ETHICAL ISSUES RELATED TO DATA COLLECTION AND STORAGE (STUDY OBJECTIVE 11)

There are many ethical issues related to the collection, storage, and protection of data in databases. Companies collect and store a wealth of information about customers in their databases. The ethical issues related to such data can be examined from three perspectives:

  1. Ethical responsibilities of a company to its customers
  2. Ethical responsibilities of employees to the company and its customers
  3. Ethical responsibilities of customers to the company

The ethical responsibilities that companies have to customers revolve around collecting only necessary data from customers, properly protecting customer data, limiting the sharing of customer data, and correcting errors in customer data. The ethical responsibilities of employees are to avoid browsing through data or customer records unless necessity dictates, not to sell customer data to competitors, and not to disclose customer data to related parties. Customers also have ethical responsibilities related to providing data to the companies that they deal with. These include providing accurate and complete data when those data are necessary, and upholding the obligation not to disclose or use company data that they may have access to. Each of these types of responsibilities is discussed in detail in the sections that follow. This discussion of ethical issues is not intended to list and describe all ethical issues related to databases, but to describe many of the important ethical considerations.

ETHICAL RESPONSIBILITIES OF THE COMPANY

The data collected and stored in databases in many instances consist of information that is private between the company and its customer. For example, your bank has your Social Security number in customer records, as well as the Social Security numbers of all its customers. This is an example of nonpublic data that your bank should not share with anyone else. The bank has an ethical obligation to maintain the privacy of your data, such as your Social Security number, account balance, and telephone number. All companies collect at least some private data from customers. The sensitivity and privacy of that data depend on the nature of the business and the type of services or products sold. For example, a medical office has very private and confidential files on each patient. The medical office has an extremely high level of responsibility to protect the privacy of client information. On the other hand, a bookstore has very few pieces of private or confidential information from customers. However, a bookstore may have some data that are private, such as credit card numbers and data on buying habits and types of books purchased. Even companies that do not sell to end consumers collect and store private data. For example, Anheuser-Busch sells beer to convenience store chains and grocery store chains. Each chain it sells to has data that it wishes to keep from competitors, such as data on credit limits, prices paid, and quantities purchased.

Online companies that sell via websites have an even higher duty to maintain customer privacy and confidentiality. In fact, the AICPA Trust Services Principles (described in Chapter 4) have an entire section devoted to online privacy. Within the Trust Services Principles, the privacy framework lists ten privacy practices that should be adhered to by online companies:

  1. Management. The responsibility for an organization's privacy practices should be assigned to a specific person or persons. That responsible person should ensure that the organization has defined and documented its privacy practices, and that they have been communicated to both employees and customers. Management would also include the responsibility to ensure that privacy practices are followed by employees.
  2. Notice. The organization should have policies and practices to maintain privacy of customer data. Notice implies that the company provides the privacy practices to customers in some form. At the time that data is to be collected, a notice should be available to the customer that describes the privacy policies and practices. Many e-commerce organizations accomplish this by providing a link on their website to privacy policies. Notice should include information regarding the purpose of collecting the information, and how that information will be used.
  3. Choice and consent. The organization should provide choice to its customers regarding the collection of data, and also should ask for consent to collect, retain, and use the data. The customer should be informed of any choices that the customer may have to opt out of providing information. The customer should have access to descriptions about the choices available. The customer should also be able to read policies about how the data will be used. As in “notice” above, these descriptions usually are in the form of a link to privacy policies.
  4. Collection. The organization should collect only the data that are necessary for the purpose of conducting the transaction. In addition, the customer should have provided implicit or explicit consent before data are collected. Explicit consent might be in the form of placing a check mark by a box indicating consent. Implicit consent occurs when the customer provides data that are clearly marked as voluntary, or when the customer has provided data and has not clearly stated that it cannot be used.
  5. Use and retention. The organization uses customers' personal data only in the manner described in “notice” from part 3. The use of this data occurs only after the customer has given implicit or explicit consent to use the data. Such personal data is retained only as long as necessary.
  6. Access. Every customer should have access to the data provided so that the customer can view, change, delete, or block further use of the data provided.
  7. Disclosure to third parties. In some cases, e-commerce organizations forward customer information to third parties. Before this forwarding of data occurs, the organization should receive explicit or implicit consent of the customer. Personal data should only be forwarded to third parties that have equivalent privacy protections.
  8. Security for privacy. The organization has necessary protections to try to ensure that customer data are not lost, destroyed, altered, or subject to unauthorized access. The organization should put internal controls in place that prevent hackers and unauthorized employees from accessing customer data.
  9. Quality. The organization should institute procedures to ensure that all customer data collected retains quality. Data quality means that the data remains “accurate, complete, current, relevant, and reliable.”
  10. Monitoring and enforcement. The organization should continually monitor to ensure that its privacy practices are followed. The organization should have procedures to address privacy-related inquiries or disputes.

