Everyone seems to be concerned about personal privacy and the use of identifying personal data. Consumers' fears are not allayed when they learn that 99% of Web sites are not secure (see issue 97:06:03 "State of Web Commerce") or when they hear horror stories of private information becoming public knowledge (see issue 97:08:02, "Personal Data and the Law").
In an effort to comfort consumers (and protect them) 14 information industry companies have adopted self-regulatory principles governing the use of personal data. The group is the Individual Reference Services Group (IRSO) and their principles were developed in conjunction with the Federal Trade Commission (FTC) during its examination of privacy concerns and personal information uses.
But, will consumers really be swayed by self-policing? We already know that information companies do infringe on privacy rights either intentionally or due to computer bugs. Will consumers believe them simply because they say they won't do it anymore?
Furthermore, it seems the group has convinced the FTC (and therefore Congress) that since the groups are policing themselves, the government doesn't need to do it. After reviewing the final draft of self-regulatory operating principles, the FTC has not recommended to Congress any privacy legislation to regulate the Individual Reference Services Industry. The FTC report even commends the IRSO for its self-regulatory efforts.
The principles impose restrictions on the access and distribution of non-public information, such as the non-financial identifying information in a credit report. For example, IRSO companies may not display social security numbers obtained from non-public sources to the general public on the Internet. Also, information from non-public sources about minors will not be available to the public.
There is some enforcement, albeit weak. Each IRSO member has pledged to be in compliance with the principles within 12 months. After the initial compliance period, companies will be subject to yearly audits by a qualified independent auditor. Also, companies who obtain information from suppliers and fail to comply with the principles risk losing access to the data.
Tim Davies, of LEXIS-NEXIS, commented on the influence the group's principles may have. "The primary goal of the group was to put together a set of principles that would address the privacy concerns of individuals while preserving the right to use information for legitimate and beneficial purposes like fraud prevention, witness location, and child support collection," said Davies.
Since the FTC workshop in June, the IRSO has expanded its membership from nine to 14 companies. The companies now include: Acxiom Corporation; CDB Infotek; DEC Information Systems; Database Technologies, Inc.; Equifax; Experian; First Data Solutions, Inc.; Information American, Inc.; LEXIS-NEXIS; Metromail Corp.; National Fraud Center; On-line Professional Electronic Network; and Trans Union Corp.
