Normally we try to operate all transfers of personally identifiable information by the principle of informed consent. In the discussions on privacy at the NORDUnet conference, Andrew Cormack pointed out that in practice the guiding principle for services may well be the necessity to transfer and process personally identifiable information. Privacy guidelines explicitly allow processing when there is necessity, as illustrated in the figure below.

Informed consent and necessity

One example of necessity is if my hospital needs to notify my family physician that the X-ray pictures show a rampant pneumonia. Not notifying the person responsible for prescribing antibiotics may harm my health, and in this situation the necessity is easy to understand.

In the EU regulations, the necessity part seems to be interpreted differently from country to country.  Denmark has legislation allowing parts of the public sector to exchange information according to necessity.  In Norway this is put into some specific laws, but is not an overall guiding principle with a carte blanche.

There is discussion on what constitutes similar services, and whether informed consent to transfer information needed for exam registration is really voluntary when the alternative may be to travel for 20 minutes and spend an hour in an office to complete the same transaction on paper. If the prior procedure was all on paper, and the web self-service interface was introduced as a complement to standing in line, the answer may be that it is voluntary. If the procedure was on the web, and the paper procedure was added as a fallback, then it may not be voluntary enough.

This then raises the question of who gets to impose what costs. May I as a user impose the cost of a paper procedure on my university, but gain the feeling of online privacy? If this is only a feeling, and the university processes my PII data together with everyone else's, the only gain for me was avoiding Internet transfer. Does that make sense? Does it make sense for stuff that must be conducted online? Or does it only make sense in those situations where I do not trust the service provider? If I have to trust the service provider to handle exams, I may have to trust them with information in order for them to provide my credentials.

I am not sure what to think about the necessity part of privacy.  But I do know that keeping users informed is polite, and politeness is necessary.
