Home Opinion The Conflict Between Data Governance and Customer Privacy

The Conflict Between Data Governance and Customer Privacy


With the explosion of data available to organizations, data governance is more important than ever. Data governance is the approach organizations use to manage data as an asset and covers four areas:

  • Data quality – focuses on how organizations use data for its intended purposes
  • Data privacy – the public’s expectation of how an organization handles customer data and legal issues surrounding how organizations manage and use data
  • Data security – protecting the data from abuse and unwanted activity
  • Data compliance data management practices adhering to organizational and legal policies

Data Ethics Impact Data Governance

Data ethics has a direct relationship to data governance, specifically on security and privacy. Ethics are a concern because the legalities surrounding new data sources from which organizations derive individual identities and behaviors have not been able to keep up with current applications of the data.

Data science and analytics enable organizations to determine the online behavior of clusters of individuals based on observation. Data science and analytics can also be used to understand customer patterns. Organizations use customers’ data to target individuals for special marketing campaigns and offers.

Although this use of customer information seems harmless, it raises important privacy concerns and questions.

Ethical Dilemmas Arise with Potential Misuse of Customer Information

In future, organizations will need to pay careful attention to the ethics of using customer data in marketing campaigns.

In 2012, for example, national retailer Target used the purchasing patterns of an underage female near Minneapolis to determine she was pregnant even before her father knew. Target created a “pregnancy score” based on customers’ buying patterns of about 25 products that signaled a possible pregnancy. Target would then send customers who had a high pregnancy score offers for merchandise. Target sent the girl offers for baby clothes and diapers after she earned a high pregnancy score; her father intercepted these offers. The father went to the Target manager to find out why Target sent this inappropriate material to his daughter. It turned out the daughter was indeed pregnant. This new information derived from data patterns created an ethical dilemma for Target.

Is it okay to use data to derive personal information that should be considered private? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes data privacy and security provisions for safeguarding medical information under which a woman’s pregnancy status or anything related to it would be covered. However, Target didn’t gain the girl’s pregnancy information from health records, but from her buying patterns.

Will Other Retailers Violate Your Privacy for Marketing Purposes?

The Target incident is only one case that pertains to ethical dilemmas about data privacy. Think about the information that can be derived from your data available today. If you are a major retailer’s customer and signed up for a frequent buying card or joined a customer program, the retailer collects quite a bit of data about you.

If you have a card at Safeway, for example, this grocery chain knows what you buy, when you buy it and where you buy it. Other information Safeway knows about you is the locations where you shop, the time of day you shop and what products you buy. Safeway also knows how often you purchase certain products and which member of your family purchases those products.

Personal health issues too can be exposed if you purchase medicines, vitamins or other products from major retailers. This type of information is not off limits to retailer and is not governed by HIPAA regulations. Providing you with coupons and offers to increase your purchases is good for Safeway’s profits. However, the data retailers collect about you becomes a privacy issue when other people are exposed to details about your behavior.

Personally Identifiable Information and Derived Information Not Equal

Organizations need to consider ethical, privacy and security issues that come with what is called “derived information.” This type of information is not specifically classified as private or personally identifiable information (PII), which is governed by law. When does derived information, which tracks and profiles the public, become a problem?

The situations where it’s okay to use this information is one of the ongoing debates in government today. Separately, retailers’ data about you may not provide that much information about you, but when all that information from retail stores is pooled together, the collected data becomes very powerful. Phone calls, text messages, social media posts and GPS information can be used collectively as a powerful tool to find out your personal information.

Derived Information Not Governed by Current Laws

Most data privacy and security laws focus on individual data points such as birth dates, Social Security numbers or other PII. Because current laws do not govern derived data, forward-thinking organizations should implement policies and procedures governing their use of derived data.

Organizations need to consider the ethical issues arising from this new type of information. Otherwise, companies may face negative publicity and public relations disasters in the future.