Lessons on Privacy from Everyday Life

As many readers know, my husband and I volunteer hundreds of hours a year for the National Park Service. What does this have to do with a global screening blog? Plenty.

What we know in our work life can be applied to our private life. When we take training classes on phishing attempts at work, that information can help us make our home computing safer for ourselves and our families. When we volunteer, we often use our work skills to support a specific volunteer need. I have found the benefits do not go just to the volunteer organization, but they circle back to my work life and make me a better global screening practitioner.

At the National Park Service, volunteers do what you would think they do: outdoorsy stuff. We maintain hiking trails, lead groups, and help keep people safe in the water. A significant source of funding for each unit comes from how many work hours are provided by that unit’s volunteers. Collecting hours from hundreds of volunteers is a challenge. Until now, we’ve been emailing in spreadsheets, and the Volunteer Coordinator (VC) enters the information into a database, on a monthly basis. It’s not a great use of an experienced Park Ranger’s time.

We have other communications needs. When trees fall and block hiking paths, we have a team of Sawyers who clear the paths. Reporting the downed trees and getting the Sawyer team together is done by email and sometimes word of mouth. It’s not very efficient and can cause people to hike miles with heavy gear only to find that someone else cleared the tree. (My spouse is a member of the Sawyer team, and I hear him rant about these wasted hikes.)

We are also challenged with keeping volunteers engaged. New ideas are shared at monthly meetings or by email among small groups, but there is no good resource for volunteers to house their information.

One of our more tech-savvy volunteers, Adam, bought a domain name that matched the name of our volunteer group and set up a volunteer website. New volunteers can sign up and we can log our hours, with the information available to the VC. There’s a registration page, a Discussion Group (with a Downed Trees topic), and resources.

Longtime readers and attendees at my NAPBS presentations should be able to anticipate the discussions Adam and I have had. “What kind of security do we have on this site? We are collecting names and email addresses, as well as passwords, which are subject to data breaches.” “Do we really need to collect the address and emergency contact, or does the VC capture that information from the intake form?” “How can we delete information upon a user’s request?” “I’ll write the Privacy Notice; please have the privacy@ email address come to me.”

This weekend I spent hours writing the Privacy Notice for the volunteer website. My research showed that few sites of this type (sites set up by small volunteer groups for the benefit of the group) have a Privacy Notice or Policy. Frankly, I’ve noticed that even large entities fail to put together a Privacy Notice. Why bother to write a Privacy Notice then?

  • It was the right thing to do. It helps protect the information of the people we serve and provides transparency to our users. If you were one of the volunteers using this website, wouldn’t you want someone taking care of privacy?
  • I had the expertise to do it.
  • It gives our volunteer website more credibility with the Park Service and other organizations we interface with. This last point is very applicable to my work life. Good privacy is good business and it can help obtain and retain good clients.

Writing this Privacy Notice was a valuable experience for me and my employer. In fact, writing a Privacy Notice is a great way to become compliant with the various global privacy regulations. I learned so much from the research, which helps me provide better privacy guidance for my employer and our clients.

When you write a Privacy Notice, you are making a public statement about how your organization handles personal information. It’s a commitment you make to the users of the website. In some countries, such as the U.S., you will be held to your commitments by various government entities. As U.S.-based background screeners know, we are under the enforcement power of the Federal Trade Commission, among other regulators. This means that our statements in the Privacy Notice must be an accurate reflection of how we handle personal information. You will also be held to your commitments by your audience.

One of the early steps that must be taken when writing a Privacy Notice is to understand your organization’s privacy. (Hence, all the questions to Adam.) It requires you to think through what you are collecting, why you are collecting it, and how secure it is. These are all good questions to ask when you are collecting any personal information in any country. It’s a mini data inventory process.

If you write the Privacy Notice while you are in the process of building the website, it can help you build the site using Privacy by Design (PbD) principles. For readers who are subject to the GDPR, you will recall the requirements of Article 25: data protection by design and by default. Writing this Notice also required me to think through the alternatives to collecting information on the site. The Notice I wrote provided information for how the user could get the information directly to the VC, rather than submitting it via the site. Expressing the options to the user gives the user the choice of how their data will be collected and handled. That helps with the Visibility and Transparency as well as Respect for User Privacy principles of PbD.

If you’re interested in seeing what was drafted as part of this project, contact me at kerstinb@clearstar.net and I’ll send you the link.

_____________________________________________________________________________________________________________

Kerstin Bagus – Director, Global Initiatives

Kerstin Bagus supports ClearStar’s Global Screening Program as its Director of Global Initiatives. She has more than 30 years of background screening industry experience, working for a variety of firms, large and small. Kerstin is one of the few individuals in the industry who is privacy-certified through the International Association of Privacy Professionals (IAPP) for Canada, the EU, and the U.S.

Kerstin is a passionate participant in the National Association of Professional Background Screeners (NAPBS) and is a current member of the Board, in addition to participating on several committees. She also participates on IFDAT’s Legal Committee, with a primary focus on global data privacy.

At ClearStar, we are committed to your success. An important part of your employment screening program involves compliance with various laws and regulations, which is why we are providing information regarding screening requirements in certain countries, regions, etc. While we are happy to provide you with this information, it is your responsibility to comply with applicable laws and to understand how such information pertains to your employment screening program. The foregoing information is not offered as legal advice but is instead offered for informational purposes. ClearStar is not a law firm and does not offer legal advice, and this communication does not form an attorney-client relationship. The foregoing information is therefore not intended as a substitute for the legal advice of a lawyer knowledgeable of the user’s individual circumstances or to provide legal advice. ClearStar makes no assurances regarding the accuracy, completeness, or utility of the information contained in this publication. Legislative, regulatory and case law developments regularly impact on general research and this area is evolving rapidly. ClearStar expressly disclaims any warranties or responsibility or damages associated with or arising out of the information provided herein.