JCIT
– Judicial Standards for
Website
Presentation and Content
III.
Website Privacy
The
classic definition of privacy comes from Alan Westin's work "Privacy and
Freedom," in which it was defined as "the claim of individuals,
groups or institutions to determine for themselves when, how and to what extent
information about them is communicated to others." Gartner defines
"providing consumer privacy" as limiting the dissemination of
personally identifiable information that an individual or enterprise may have
about a consumer. Privacy policies are the frameworks that permit an enterprise
to provide privacy in a uniformly reliable manner.[1]
The Platform for Privacy Preferences Project (P3P) is an emerging industry standard that enables Websites to express their privacy practices in a standardized format that can be automatically retrieved and interpreted by user agents. The goal is to help users be informed about Website practices by simplifying the process of reading privacy policies. With P3P, users need not read the privacy policies at every Website they visit; instead, key information about what data is collected by a Website can be automatically conveyed to a user, and discrepancies between a Website's practices and the user's preferences could be automatically flagged. The goal of P3P is to increase user trust and confidence in the Web. P3P is an activity of the World Wide Web Consortium (W3C).
Associations and business are also addressing the privacy issue. TRUSTe, CPA Web Trust and BBB Online are new programs to ensure that an individual's privacy is protected. The TRUSTe principles include: "Adoption and implementation of a privacy policy that takes into account consumer anxiety over sharing personal information online. Notice and disclosure of information collection and use practices." The WebTrust program was established by the American Institute of Certified Public Accountants and addresses "business practices, transaction integrity and information protection." The Council of Better Business Bureaus (CBBB) has established a self regulatory online privacy program through its subsidiary BBBOnline. In 1999, the Office of Management and Budget (OMB) published a requirement that all federal agency Websites have a privacy policy, or a link to the policy on their main home page.
Website Privacy Standards
|
|
Alternative 1 – Basic Privacy |
Alternative 2 – Advanced Privacy |
|
Description |
The
Basic Privacy alternative requires that all privacy requirements identified
by DIR be addressed. |
In
addition to the Basic Privacy requirements, P3P coding is required for all Web
pages and must cover all
relevant data elements and practices.
|
|
Benefits |
The advantage to this approach is that it achieves basic privacy. |
The advantage to this approach is that it includes the newly emerging P3P capabilities. |
|
Disadvantages |
The emerging P3P capabilities will not be supported. |
The time and cost to develop and maintain the P3P labels is greater. In addition, the Internet community has not yet readily embraced P3P. |
Basic Privacy Standards Alternative
DIR’s SRRPUB11 includes privacy guidelines for State of Texas agencies. These DIR privacy standards will be used as the framework for the Basic Privacy Alternative.
Privacy Policy
Notice
A Privacy Policy will be published on every court Website, even if the site does not collect any information that results in creating a record. This statement tells the visitors to your Website how you handle any information you get from them. Court Websites are highly diverse, and provide different levels of functionality. The privacy policies that courts write for those Websites are also diverse. Courts must tailor their statements to the information practices of each individual Website. It is important to post your Website's policy promptly, so site visitors know the Website's information practices.
Choice
Specific Web-based forms that require personal information from a visitor shall post a privacy policy, or a link to the policy, at the top of the page or form indicating how the information will be used, and under what conditions the information may be shared or released to another party. The form will include a notice that the information may be a public record and, therefore, subject to the Rule 12 of the Rules of Judicial Administration.
Access
Citizens shall be able to view and contest the accuracy and completeness of data collected about them.
Security
Agencies that collect data must take reasonable steps to ensure that information collected from citizens is accurate and secure from unauthorized use. Web server security standards are addressed in the Security and Protection standards.
Cookies &
Web Bugs
A “cookie” file contains unique information that a Website can use to track visitor information such as passwords, lists of pages visited, and the date when they last looked at a specific page or to identify a session at a particular Website. Cookies come in several types, primarily session or persistent, and may be set and controlled, where the cookie information is sent, by the site itself or another site, or by a third-party in a different domain.
A new technology called a “Web bug” is being used by some Websites to track and report information about a visitor to a Web page. Web bugs are also called Web Beacons or Clear GIFs.
Courts that are providing access to information and services may have a valid requirement to use session cookies, providing that the use is disclosed in the associated privacy policy. In order for visitors to make informed decisions about the privacy practices of courts, the visitor shall be able to access the home page and Privacy Policy page without the site setting a cookie or using a Web bug to track the visitor. Courts will not use third-party cookies, persistent cookies, or Web bugs.
Advanced
Privacy Alternative
In addition to the Basic Privacy requirements, P3P coding is required for all Web pages and must cover all relevant data elements and practices.
P3P coding is required for all Web pages and must cover all relevant data elements and practices. P3P declarations are positive, meaning that sites state what they do, rather than what they do not do.
P3P policies represent the practices of the Website. Intermediaries such as telecommunication providers, Internet service providers, proxies and others may be privy to the exchange of data between a Website and a user, but their practices may not be governed by the Website's policies.
Websites can
implement P3P1.0 on their servers by translating their human-readable privacy
policies into P3P syntax and then publishing the resulting files along with a
policy reference file that indicates the parts of the Website to which the
policy applies. Automated tools can assist site operators in performing this
translation. P3P1.0 can be implemented on existing HTTP/1.1-compliant Web
servers without requiring additional or upgraded software. Servers may publish
their policy reference files at a well-known location, or they may
reference their P3P policy reference files in HTML content using a link tag. Alternatively, compatible servers may be configured to insert a
P3P extension header into all HTTP responses that indicates the location of a
Website's P3P policy reference file.
A P3P policy MUST cover all data generated or exchanged as part of a Website's HTTP interactions with visitors. In addition, some courts may wish to write policies that cover all data an entity collects, regardless of how the data is collected.