Privacy a hot topic for privacy tsar

NCR's privacy tsar travels the globe advising not only on his company's privacy-related products, but on the principles companies need to grasp if they are to stay in step with legislation - and in favour with consumers.

Even before privacy crashed on to the scene as a US consumer issue last year, NCR - which provides the infrastructure for most of the world's largest customer databases - was targeting it. It even employs a privacy tsar, Peter Reid, to travel the world and advise on privacy issues and solutions. Reid talks to Russell Brown about why he believes companies that are not ethical in their use of personal information will not survive.

I'm interested in how you came into your job. Did you have a pre-existing interest in the issues?

I took the job just before the end of last year, but I've been involved in the NCR privacy initiative for about 18 months. Currently I'm in our Teradata Solutions Group and prior to that I was vice-president of architecture in our financial solutions group.

The company had established a privacy steering committee with representatives from different parts of the company - and I was the person who was representing all the groups that develop financial solutions. The job became open and I thought it would be a very interesting challenge, because it's a very hot topic.

The US in particular has seen some very high-profile privacy stories in the past year, hasn't it?

DoubleClick, Chase Bank, US Bank Corp and Yahoo ... yes.

Is it the case that business is keen to get some sort of self-regulation on board as an alternative to government regulation?

My view is that industry self-regulation would over time work, because it would weed out the companies that were protecting customers' information. Consumers would soon find out, through activist groups, which companies were protecting their information and which weren't. Natural market forces would over time drive the companies that were not acting in an ethical fashion completely out of business.

The Europeans have legislated - they have very strong feelings about data protection. A lot of the ethnic cleansing and the atrocities that have taken place in the former Yugoslavia and even during the last war were facilitated by the fact that the administrations were keeping very good records of who was Bosnian, Serbian, ethnic Albanians, Jews.

So the European directive has some fairly strong provisions in terms of protecting sensitive data - religious background, racial background, sexual orientation and so on. If a company is going to foster that information, it has to be very clear how it's going to be used. And it must at all costs give the person who's providing that information the option of saying 'okay, you can collect it for that purpose and that purpose only, but you cannot under any circumstances share it with anyone else'.

That's what the New Zealand Privacy Act says - information taken for one purpose cannot be used for another purpose. What's the general rule in other countries which have privacy legislation?

It's essentially the same. In Europe, essentially the default is opt-in, but you must give customers the very clear option to opt out. There are various legislative initiatives that have gone through Congress in the US - one for the healthcare industry, one recently for financial services. The default there is opt-in, but customers must be given a very clear option of opting out.

Clinton in fact made a speech two weeks ago where he specifically targeted the Financial Services Modernisation Act, suggesting that that should be extended to include sharing information with affiliates. And also that the default should be opt-out.

So insurance company customers should have to specifically opt in to have information shared even across different groups within the same enterprise.

A ban on sharing information with affiliates is going to have serious implications for dot-coms, isn't it?

Absolutely.

Are smaller Websites the worst offenders on privacy issues?

Some of them are. But some of them are not. I believe some of the dot-com start-ups have adopted the right attitude, which is making it very clear up front that the information they're collecting will be used for marketing purposes. And if you don't want your information shared, don't sign up.

They can't be more upfront and honest than that. And in spite of that, people are prepared to sign up. Richard Branson's Virgin organisation recently launched a portal in the US, and you can log onto their site and they make it very clear that if you sign up with them they will use your information to send targeted banner ads and they will share that information with affiliates they think can offer you relevant promotions.

The enticement for signing up to his portal is that they'll provide you with a PC. It's a PC that's loaded with software that forces you to go to his portal all the time. I suspect the uptake of that will be fairly significant.

But there has to be a what's-in-it-for-me for the customer.

That's right.

I've been interested lately in the idea of co-operative information societies - where consumers get together and sell their information on their own terms. Are you aware of any initiatives like that?

It's a good idea. I haven't seen any groups who've got together on that basis. But it may come.

