The Growing Concern for Privacy Online
by Judy Applebaum, Shirley Marciniak, and Paula Quenoy
Members of NACE Technology Committee White Papers Subcommittee
(2004)
Introduction
The issue of privacy and technology is foremost in the minds of today's technological society. Our charge was to learn as much as possible about privacy policies and how to protect an individual's privacy online. Our goal for this white paper was to formulate "how-tos" for preparing a privacy policy for a career services or employer web site. We quickly discovered that the complexities and legalities surrounding this topic would prevent us from doing so.
Thus, this paper evolved into an overview of privacy issues with the following three sections:
- The first section introduces the concept of the privacy policy and contains important information to assist in beginning its development.
- The second section addresses educating job seekers to protect their privacy.
- The third section provides valuable resources to support and assist with the important areas referred to above.
Our investigation into the issue of privacy was greatly enhanced by reviewing a great deal of research and writings on privacy and the job search, and speaking with Pam Dixon, one of the founders of the World Privacy Forum and a journalist who has written on technology, the workplace, and privacy.
Through the Technology Committee's research on this complex topic, we quickly came to the conclusion that:
- It is vital for career services offices and employers to have appropriate privacy policies and properly adhere to them.
- It is a necessity to consult legal counsel while developing your web site's privacy policy and prior to posting it.
This touches the surface of the journey you will take as you develop your privacy policy, but we hope it will point out some important considerations as well as save you time and effort.
Privacy Policies and Data Security
Privacy of an individual's personal information is an important and widely discussed technological issue facing society today. With the rampant development and use of various sources of technology, security of our personal data is more important than ever.
Online technology has allowed organizations to provide users with more meaningful, customized, and personal services than ever before. However, along with these advances has come the potential for misuse of the personal data collected. Thus, technology users have become increasingly interested in protecting their privacy online. This has caused many individuals to be reluctant to provide identifying information when using the Internet. This means, in order to attract, serve, and protect users, it is very important that web sites that gather identifiable information clearly spell out how personal information will be used and what steps web site owners have taken to protect it. The document that spells out how this information is used is called an organization's "privacy policy." All web sites gathering personal information have a responsibility, and in many cases, a legal requirement, to develop one.
Privacy policies are unique to each web site. Since privacy policies are based on each organization's individual practices regarding the collection, use, and sharing of personal information, one cannot take the cookie-cutter or cut-and-paste approach to developing a privacy policy for a web site. Within a given organization it may be necessary for various departments to have their own web site privacy policies.
Creating Your Web Site's Policy
If you are not familiar with privacy policies, a good starting place is to look at privacy statements posted by organizations similar to your own. From these statements you can gather ideas about key elements to consider including in your policy. Professional organizations related to your business may also provide information regarding best practices for creating and maintaining a privacy policy. Knowing what the privacy standards are for your business is important and may save you from having to make changes in the future.
When creating your policy statement, we suggest keeping the following criteria in mind:
- Why and how you collect certain information;
- How the user can view and edit personal information; and
- How and to whom you disclose personally identifiable information.
Based on your research and organization's needs, you might consider developing a vision for what you would like your policy statement to be. With this vision in mind, your organization's practices and policies, and the resources you have accumulated, you are ready to create a draft.
We also encourage you to try one of the privacy policy generators available on the Internet. These generators ask leading questions about your Internet web site that address specific privacy policy elements. Your answers are tabulated and a privacy policy draft is created for you. The draft can be edited to fit your needs and business. One of the major benefits of using a generator is that it addresses operational issues you may not have thought about. The Technology White Papers Subcommittee found the generator to be a real eye-opener regarding the specific points that need to be considered in developing and writing a privacy statement.
Other Considerations
One area that is often overlooked in privacy policies is spelling out how you collect data from your users. Be sure to include what data collection features you are using. For example, if you use cookies, state this and clearly describe how cookies are being used, what information you are capturing, and how it will be used.
We recommend you include an opt-in/opt-out opportunity if you distribute personally identifiable information to third parties and/or use it for a purpose unrelated to the stated reason it was collected. This means, site users can choose whether their information may be distributed to a third party or used for a purpose unrelated to the reason for which it was collected.
