Secrecy, privacy, confidentiality -- August 19, 2005

Carlton Vogt's

Enterprise Ethics

Volume 3 Number 22 August 19, 2005

Secrecy, privacy, confidentiality

Three related, but distinct, concepts are often confused

As our privacy erodes and, in some cases is willingly abandoned -- often for an illusion of security -- we hear the word "privacy" thrown around. It's tossed about lightly, and is more often than not used incorrectly.

Someone glibly tells us that we "have no privacy; get used to it." Someone else tells us that we have to "sacrifice our privacy" if we want to get something else. And yet others tell us that we have no right to privacy to begin with. Still others tell us that if we do "X," then we have willingly surrendered our privacy.

The last argument was one I heard frequently when teaching student nurses. They would try to tell me that when you entered a hospital, or submitted to a medical exam, you had surrendered your privacy. They were wrong.

As with anything else, using words incorrectly when talking about privacy results in jumbled arguments and eventually ends in unacceptable conclusions. So, a short primer.

Secrecy, as the name implies, means simply not revealing information. If you know something, and you don't tell anyone at all, then the information is a secret. Once you tell even one person, the secrecy is gone. You'd like to think that you can share the information with a trusted friend -- and perhaps you can -- but technically it's no longer a secret.

Privacy, at least regarding information, means that we maintain control over information about ourselves, whether it's a secret or not. There is another understanding of privacy that involves how we interact with other people, but that's a different issue. I'm talking here primarily about information.

Confidentiality refers to the expectation that those with whom we do share information respect our right and ability to control that information.

Perhaps the biggest misunderstanding comes when we willingly share information, especially sensitive information, with another person. Many people try to say that when we do that, we have forfeited our right to privacy or that we have abandoned our privacy. While under certain circumstances that might be true, most often it's not.

Let me give an example:

Suppose I have an access number for my bank account, a PIN. I can choose the PIN, perhaps online, and no one knows what it is. For the time being it is a secret. That's not to say others can't somehow find it out -- or even guess it -- but it is a secret.

Now, suppose I have some reason to give you, my best friend, my PIN so that you can take some money out of the account for me. Have I surrendered my privacy? Many would try to argue that I had, but that would be incorrect.

I have surrendered the secrecy of my PIN, but in doing so I have actually exercised my privacy. I remained in control of my PIN and determined who besides me would know it. The secrecy may be gone, but my privacy is intact.

Also, since you are my best friend, I gave you the number with a reasonable expectation that you would respect my privacy -- my control over my PIN -- and wouldn't tell other people. In other words, I have a reasonable expectation of confidentiality -- and by accepting the PIN from me as a close friend, you probably have a rather strong obligation of confidentiality.

The same framework exists in the medical field. When I tell my doctor something, or disrobe in front of a technician, I am not surrendering my privacy. My secrecy, maybe, but not my privacy. I am choosing to do this and am maintaining control over access to my person and my information. And I do this with a reasonable expectation that those with whom I share this information will treat it as confidential and not reveal what they find out to those not directly involved in my care.

And we should expect the same in a business situation. For example, I tell my bank certain things about myself because the bank, if it is to do what I want it to do, needs that information. However, I am not surrendering my right to privacy in sharing that information. I am exercising that right. If the bank, for its part, were to share that information with inappropriate people -- perhaps spammers or telemarketers -- then it has violated my right to privacy by taking away from me control over my information.

The three situations I've outlined -- friend, medical provider, and bank -- are easily understood, and the violations of privacy are quite clear to us when they occur. If my doctor reveals information inappropriately, we don't have a lot of trouble determining that he or she has done something wrong. The same with the bank and with a friend.

Privacy has been under assault lately. Legions or people and organizations -- and even the government -- have begun collecting data on us, as well as photographing, filming, and recording us. Sometimes we are willing participants. Sometimes we're not. Sometimes the intrusion is justified. Sometimes it's not.

The trend is disturbing for three reasons. The first is that this is often being done under the guide of "security," when the increase in security isn't large enough to warrant the intrusion into our personal data. The second disturbing trend is that the people or agencies collecting the data don't seem to feel the obligation to treat the information as confidential and often use it for purposes beyond the rationale for collecting it, and often share it inappropriately.

The third, and more disturbing, trend is that we're becoming used to it. We're searched, screened, metal detected, X-rayed, patted down, and sometimes stripped. While sometimes this is warranted, often it's not. We now start youngsters on the path early on by searching them and their possessions in school. The ultimate danger is that it becomes part of the landscape and part of our daily lives.

The bottom line is that we have a right to privacy, no matter what. We have a right to control who has access to personal information about us, how they acquire it, and what they do with it. If someone takes that control away from us, then they have violated our privacy, whether it's someone who finds out our PIN without our consent or who gets it from us, but then shares it with others. It's violated when our medical providers or insurance companies share our personal data with marketers who use it to try to make money. And it's violated when the government collects data under one pretext and then uses it for another.