In terms of NCR's position, it struck me as ironic that your privacy solution - using data warehousing to have one, consistent version of the truth which can be managed and protected - is precisely what some people are most afraid of. Some people would see it as safer to keep the system broken.

Yes. Certainly there is some potential risk to consolidating all of the information on a central warehouse. Our view is that what has to be weighed against that is the business benefits that can be achieved through CRM or some of the other capabilities that a single version of the truth can offer.

So what we've been very sensitive to is to ensure that as we talk to our customers about implementing data warehouses, we have thought through what is required to extend a traditional warehouse so that you can add the privacy preferences of individual customers whose information you're storing.

One of the requirements of a privacy solution is access. You'll find those elements in countries where there is legislation. Once you have the single version of the truth, then access is much easier. There's now a single point where customers can come and see exactly what information is stored about them - taken from mortgage systems, from credit card systems - and if there is something wrong they can change it.

We think over time that the market's going to resolve itself and that the companies that aren't ethical in their use of personal information will not survive.

Privacy is a competitive issue ...

We believe that. A lot of the customers that I talk to think of privacy like Y2K. They've gone through a very expensive exercise to make sure their systems were compliant and there was no return. And many of them on first sight think regarding privacy that they're being forced to comply and they have to go back through all of those systems and upgrade them.

Our position is that rather than going through the process of updating all of your legacy systems, which will be an expensive exercise, if you consolidate that on one system you can add the privacy there. The customer information still exists on all those existing systems so you just need to ensure there are processes in place that limit access, say, from your marketing department to those other systems.

This approach has in fact been endorsed by some of the data protection commissioners in Europe. We have contact with all of them and they've said yes, this is a very viable approach.

How long have you offered a privacy solution as such?

We realised before even the legislation started to arise that because we were in the forefront of providing the largest data warehouses in the world and many of our customers were storing huge amounts of transactional and personal data - and now clickstream data - that it was absolutely contingent on us to ensure that we could provide privacy.

So we've actually had a team in place since the beginning of 1997. We have industry data models and they include all of the privacy extensions. We have some utilities that can help facilitate managing access into Teradata.

Is that privacy solution actually winning you new business in and of itself?

Nearly all the proposals we're making now have privacy in them and I think customers are seeing that as a differentiator. We have one customer in the US in the healthcare industry which implemented its own privacy solution and we're now working with them to add some of our extensions. There are two or three other companies in the dot-com and financial industry space where we're providing consulting services which will lead up to them implementing a solution.

Are there many public sector customers for the solution?

Not so far.

Why is that?

The main targets for NCR historically have been the retail industry, the financial industry, the telco industry, the airline industry. We haven't had a big focus on the public sector, but there are a few installations.

What the New Zealand government's talking about at the moment, as part of its whole e-government vision, is a single point of contact with government agencies. Which is great, but then you have to address privacy. There would seem to be room for a privacy solution or two there.

Absolutely. One of the other things we provide is the ability to keep a very comprehensive audit trail. So we can know after the fact who accessed exactly what information from what table. So if someone does call up and say, I told you not to send any mailshots to me but I got one today, the administrator can go back, see which individual accessed the information and find out whether it was justified.

I was interested in the public sector angle on that because last year we had people from the welfare agency selling information to debt collectors.

The same thing's happening in the US. The audit trail would capture and extract all that information. The other thing I would add is that some of the businesses I'm dealing with are realising that you have to go through an education process for everyone that works for the company - from the CEO down to the lowest level that has contact with the customers.

There's a major bank in the US which is putting together a self-teach manual which will be very simple - and at the end of it there'll be a statement to sign to say that you've gone through it. They're going to make every employee go through this training on their own and sign off on it. And they'll publicise it.

The basis of commerce and e-commerce is trust. Without any trust, no customer will sign up with any business. I think what we've seen recently, with the DoubleClick scenario in the US is that nobody has any trust in DoubleClick, therefore no one will use them.

