I was convinced that HIPAA precluded that kind of marketing. But I was wrong.
HIPAA allows it. As long as you don't share the personal information about your healthcare customers and patients with the manufacturer or health care services company that is looking to market their goods and services, and only use a middleman contractually bound to keep the personal information separate, you're okay. It's only when the personal information goes to the manufacturer or services company itself that the law requires prior consent from the patient.
When I first read the complaint filed by the Privacy Rights Clearinghouse, I misunderstood the charges. It appeared to me on a quick read that Albertsons had shared the patient information with the manufacturers. They apparently hadn't, since if they had, a violation under HIPAA would have been part of the claims.
The Albertsons case became a case because California's state HIPAA equivalent was amended in January 2004 to preclude the use of any personal information for any marketing, even those marketing practices permitted by HIPAA. While their practices may violate that state law, we should all step back and ask ourselves...do we care?
I asked one of my important focus-group members, my 25-year-old daughter. She told me that she wouldn't pay any attention to anything she got from her pharmacist. She had no idea who they were. She used a location of a national chain, had her prescriptions called in and she picked them up at a drive-through window. The daughter of a pharmacist (turned doctor) and the granddaughter and also niece of a pharmacist didn't consider pharmacists healthcare professionals, but rather considered them to be business men and women.
She couldn't understand why everyone was so upset about the marketing practices where prescription refill reminders and new alternative therapies and healthcare practices were being sent to her under her pharmacist's name, even if they were being paid to do so by the drug manufacturers.
I took it a step further and asked her how she would feel about her doctor (not her dad) sending her a letter that appeared to be signed by him or her, recommending a drug or alternative therapy for which they had been paid. That got her attention. She (and others I have polled) are concerned that their doctors may be selling out for much needed supplemental incomes.
So, what can we learn from this?
We need to figure out what people care about, what they know about and how we can improve the information we have about these two factors.
As a product of the 60's, I care more than my adult kids do. My 29-year-old advertising executive son cares more about security than what he considers elusive issues of privacy. My daughter thinks that she has nothing to hide, so why worry?
When we step back from frightening claims, slippery slope arguments and hype, when we have a moment to consider without being bombarded with others' agendas, what do we care about? Why? And how can we share that with the legislators who matter and companies who need to think about why they are doing something and the eventual impact?
When I say "privacy," what does that mean to you? And what do you really care about?
Think about it.