Pushing for Privacy in Your Organization
If other units, such as information technology services or legal counsel, have a say in your acquisition process, learn their policies and standards around privacy. They might cover only a legal minimum (legal compliance) or they might only be concerned about privacy protections for the data that the institution has to provide for the product. They might not be concerned about data the user can additionally provide, leaving that user data vulnerable to possibly harmful vendor data practices.
If you’re part of a larger organization, find out if it has a privacy officer or someone with privacy in their job responsibilities. In academic institutions, these people may be focused on course management software or early warning student monitoring, and library databases and other resources might not be on their privacy radar.
If you find negotiating on your own stressful, find privacy advocates and allies from your organization to help. For example, the IT department might have strong data privacy and security standards that you can refer to if another department pushes for a privacy-violating vendor resource.
Pick a vendor product; electronic resource, database, or system.
- What is the minimum amount of information a user must provide to use the basic version of this product?
- What additional information does a vendor require to use all the product features?
- How much additional user data is collected if the user decides to use the additional functions and services?
- Does the product encourage users to provide personally identifying data for personalized services?