The other point is that privacy and security are not the same. You do need security for privacy but you don't need privacy for security. There was an incident recently at CD Universe, where a hacker got in and downloaded a file containing 300,000 credit card numbers. So the impact of that security lapse was to destroy trust in CD Universe. They've now almost disappeared from the e-commerce scene.

What about the Intel PR debacle, over the ID on the Pentium III? Should they have approached that differently or not done it at all?

They shouldn't have done it. And now with the latest version of the chip they've taken it off. I think people have every good intention when they do things like this but what they don't appreciate are the privacy implications.

Going back to the online world, what about a free ISP's privacy policy that says 'We won't sell your information to anyone else - but we reserve the right to change that policy without notice'? Is that acceptable?

That was probably drafted by a lawyer. That's one of the problems - a lot of the privacy policies are drafted up by lawyers and therefore are incomprehensible to the common Web user. Most free ISPs' business is based on selling information about their customers, and if they're upfront about that when people sign up, then the individual makes the choice. Do I give my personal information knowing this company has told me it's going to sell it?

So what should a good privacy policy say?

It needs to say what information is being collected. Not only what information they're collecting from you but are there other sources - do they go off to another company to get your credit record? Do they go off to government systems to get other information?

So it's: what do we collect about you? How do we use it? If we take a scenario with a bank which may be affiliated with an insurance company and a brokerage house. They may then say, 'As you may know we're part of the XYZ financial empire and one of our affiliates is the ABC insurance company and the DEF brokerage company and our standard policy is to share information with those. We also share information with third parties.' They should make that clear, and they should show you how to opt out of that.

They should also identify an individual who can be contacted in a situation where the customer perceives there has been an abuse of their information. In the European Directive there's a requirement for companies to appoint a data protection officer.

Then they need to provide access to the information. I talked to a customer this week whose immediate thought was, well, if I have to provide access to this information, I've got information on 15 different systems, it's going to be very expensive. And I said, well, we can make it very inexpensive!

There's a debate about what access should be provided. We've just been participating in the US with the Federal Trade Commission advisory committee, which has been running for the last four months, with 40 companies involved.

We debated long and hard about access. And we decided that you've got to provide access to any information that the customer has provided you directly. The issue is that, say, for the banking industry we can provide algorithms to the banks that help them understand who are their most profitable customers. Should access extend to providing that profitability number? Should it extend to credit report information?

In other words, should information that you've generated on the basis of information you've been given be included?

The consensus on derived data was that that shouldn't be provided back to customers. The basis of that was that the algorithms used to compute that are a competitive advantage for the business. So all of the senior executives of one bank can take out an account at a competing bank and find out how that competing bank is rating them and what factors they use. So we decided that you should not be required to divulge anything that revealed your proprietary algorithms.

The FTC panel came up with a list of options rather than a finding, didn't it? Was it just too hard?

The groups going in there all had vested interests that were widely divergent from day one. I think it was obvious from the first meeting that there was never going to be consensus. So what was debated was what were the options in access - what information should be provided?

There were the consumer advocates who said "absolutely everything" and then there were the realists who were saying if we have to provide absolutely everything then we'll shut up shop because it'll be so expensive. So somewhere in the middle is the answer.

My view, again, is that without regulation market forces would pretty well resolve that. Some business will provide more than others and there will be a natural tendency for consumers to find that and to whoever they believe is more trustworthy.

You are depending on an increasingly well-informed consumer though, aren't you?

Absolutely. And that's going to happen over time. An analogy I like to use is another key business for us - ATMs. When ATMs started appearing in high streets, people didn't want to use them because they didn't trust them. Then they started getting used to taking money out of them. For 20 years I've been depositing cash and cheques, but there were people who wouldn't deposit cash in an ATM.

Over the course of the last 30 years, people have taken to this device they had no trust in. Once in a while, I might count the cash I get, but usually I just stick it in my wallet.

There's an initiative going on in the US at the moment, which NCR is part of, to educate consumers. To provide ads on television or simple brochures that say "this is what's happening - this is how your information is being used."
