People care about their privacy. Government services are meant to be consistent and safe. Unsolicited marketing and scams make people very upset.
When companies don’t keep data private, there can be real consequences. Technology companies must be extra vigilant with privacy, and government agencies must pay attention to vendor privacy policies. Unfortunately, procurement processes don’t always cover privacy. Here, we will explore the basics of technology privacy.
There are three main ways a software provider can commit to privacy. First, they have to go beyond paying lip service and actually commit: their standards for privacy should be high. The company should be willing to go above and beyond keeping users’ data private. Second, they should organize their business operations to constantly ensure privacy. This might include, for instance, deleting data as soon as it is no longer needed. Data that is unnecessarily stored can be forgotten and left vulnerable. The third way is actually a different subject: keeping private data secure.
Look for High Privacy Standards
Set the bar high from the start!
How can you tell if a company is committed to data privacy? The biggest privacy signal is the company’s business model. If its products are free or very low cost, the company may be subsidizing access to the product by selling or otherwise monetizing the content later.
We put a great deal of thought into privacy. Our development team puts aside resources every quarter to ensure high privacy standards. For a quick summary of some of the best privacy advice we’ve heard, we recommend Maciej Ceglowski’s philosophy. Maciej is a data expert, and he’s influenced our development processes. His advice for an ideal data privacy policy is simply this:
- Ideally, don’t collect it!
- If you have to collect it, don’t store it!
- If you have to store it, don’t keep it!
ReCollect has been built with these principles in mind. ReCollect intentionally collects as little Personally Identifiable Information (PII) as possible to provide the service. Our team has also put a lot of effort into discarding and deleting data as soon as is practical, so that we are not storing PII more than absolutely necessary. (We have an industry-leading privacy policy of deleting all unused sensitive data after 90 days.)
Having high privacy standards often also includes regular third-party security audits, which help to enforce good privacy. If your software provider can provide certification of recent audits, that’s a good sign that they care about data privacy. We highly suggest you ask for privacy guidelines, and ask for third-party audits!
To help navigate privacy, there’s also this important question…
Who Owns “Your” Data?
Every app collects data about its users. This data may include street addresses, emails, phone numbers, and other service details. Whoever owns this data determines the privacy policy. Some software providers will keep ownership of the data, and some will defer ownership to their client. Whatever their policy, you can discuss this with them.
Whoever owns the data can do three things that could affect you: (1) they can change the privacy policy, (2) they can sell data to third parties, and (3) they can use the data for their own purposes, counter to your interests. These are common enough that they should cause concern.
There are three main types of data to maintain ownership over:
Operational data: In a software relationship, this is the data that the city provides. It might include data like waste collection schedules, geospatial data like parcel address maps, or educational materials like recycling guides. What happens to this data when you move software vendors? At a minimum, it should be deleted from the software vendor servers.
User information: This data comes from residents who sign up for the software program. It is the most valuable type of data, and is the stuff you’d want to export when parting ways with a vendor. If you don’t own this data, you could lose it, it could be sold to third parties, or it could be used in ways you do not control. Ask: Does the vendor expect to retain a copy of user info?
“Exhaust” data: These are the analytics that accompany the software (number of pageviews, for instance). This is harder to transport between systems because every app is architected differently. But these are the operational statistics that you can use to guide future use of the app. You should expect a vendor to export and delete that data at termination. It’s worth having this conversation before you start the relationship.
Will you get your data back? Will the vendor delete data you own when you terminate? Ask! It’s the only way to find out.
How To Keep Private Data Secure
It’s one thing to be conscious of privacy, and it’s quite another to uphold your privacy policy. This is where great security comes in. To learn more about whether a software program has robust security, read our Security Blog!