It is best to involve senior management and staff/employees responsible for key operational functions in the development of your privacy policy. It is also wise to consider your organization's long-term business plan. This will allow you to draft your policy to cover changes in procedures you may be implementing and avoid jeopardizing users' trust.
When writing your policy, it is also critical to use language that is easily understood by the reader. Read the statement as if you were a first-time visitor to your web site. Ask yourself, what is the intent of your statement and do you trust the statement. The purpose of your policy should be
- to be informative and clear about your intent,
- to develop trust with your users, and
- to create a policy that is likely to be read.
Further, remember that your privacy policy must be kept current with technological advances and changes in practices your organization implements after it is written. It is important to mark the text so these changes are easily recognized. Remember, to maintain your users' confidence in your policy, you should change it only when absolutely necessary. Prior to releasing your web site privacy policy, it is essential to have your management and legal counsel review it.
You may also want to contact one of the organizations that can brand your site with a seal of approval.
We advise your privacy policy be posted on your web site's main menu and/or navigation bar so it is available to users prior to the collection of personally identifiable information. In addition, you should include a link to the policy in multiple locations and provide links to your privacy policy from any page where users enter personal information.
Educating Staff on Privacy
Just as important as your web site having a privacy policy is how your organization implements and staff adhere to the policy. You may wish to develop an implementation strategy to teach and inform all staff when the new policy is in place. It is crucial to make sure the organization's procedures and employees are compliant with your policy. This means educating/training staff regarding all aspects of practices described in the policy and keeping them informed as changes are made.
- Let all staff know when the policy is in place and review it with them.
- Educate employees regarding the importance of privacy to your business and the necessity of complying with the privacy policy in the day-to-day performance of their jobs.
- Instruct employees that have access to personally identifiable information how and when this information may be used.
- You may choose to appoint an individual or team to "champion" the privacy policy to be sure it is in sync with your current practices and review compliance by staff.
- We suggest you establish a way to track inquiries and complaints. Then, you will be able to respond to users' concerns/questions and make changes to policies or procedures as necessary.
There are a tremendous number of resources available to help you learn more about privacy policies and how to write one. In the third section of this paper you will find resources the Technology White Papers Subcommittee thinks you may find helpful.
The Career Services' Role in Teaching Privacy Protection
Career services professionals are consistently encouraging students and alumni to use online data bases and partnering with vendors to "push" opportunities and content electronically to interested clients. For most career centers, the web site is just as important or even more important than the front door to the physical office.
This shift continues to be driven by students and alumni who are accustomed to having what they need available on the web when they need it. As career services centers rush to provide web content and services, and students become more reliant on the Internet, students have neglected to pay attention to protecting their privacy online. As career centers are charged with the education of students in the job-search process, it is important that career centers incorporate online privacy protection as an integral part of teaching the job-search process.
Teaching the Risks of Online Job Searches
Many students and alumni have become so accustomed to providing information on the web that they may be unaware of the risks they take in the process of looking for a job. It is important that career centers provide information on some of the risks associated with an online job search.
Some of those dangers include:
Spam (junk e-mail): While junk e-mail may seem like more of an inconvenience than a risk, an e-mail box full of spam makes it difficult for a job seeker to maintain effective communication with potential employers. New legislation and software products have begun to address this problem; however, simple measures taken by the job seeker are much more effective in fighting spam.
For example, it is a good idea for job seekers to set up an e-mail account specifically for the job search. This allows for better tracking of e-mail correspondence by the job seeker.
Carefully reading and completing registration forms on job-search sites will also cut down on spam. On most sites, the registrant has the option of asking to not receive offers and mailings from "partners" of the web site. The default for this option is usually in favor of receiving these offers; opting out of the offers is typically as simple as unchecking a box. If this option is not provided, a job seeker should think twice about giving a web site a personal e-mail address.
In addition, the job seeker should provide detailed information about the type of job that he or she is seeking and the experience the job seeker can offer in order to allow the site to properly target and send "job-alert" messages.
