When companies don’t keep data private, there can be real consequences. Technology companies must be extra vigilant with privacy, and government agencies must pay attention to vendor privacy policies. Unfortunately, procurement processes don’t always cover it. Here, we the basics of technology privacy.
There are three main ways a software provider can commit to privacy. First, they have to go beyond paying lip service and actually commit: their standards for privacy should be high. The company should be willing to go above and beyond keeping users’ data private. Second, they should organize their business operations to constantly ensure privacy. This might include, for instance, deleting data as soon as it is no longer needed. Data that is unnecessarily stored can be forgotten and left vulnerable. The third way is actually a different subject: keeping private data secure.
Look for High Privacy Standards
Set the bar high from the start!
How can you tell if a company is committed to data privacy? In privacy, the biggest signal is the business model of the company. If their products are free or very low cost, they may be subsidizing access to the product in exchange for selling or monetizing the content later.
- Ideally, Don’t Collect it!
- If you have to collect it, don’t store it!
- If you have to store it, don’t keep it!
Having high privacy standards often also includes regular third-party security audits, these help to enforce good privacy. If your software provider can provide certification of recent audits, that’s a good sign that they care about data privacy. We highly suggest you ask for privacy guidelines, and ask for third party audits!
To help navigate privacy, there’s also this important question…
Who Owns “Your” Data?
There are three main types of data to maintain ownership over:
Operational data: In a software relationship, this is the data that the city provides. It might include data like waste collection schedules, geospatial data like parcel address maps, or educational materials like recycling guides. What happens to this data when you move software vendors? At a minimum, it should be deleted from the software vendor servers.
User information: This data comes from residents who sign up for the software program. It is the most valuable type of data, and is the stuff you’d want to export when parting ways with a vendor. If you don’t own this data, you could lose it, it could be sold to third parties, or it could be used in ways you do not control. Ask: Does the vendor expect to retain a copy of user info?
“Exhaust” data: These are the analytics that accompany the software (number of pageviews, for instance). This is harder to transport between systems because every app is architected differently. But these are the operational statistics that you can use to guide future use of the app. You should expect a vendor to export and delete that data at termination. It’s worth having this conversation before you start the relationship.
Will you get your data back? Will the vendor delete data you own when you terminate? Ask! It’s the only way to find out.
How To Keep Private Data Secure