HiSPEC. Key Outcomes to date. The take-up of e-Commerce is being adversely affected by concerns about Privacy and Security. An assessment of Privacy and UK Websites E-protection: Use and Attitudes throughout the UK Promoting e-Protection through Social Marketing
HiSPEC Key Outcomes to date

The take-up of e-Commerce is being adversely affected by concerns about Privacy and Security
• An assessment of Privacy and UK Websites
• E-protection: Use and Attitudes throughout the UK
• Promoting e-Protection through Social Marketing
• Best Practice Guidance

Publications & Reports
‘Best Practice Guidance for System Designers’ is available for public consultation on www.dataprotection.gov.uk

HiSPEC Best Practice Guidance

• Problem
  • There is a lack of understanding among Designers of their role in privacy protection
  • The challenge is to develop best practice guidance for System Designers
• Solution
  • Easy to remember acronym: F A R S T A R S
    • Fair
    • Adequate
    • Rights
    • Specific Purpose
    • Transfer
    • Accuracy
    • Retention
    • Security
• Benefits
  • Can be applied at each stage of the design life cycle
  • Example: Accuracy
    • Requirements: identify ‘check by date’ for each data item
    • Design and Build: include an auditable mechanism for ‘signing-off’ data accuracy
    • Evaluation: include a clear process for Data Subjects to correct inaccurate data
    • Use and Monitoring: regularly review data validation procedures
HiSPEC Publications & Reports

Enabling Environment for e-Commerce
• Devices, Desires or Distrust: encouraging the use of e-commerce. Workshop: e-2003 e-challenges conference, Bologna, Italy, Oct, 2003
• E-Protection Solutions: Use and attitudes amongst UK Internet user population, Report on NOP study
• Stories, Myths and Metaphors: Understanding Internet self-exclusion, HOIT 2003, University of California, Irvine, April, 2003

Design for Trust
• Multi-Story Trust and Online Retailer Strategies, International Review of Retail and Distribution Research, forthcoming
• Study of Compliance with the Data Protection Act 1998 by UK based websites, Report to OIC, November, 2002

Social Marketing
• Social Marketing and the Application of Decisional Balance in the Context of Online Privacy Protection, Global Business & Technology Association Intl Conf., Budapest, July, 2003
• The Application of the Transtheoretical Model to the Adoption of Self-Protection Methods for Online Privacy and Security, European Association for Education and Research in Commercial Distribution, 12th International Conference, July, 2003
• Using the Transtheoretical Model to Understand and to Influence Consumer Adoption of Security and Privacy Enhancing Technologies, E-Factors, University of Surrey, April, 2003

Best Practice Guidelines
• Overview of P3P; The dangers of P3P, Reports, March, 2003
• Privacy Enhancing Technologies - State of the Art review, Dec, 2002
• FARSTARS Best Practice Guidance on Data Protection for Systems Designers, 2002
HiSPEC Promoting e-Protection

[Figure: Decisional Balance Changes with Stage of Adoption. Labels: Agree, Disagree, Pros, Cons, Adoption]

• Problem
  • There is significant lack of awareness and lack of use of e-protective solutions.
  • The challenge is to promote self-protection amongst all Internet users.
• Solution
  • Social Marketing - a tool to produce positive behaviour change.
  • Change seen as a process of ‘stages of change’ towards adoption.
  • Adoption associated with a positive “decisional balance” comparing gains and losses.
  • Helps identify who to target with what type of message, e.g., high-low threat.
  • Uses many strategies - education, promotions, advertising, community mobilisation.
• Examples
  • Promoting more secure passwords: intranet education/cartoon scenarios/quizzes
  • Checking for https: posters/leaflets/community activation/web-based examples
• Benefits
  • Greater ownership of privacy and security by Internet users.
  • Encourages self-confidence in use of e-commerce.
  • Improved knowledge and awareness of privacy and security for Internet users.
HiSPEC E-protection: Use and Attitudes

• Problem
  • The rapid spread of viruses and continuing ‘spam’ troubles suggest that many Internet users are not fully implementing e-protection. Which people are using what precautions? If they are not, is this because they are unaware of what is available, is ease of use holding them back, or are there other reasons for not using?
• Description
  • NOP online survey obtained weighted data from 1,100 UK weekly users of the Internet aged 16+ about awareness, use and attitudes towards 5 solutions chosen to represent low (privacy policies) to high (encryption) technical requirements.
• Outcome
  • Problem of non-use is pervasive - at best just over 50% are using a simple e-protection solution, e.g., checking for HTTPS - just 9% using encryption software.
  • Lack of awareness prominent - particularly amongst less experienced users.
  • Perceived difficulty, extra hassles, techno-phobia and fear of social disapproval are all significant attitudes preventing adoption of e-protection solutions.
• Benefits
  • The survey indicates strategies for encouraging adoption of individual solutions.
  • Low levels of awareness suggest education campaigns.
  • Poor attitudes suggest social marketing and community based promotional campaigns.
  • Usability problems suggest adjustments to existing solutions.
  • Data also suggest specifications for next generation privacy enhancing technologies.
HiSPEC Privacy and UK Websites

• Problem
  • To assess the degree of compliance with the 1998 Data Protection Act by UK websites
  • To unveil the reality behind the promise: what is promised on the site versus reality
• Method
  • Independent analyst assessment of a representative sample of UK websites
  • In-depth interviews by telephone and face-to-face
  • Post visit assessments
• Key Results (full report available)
  • Large or regulated companies show a high level of compliance
  • Small or unregulated companies typically show a low level of compliance
  • 25% of sites provide no contact details
  • Only 5% of Privacy Statements reached the recommended readability score
  • Security and Retention are the greatest cause for concern
    • Only 45% of sites have a data security policy related to Data Protection
    • Many companies do not have a retention policy or procedures for removing data
• Recommendations
  • Small companies need more support and freely available education
  • Web site developers need a greater understanding of the implications for site design and database design of security and retention requirements

[Figure labels: Security, Retention]