In addition to these precautions, job seekers should use some type of spam-blocking technology. Many Internet service providers and companies providing free e-mail accounts have built-in spam blocking.
Identity theft: Many job seekers are unaware of the dangers of giving out their Social Security numbers during a job search. All a thief needs is a Social Security number and a resume to steal a job seeker's identity. A Social Security number is the key to getting credit cards, loans, and fake identification.
The worst part about identity theft in relation to new graduates is that it may take them a long time to realize that they have been victimized. It is only when an application for credit or a job is denied due to a bad credit history that a new graduate will realize the extent of the problem. Many of the same people who shred all of the credit card offers they receive in the mail might not think twice about entering their Social Security number when registering on a job-search site. In fact, they should think twice. An employer should only require a Social Security number pre-hire if it is absolutely necessary. The job seeker has the right to ask if and why the information is required.
Resume shopping: Many job-web sites allow anyone who can pay a fee to search the resumes on the site. Some less than ethical commission-based recruiters shop these web sites for candidates to pitch to employers, which makes the resumes of job seekers less credible to employers. If job seekers know what to look out for, they can learn safer resume-posting habits that get their resumes to the employers that interest them or to ethical third-party recruiters that work in their best interests.
Perceived disloyalty: Currently employed individuals who are looking for work may be labeled as disloyal employees and miss opportunities at their current workplaces if their employers find their resumes online or intercept job-search related e-mail sent from the office.
Important Points to Cover
Career services professionals as the on-campus job-search experts are in the right place to teach the skills necessary to fight these risks. In fact, career professionals were teaching privacy long before the Internet appeared. Most, if not all, resume workshops have covered the need to limit the personal information provided on a resume.
When the career center served as a physical intermediary between employers and job seekers, the career professionals took most of the responsibility for protecting the privacy of job seekers. Career services staffs have some methods of ensuring that information is only released to employers who may interest the job seeker and protecting an employed job seeker from having information sent to their present employer.
Even as web-based services have given job seekers more control of their information online, many continue to falsely assume that any vendor or link represented on a career center web site is "safe."
It is important that career professionals remind job seekers that they are responsible for taking some, if not all, of the following precautions to protect their own privacy:
1. Limit access to personal information:
Limiting access to personal information is still the best way to protect an individual's privacy. Job seekers are in full control of the amount of information they share in a job search. Career professionals should remind job seekers at every opportunity to think twice before they provide information on the web.
This is especially true of the Social Security number. There are very few times when an employer has the need for a Social Security number prior to hiring an individual.
Unfortunately, many job seekers ignore privacy policies and end up with unwanted e-mail and phone calls because they've offered too much personal information online.
Encourage job seekers to ask job-search web sites questions about what requested information is used for and why. It is also important that career services professionals encourage job seekers to notify them of any information request that sounds out of line. This allows the career center to verify the requests with an employer or to remove offending links from their career center web sites.
2. Evaluate job listing sites:
The most important section of a job listing web site is the privacy policy. Job seekers should be reminded to read each site's privacy policy carefully and to move on if it is not comprehensive. There are organizations (including BBBonline and TRUSTe) that provide "privacy seals" to web sites with policies that meet specific criteria. While a privacy seal is a good indication that a web site's privacy policy is all right, the seal is not a guarantee.
In addition to a solid privacy policy, a job listing site should include an instant means to "opt out" of any direct or indirect contact from the web site owner or from web site partners as a result of registration. The ease of including this option gives legitimate job-listing sites no excuse for requiring job seekers to call or write a letter to get off mailing lists. However, this option is of no consequence if job seekers do not take advantage of it. Career professionals should remind job seekers to check privacy and "opt-out" policies often as these policies are often subject to change without notice.
It is also important to remind job seekers to post their resumes only on the sites they find valuable. "More" is definitely not "better" when posting resumes online. Job seekers should keep track of where they have posted their resumes, allowing them to know where any unwanted solicitations may originate. In addition, keeping track of where their resumes are posted will allow job seekers to remove their resumes when they have secured positions. Job seekers should also be encouraged to limit access to their resume when it is an option. This affirms their control of their information.