In addition to these ethical obligations to customers, companies have an ethical obligation to shareholders to ensure that company data are properly protected. For example, competitors may try to gain access to company data through what is generally called industrial espionage. Data are a valuable commodity, and the company value to shareholders can be harmed if sensitive data fall into the hands of competitors.

To properly protect data, companies should have appropriate internal controls as described in Chapter 4. These controls help prevent unauthorized access and browsing of data. Controls, including log-in procedures, passwords, smart cards, biometric controls, encryption of data, and firewalls, can provide some protection from unauthorized access to data.

THE REAL WORLD

No matter how extensive the controls in place, it is never possible to completely eliminate unauthorized access. In April of 2011, Netflix disclosed that it had fired an unnamed call center employee for stealing credit card information from customers he had spoken with on the phone. The company declined to disclose the number of customers affected. The “monitoring and enforcement” practice mentioned above is intended to help discover problems such as this and to fix them quickly. In this case, a Netflix spokesperson said, “We do everything we can to safeguard our members' personal data and privacy, and when there's an issue like this, we deal with it swiftly and decisively.”4

ETHICAL RESPONSIBILITIES OF EMPLOYEES

Within organizations, many employees must have access to private data about clients and customers. These employees have an ethical obligation to avoid misuse of any private or personal data about customers. Three examples may help illustrate this ethical responsibility. Internal Revenue Service (IRS) employees regularly must see and work with tax returns. However, they should never browse through, disclose, or improperly use tax return data. This is a legal duty, as well as an ethical duty, in the case of the IRS. Medical offices also maintain very private data about personal medical histories. The protection of those data from improper use is both an ethical and a legal responsibility. In the third case, the duty to avoid misuse of customer data is an ethical duty, but not necessarily a legal obligation. For example, a payroll clerk in a company may have access to employee pay rates. While it may not be illegal for the clerk to disclose these pay rates to others, it is certainly unethical to do so.

In addition, some employees have access to proprietary data that would be harmful to the company if disclosed. An example would be sales information by product. Competitors such as Pepsico, Inc., and Coca-Cola Co. could gain competitive advantage if one of them acquired detailed knowledge about the other's sales data. Employees should never disclose proprietary or confidential data about their company to outsiders.

There are no specific IT controls that would always prevent authorized employees from disclosing private information, but having and enforcing a code of ethics within the organization can reduce the chances of such disclosure. Proper IT controls, such as log-in procedures, passwords, smart cards, biometric controls, encryption of data, and firewalls, can help reduce unauthorized access by employees.

ETHICAL RESPONSIBILITIES OF CUSTOMERS

Certainly, customers have an obligation to provide accurate and complete information to companies that they deal with when the requests for such data are legitimate business needs. For example, when you apply for a new credit card, the issuing company deserves full and complete disclosure of your credit history. In addition to this obligation, customers in some cases may have access to company data that should be kept confidential. Customers have an ethical obligation to avoid the improper use of data that they gain from accessing a database as a customer.

THE REAL WORLD

Near Lexington, Kentucky, the breeding and racing of thoroughbred horses is a significant industry. Tracking the bloodlines of the thoroughbreds used as studs in breeding is important information to those who breed and race these horses. During the 1970s, a company named Bloodstock began maintaining a database of stud horse and mare bloodlines and race handicapping data. Breeders and others could establish an account with Bloodstock and access this computer database in choosing a stud horse to use for breeding or for handicapping races. Eventually, this database became a web-based resource called BRISNET.

In 1997, someone began establishing and using fictitious customer accounts to access the BRISNET database. Over a period of months, this person accessed and downloaded BRISNET data. He then posted these data to his own database and website and began selling the data at prices below those charged by Bloodstock. Upon discovery of this unethical act, the United States Attorney of the district, surprisingly, declined to charge the violator with federal crimes. However, Bloodstock settled out of court with the violator for an undisclosed dollar amount.5
