Privacy Statement

Definition

A privacy statement is the security work product that is a legally-binding document that describes the personal information gathering, usage, and dissemination practices of a single application (e.g., website).

Objectives

The typical objectives of a privacy statement are to document:

• What personal information is being collected by the application
• How this personal information will be used
• What choices, if any, are available about how the personal information will be collected, used, and distributed
• With whom, if anyone, the personal information will be shared
• Safeguards to protect the personal information from loss, misuse, or alteration
• How one can update or correct inaccuracies in one’s personal information

Benefits

The typical benefits of a privacy statement include:

• It helps to establish a trusting relationship between the customer organization and the user organization based on respect for personal identity and information.

Contents

The typical contents of a privacy statement include:

• Introduction
  • Scope
  • Privacy Principles
• Information Collection
• Supplimentary Information Sources
• Information Usage
• Information Sharing
• Information Security
• Information Correction
• Change Notification
• Contact Information

Stakeholders

The typical stakeholders of a privacy statement include:

• Producers:
  • Security Team
• Evaluators:
  • Management Inspection Team
• Approvers:
  • Project Manager
  • Technical Leader
  • Customer Representative
• Maintainers:
  • Security Team
• Users:
  • The user uses the privacy statement to understand the privacy aspects of the application.

Phases

• Business Strategy: Not Applicable
• Business Optimization: Not Applicable
• Initiation: Started
• Construction: Completed
• Delivery: Maintained
• Usage: Maintained
• Retirment: Archived

Preconditions

Privacy statements can typically be started if the following preconditions hold:

• The initiation phase is started.
• The security policy has been largely completed.
• The security team has been adequately staffed and trained in security policy production.

Inputs

Privacy statements typically have the following inputs:

• Work Products:
  • Security Policy
  • System Requirments Specification
• Stakeholders:
  • Domain Expert (security)
  • Domain Expert (lawyer)

Guidelines

• More detailed information about website privacy statements can be found at TRUSTe.
• More guidelines can be found at TRUSTe Protection Guidelines.

Conventions

Privacy statements are typically constrained by the following conventions:

• Content and Format Standard
• HTML Template
• TRUSTe MS Word Template
• XML DTD Template
• Inspection Checklist

Examples

• Example Privacy Statement