3. Take action:
Provide constant reminders: One of the most important things career professionals can do is to remind job seekers of the importance of protecting their privacy. Simply including the information above in your job-search materials and presentations and/or adding a section on privacy in the job search to your web site will make a difference.
Practice what you preach: Check the privacy policy and "opt-out" procedures on a job site before you add the link to your web site. If you would suggest that a job seeker think twice before registering, don't link to the site. Check web-site policies annually for changes and don't be afraid to let a vendor know why you think an organization's policy is suspect.
Respond quickly to job seeker concerns: If a job seeker questions a site or submits an information request, respond quickly. This will encourage job seekers to continue to ask questions.
Resources to Consider When Creating a Privacy Policy
The following resources were mentioned repeatedly while researching the topic of privacy policies. These will be of value when creating your privacy policy, keeping abreast of the issue of privacy, and preparing to educate students about privacy.
Privacy Policy Generator
To gain an understanding of the information needed and complexities of creating a privacy policy, the Technology White Papers Subcommittee recommends using the Organization for Economic Cooperation and Development (OECD) Privacy Policy Generator.
- Organization for Economic Cooperation and Development
The OECD describes themselves as: "30-member countries sharing a commitment to democratic government and the market economy. With active relationships with some 70 other countries, NGOs, and civil society, it has a global reach. Best known for its publications and its statistics, the organization's work covers economic and social issues from education, development to science and innovation. This group developed the OECD Privacy Policy Generator which uses a questionnaire to learn about your personal data practices. Answers are then fed into a pre-formatted draft policy statement."
- The World Privacy Forum (WPF)
The World Privacy Forum's web site says: "The World Privacy Forum is a nonprofit, nonpartisan organization that conducts research, investigates, and documents the state of personal privacy in the Information Age and explores the privacy implications of a range of technologies and policies for the purpose of educating the public and policymakers about these issues."
Our investigation into the issue of privacy policies was greatly enhanced by speaking with Pam Dixon (one of the WPF's founders) as well as reviewing her research and writings on privacy and the job search. Dixon is an author and journalist and has written on a variety of subjects including technology, the workplace, and privacy.
This site contains an enlightening study: 2003 Job Search Privacy Study: Job Searching in the Networked Environment: Consumer Privacy Benchmarks. This report addresses privacy issues in today's job search. It provides a look at what is happening to applicants' job-search data and resumes. It evaluates leading online job-search sites, resume writing services, employment kiosks, resume data bases, Internet profiling data bases, and resume distribution services. It also includes discussion of privacy issues such as use of Social Security numbers at job sites; resume sharing and cross-posting issues; use of third-party cookies at job/career sites; resume selling and theft; frequency and quality of privacy notices; and trust and seal programs on job sites.
In addition, the study provides consumer tips for use of technology in the job search as well as best practices at career sites.
- The Dixon Report
Pam Dixon reports on the subjects of technology, the workplace, art and culture, privacy, new media, education, and technology policy.
- Privacy Rights Clearinghouse
This is the premier consumer resource for identity theft and other consumer privacy issues.
- Privacy & American Business
"Privacy & American Business (P&AB) is an activity of the nonprofit Center for Social & Legal Research, a nonprofit, nonpartisan public policy think tank exploring U.S. and global issues of consumer and employee privacy and data protection. P&AB developed and maintains www.PrivacyExchange.org, a free web site that serves as a global reference resource on privacy. P&AB's research and surveys on key business-privacy issues have made the front pages of the nation's leading dailies, magazines and trade publications."
Provides an overview and resources regarding online privacy.
The Center for Democracy and Technology says it "works to promote democratic values and constitutional liberties in the digital age. With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in global communications technologies. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media."
Enforcement Programs
The following organizations provide privacy seals for web sites to indicate that privacy standards have met their criteria. It might be helpful to look at the guidelines set by these sites to help write your policy.
- The Better Business Bureau OnLine
BBB OnLine is the arm of the Council of Better Business Bureaus that specifically deals with web sites. Their Privacy Seal confirms that the company stands behind its online privacy policy and has met the BBB's program requirements regarding the handling of personal information.
