Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
Many organizations strive to protect the confidentiality of prospects and clients. In this column and the next three, I want to explore issues relating to privacy policies and the sometimes problematic relations between legitimate, well-meaning institutions and the commercial organizations with which they do business - and the criminal organizations which abuse their good names and reputations.
Norwich University’s Privacy Policy stands as an excellent example of a clear, well-written and comprehensive document - an example that could usefully be considered by readers of this column who may need a sample policy for their own organization’s use.
Links to the policy are available where visitors may enter personally identifiable information (PII); for example, the admissions-related pages have links at the bottom of every page with a data-entry form. Specifically, the policy makes the following essential points (quoting with added commentary in square brackets):
• “Norwich University requests a certain amount of information from our clients in order to provide the online experience.” [A privacy policy should begin with a statement of the purpose of data collection.]
• “Although we gather names, e-mail addresses, locations and other personal information (dependent on the platform being used), all information is kept confidential.” [The introduction makes the intent of the policy clear.]
• “Information is used for course registration, billing purposes, providing knowledge about our client base, managing our services and to assist us in making the online experience the best possible.” [These are useful clarifications of the intended applications for the collected data.]
• “Information about who may log in from time to time is analyzed in order to allow us to monitor and maintain our network. Information about our clients may also be used to provide feedback to our institutional clients; at no time do we share this information with an outside source. We may, from time to time, examine a platform for statistical purposes, but we will not identify any individual in doing so.” [These are specific constraints on how the data are to be used.]
• “Information placed on our systems may be available to others on our various platforms, depending on the platform chosen. This information is used strictly to allow a client to participate in their individual course(s) and is kept confidential. We will not divulge private information to any unauthorized person.” [These sentences add some more well-defined constraints.]
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.
Comments (2)
many security obligations
By Anonymous on August 28, 2008, 10:58 am
I disagree with the commenter who complains that Norwich's policy "does not give any information as to HOW the PII information is stored." The commenter implies...
Not a model policy at all
By Anonymous on August 26, 2008, 3:18 pm
FWIW, Norwich's policy is hardly a model policy. It does not give any information as to HOW the PII information is stored, and for how long. That alone demonstrates...