WattsSEL7007-8-6Graded - Steve's Doctoral Journey

WattsSEL7007-8-6
Expecting Privacy in the Digital Age
Stephen W. Watts
Northcentral University
Expecting Privacy in the Digital Age
In the United States certain expectations of privacy exist for most citizens. For the most
part, each person is entitled to privacy if they are not in a public setting and if they are not
participating in an action that could impinge upon another person or group. These expectations,
however, can change when technology is introduced. Since the Internet is part of the worldwide
web, an argument could be made that when you enter, you are no longer in a private setting
regardless of your physical location or setting. Laws in the United States protect and espouse the
expectation of privacy unless there is a countervailing rationale to justify encroaching upon it.
These laws enforce a privacy balance that weighs the needs of the many against the rights of the
one. Outstanding intro
Balancing Privacy
In the United States, privacy is a basic human right afforded by the U.S. Constitution and
many other laws (Lim, Cho, & Sanchez, 2009). From the public’s perspective, however, it is
almost universally believed that people have less privacy than they used to and this is a bad thing
(Langenderfer & Miyazaki, 2009). Belanger and Crossler (2011) reported that 17 of 20 adults
believe controlling access to personal and private information is very important. Sometimes the
need to protect, maintain order, or ensure the safety of many outweighs the privacy expectations
of individuals (Burgunder, 2011). The law will generally uphold an intrusion into privacy for
these reasons as long as the encroachment is neither unreasonable nor highly offensive
(Burgunder, 2011). Unreasonable intrusions into individual online privacy are normally of three
forms: privacy invasion, improper use of information, or improper acquisition of information
(Lim et al., 2009). Impressive APA and content
Privacy and Technology
Technology provides any number of convenient ways to gather information about
individuals that may be considered private. Technological privacy used to be primarily
concerned with keeping intruders from accessing computers or systems, but is now primarily
focused on controlling personal information (Langenderfer & Miyazaki, 2009). Privacy
considerations in organizations deal with two factors: How is personal information used or
reused, and is permission gained from the people that the information is about (Culnan & Carlin,
2009; Tang, Hu, & Smith, 2008)? According to Belanger and Crossler (2011) information
privacy is “the interest an individual has in controlling, or at least significantly influencing, the
handling of data about themselves” (p. 1018). Information privacy consists of the right to
privacy in personal communication and to data privacy, and comprises four dimensions:
“collection, unauthorized secondary use, improper access, and errors” (Belanger & Crossler,
2011, p. 1018). Burgunder (2011) mentioned several technologies that might be used for, or
considered, an invasion of privacy, including biometric scanning, radio frequency identification,
global positioning system, cell phones, MySpace, Facebook, and Google Street View. Along
these lines, the Children’s Online Privacy Protection Act (COPPA) requires parental consent
before collecting personal information from children under 13 and applies certain restrictions on
the data that is collected (Burgunder, 2011). Some claim, however, that COPPA is outdated in
that it does not address privacy concerns with regards to social media or smart phones (FTC to
Update, 2012) and lacks meaningful enforcement standards (Langenderfer & Miyazaki, 2009).
Although the U.S. government has legislated laws regarding the privacy of data in the
educational, health, and credit data fields (Tang et al., 2008) it has “adopted, in the main, a
hands-off approach with respect to private data collection and exchange, . . . [making it]
increasingly incumbent upon individuals to take an active role in the ways they safeguard their
own personal information” (Langenderfer & Miyazaki, 2009, p. 383). Combine these findings
with the fact that 85% of business organizations or institutions of higher learning experienced
“some sort of reportable privacy breach during the previous year, [with] 63 percent report[ing]
multiple breaches” (Belanger & Crossler, 2009, p. 1018), and it is apparent that improvements
need to be made.
Fair Information Practices (FIP) have been established to “provide individuals with
control over the disclosure and subsequent use of their personal information, and describes
organizational obligations for data protection” (Culnan & Carlin, 2009, p. 127). FIP are used as
the basis for regulatory programs in many organizations, and for privacy laws. FIP in the United
States have five elements. Individuals have the right to know what data is collected about them
and how it will be used, called notice. Individuals have the right to object or opt out of reuse of
their personal information in ways that are different from the reason it was originally collected,
called choice. Individuals should be provided the ability to see the information collected about
them and be able to correct any errors, called access. Organizations that maintain data stores
have the obligation to provide security, ensuring both data integrity and protection from
unauthorized access. Finally, FIP identifies that policies should be in place to ensure that these
principles are complied with, called accountability (Culnan & Carlin, 2009; Tang et al., 2008).
The ability for organizations to send clear and unambiguous messages regarding their policies
and intentions of protecting privacy engenders and enhances trust (Tang et al., 2008).
Privacy in the Classroom
The privacy issues in higher education are very similar to most commercial
establishments in a number of ways. Educational institutions often engage in commercial
activities in the form of relationship marketing, accepting of donations, selling of school
paraphernalia, textbooks, and athletic tickets, which if not effectively managed pose privacy
risks (Culnan & Carlin, 2009). Also, like commercial establishments, decentralizing computer
environments between departments poses a larger privacy risk without a centralized security
protocol and strategy. A potential breach of security is the large online stores of sensitive
personal information regarding educational institutions’ students, faculty, and staff (Culnan &
Carlin, 2009).