- TRUSTe
TRUSTe is an independent nonprofit organization dedicated to promoting consumer understanding of online privacy issues and equipping individuals with the information needed to control their information online and to protect their privacy. Web sites that display the TRUSTe privacy seal agree to comply with ongoing TRUSTe oversight and an alternative dispute resolution process.
NACE Resources
- NACEWeb
"What Laws Apply to Protecting the Privacy of Job Seekers' Personal Information?" by Rochelle Kaplan. Winter 2002 Journal of Career Planning & Employment. This article also includes information on what questions organizations should ask as they develop their own privacy policy or assess vendors' privacy policies.
"Federal Agency Recommends Data Privacy Policies for Web Sites" by Rochelle Kaplan. Spotlight (11/10/2001)
Government Resources
Federal, state, and regional legislation must be adhered to when creating a privacy policy. Below you will find government resources that include relevant legislation regarding privacy and privacy policies or the disclosing of student information by schools. We urge you to check with your organization's legal counsel prior to creating and posting your privacy policy.
An excellent source of information on privacy and privacy policies:
Good sources of information on maintaining and releasing student information:
- Family Educational Rights and Privacy Act (FERPA) U.S. Department of Education
- Federal Privacy Act of 1974
- Title VII of the Civil Rights Act of 1964
- Americans with Disabilities Act
Federal legislation that protects against the unauthorized and wrongful interception of wire, oral, or electronic communication, and other forms of improper surveillance:
- Electronic Communications Privacy Act of 1986
- Legislation Affecting the Internet: Center for Democracy and Technology
- EPIC Bill Track (Tracking privacy, speech, and cyber-liberties bills in the 108th Congress)
- California Office of Privacy Protection (California OPP has an excellent bill tracker that will help you stay up to date on privacy legislation, and there is a best practices guide for notification on the data base protection law.)
International Privacy
The European Union's Data Protection Act applies to every citizen of the EU, and is a very stringent law that has been deemed to apply to data flowing into the United States belonging to EU citizens. The EU Data Protection Act was passed in 1995, and is now in full force, and the privacy commissioners are beginning to enforce it. For example, a U.S. company cannot accept phone numbers from an EU subsidiary without explicit consent and contractual agreements in place. The Data Protection Act applies to universities accepting information from EU citizens.
In the case of career centers, it applies primarily to those career centers helping EU citizens find jobs or internships in the U.S. This is a very complex law but basically states that entities must have explicit written consent from the data subject before accepting any personally identifiable information. Consent is very tightly defined, so the law is quite challenging to comply with. For example, a career center accepting a resume from an EU citizen for inclusion on the university system will need to get written consent first, plus the entity collecting the information also has to guarantee "adequate safeguards" for the information. Here is the page with the original act, plus all of the recent regulations. http://europa.eu.int/comm/internal_market/privacy/law_en.htm
Articles and Resources to Assist With Online Privacy Issues
- "Resume Database Nightmare: Job Seeker Privacy at Risk" by Pam Dixon, Online Job Search Privacy Study, February 2003
- "Job Seekers' Guide to Resume Databases" by Pam Dixon, The Dixon Report, February 2003
- "Tips to Safeguard Your Privacy" Pam Dixon, November 2003
- Center for Democracy and Technology
- Links to privacy tools including anonymizers, cookie management, and ad blockers
- EPIC - Online Guide to Practical Privacy Tools (links to privacy enhancing tools from cookie busters to snoop-proof e-mail)
- GetNetWise: The GetNetWise coalition wants everyone to be just "one click away" from the resources they need to make informed decisions about their and their family's use of the Internet.
- ConsumerPrivacyGuide.org: Includes articles on "How to Read a Privacy Policy" and "Top Ten Things You Can Do To Protect Your Privacy"
- Privacy Rights Clearinghouse: Consumer resource for identity theft and other consumer privacy issues.
- Book: Internet Privacy for Dummies, John Levine, Gregg Steben, Ray Everett-Church, Wiley Publishing, Inc., July 2002
8/2004