I was asked a most intriguing question the other day. How would I describe privacy concepts…to a four-year-old?
Why intriguing? Privacy is a hard concept to describe. What is or should be private information is invariably contextual. Some information may be considered “private” in one set of circumstances but perfectly acceptable for public release in another. In some respects, one could easily invoke the “I know it when I see it” test, perhaps most famously remembered from Mr. Justice Stewart’s opinion in Jacobellis v. Ohio, 378 U.S. 184 (1964):
“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it…”
If one wants to delve further into the topic of describing the complexity of privacy, I recommend Dan Solove’s book, Understanding Privacy.
So, how would one begin to explain privacy and personal information protection to a four-year-old?
Robert Fulghum’s 1986 book of essays All I Really Need To Know I Learned in Kindergarten brought home the point that the world would be a better place if we remembered to act according to the same rules children learn in their first days of schooling – look at everything around us and live by core principles involving balance and mutual respect. Since its publication, it has been parodied as well as used as the framework for communicating any number of concepts – both simple and complex. In trying to understand privacy, especially international privacy where the rules vary in scope and application across a number of countries, Mr. Fulghum’s “framework” – with suitable apologies – just might come in handy.
In the context of sharing toys between playmates, some of the basic concepts could be explained as follows:
If you want to play with someone else’s toys, you should ask first and explain what you want to do with them. In personal information protection terms, this means notice and consent. And, just as in wanting to play with someone else’s toys, be reasonable.
“Tell Them Who Is Going To Take Care Of The Toys”
“Only Do What You Said You’d Do”
“Take Care of Them While You Have Them”
Safeguards or security. It doesn’t matter what term is used. Just don’t lose the toys or leave them somewhere where someone could take them. Or, in privacy terms, don’t be reckless or negligent so as to lose personal information.
“Don’t Keep The Toys Forever”
The concept of limiting retention: most, if not all, privacy statutes do not specify retention periods – only that organizations should establish them. Record retention policies, coupled with secure destruction policies, crystallize retention periods for all the information held by the organization and should force an organization to think in terms of the “lifecycle” of its information holdings.
“If They Ask to See Their Toys, Let Them”
Think of this as an expression of the concept of access in the plainest of terms. An important point to note is that access covers not just the information provided by the individual concerned but also whatever the organization generated about the person. The exceptions to the rules become important here, especially in healthcare.
“If You Do Something Bad, They Can Tell Mom”
That’s not, in any way, shape or form, a reference to Jennifer Stoddart! Just a statement that there is someone to whom they can complain. Keep in mind that, in Canada, people can challenge the compliance of organizations by reference to data protection authorities.
Maybe privacy can be reduced to kindergarten terms. Anything that might represent a simple and easy way to let people understand the basic concepts of privacy is helpful. In one sense, privacy is about respecting personal dignity, and we can all use more of that in this world. After all, it’s really people who protect privacy, not policies or technology.