Culnan and Carlin (2009) conducted a study in which they compared the security policies
“of the top 236 schools from the US News and World Report 2004 list of best colleges” (p. 127,
emphasis in original) with FIP. The authors found that “higher education lags the private sector
in addressing privacy issues” (Culnan & Carlin, 2009, p. 128). Privacy notices regarding FIP
should be consistent, and should be attached to every page of an organization’s web site that
collects data (Culnan & Carlin, 2009). From this study, the authors identified six key elements
for managing privacy: (a) assign responsibility, (b) develop a privacy policy, (c) determine the
laws and regulations that apply, (d) review access of individuals and organizations and make
sure that they comply with policy, (e) ensure staff, faculty, and students receive appropriate
privacy training, and (f) consistently audit to ensure compliance with privacy laws, regulations,
and policies (Culnan & Carlin, 2009).
Privacy in an educational setting also requires a balance. The educational institution has
its own vested interests to protect, but must also protect the interests and rights of its students,
faculty, and staff. In the left column of Table 1 are listed the resources and obligations of each
educational institution in protecting itself and the student body from harm. The right column of
Table 1 alternately identifies actions and obligations that the institution has to ensure that
encroachment into the privacy of each individual student does not exceed what is absolutely
necessary.
Table 1
Relevant Considerations for Privacy in the Classroom
Educational Institution Purposes
• To protect institutional assets and resources
• To ensure that institutional assets are used for appropriate purposes
• To reduce exposure to sexual harassment claims
• To reduce exposure to defamation claims
• To reduce exposure to harmful consequences to the institution
• To confirm reasonable suspicion of harmful activity
• To help create trust

Reasonable Expectations for Privacy
• The circumstance of the intrusion
• The degree of the intrusion
• Existence of an acceptable use policy
• Notice of monitoring on all institution pages
• Notice of privacy on all institution pages where personal information is collected
• Consent acquisition on registration or hire
• Procedures to minimize privacy intrusions
• Procedures to confirm results
• Procedures regarding consequences for harmful activities
• Procedures to guard private information
Professional Opinion
In a classroom setting it is expected that certain amounts of privacy will be maintained
and sacrosanct. While the class is a public setting, and the expectations of privacy are
diminished from those one might expect at home, there are some expectations. For example,
each student would have the expectation that topics discussed in the class are germane to the
topic of the class and would not pry into irrelevant details about the student’s life. Students may
have the expectation that papers, tests, and grades will be kept private, or presented in a way that
has no easily identifiable information.
I have not experienced a situation online in which my personal information was
compromised. You shouldn’t! I fall into a category of users that are less concerned about their
online privacy. Research demonstrates that males who are technically savvy are less concerned
than are female users, or those who are less technically competent (Belanger & Crossler, 2011;
Lim et al., 2009). Because of this competence and information gleaned from news articles and
technical journals, I am more likely to recognize the security ramifications of a presentation, and
judge my willingness to divulge information based on those considerations.
Conclusion
Privacy in the digital age is most concerned with the control of personal information.
Personal information on the Internet is not governed by any overarching organization or set of
laws. While some laws apply to certain arenas of information, many instances of personal
information are not covered by law. Honest organizations that rely on the trust and faith of
consumers to purchase their products generally subscribe to self-regulation and FIP because it is
in their best interests. Institutions of higher learning, however, have not been so circumspect in
their implementation of procedures to protect the personal information of their students, their
faculty, or their staff. Most impressive work Steve!
References
Bélanger, F., & Crossler, R. E. (2011). Privacy in the digital age: A review of information
privacy research in information systems. MIS Quarterly, 35(4), 1017-A36. Retrieved
from http://www.misq.org/
Burgunder, L. B. (2011). Legal aspects of managing technology (5th ed.). Mason, OH: South-Western Cengage Learning.
Culnan, M. J., & Carlin, T. J. (2009). Online privacy practices in higher education: Making the
grade? Communications of the ACM, 52(3), 126-130. doi:10.1145/1467247.1467277
FTC to Update. (2012). FTC to update children’s online privacy. Information Management,
46(1), 7. Retrieved from http://content.arma.org/IMM/images/JanuaryFebruary%202012/IMM_0112_full%20issue.pdf
Langenderfer, J., & Miyazaki, A. D. (2009). Privacy in the information economy. Journal of
Consumer Affairs, 43(3), 380-388. doi:10.1111/j.1745-6606.2009.01152.x
Lim, S. S., Cho, H., & Sanchez, M. (2009). Online privacy, government surveillance and
national ID cards. Communications of the ACM, 52(12), 116-120.
doi:10.1145/1610252.1610283
Tang, Z., Hu, Y., & Smith, M. D. (2008). Gaining trust through online privacy protection: Self-regulation, mandatory standards, or caveat emptor. Journal of Management Information
Systems, 24(4), 153-173. doi:10.2753/MIS0742-1222240406