
College of Information and Communications


PR Prose: PR ethics questions about privacy and security policy

Posted September 8, 2017
By Dr. Shannon Bowen, professor in the public relations sequence
Reprinted with permission from PRWeek


There is an ethical responsibility in the digital arena involving the protection and use of private data and records.

When asked to explain your organization’s policy about the protection of privacy rights, what would you say? Perhaps there is no policy, or it has not even been discussed at the highest levels of your company. In that case, you might be opening the door to a crisis. Some companies sell customer data, but is that ethical? And do the customers agree to that use? Even worse, what is your security policy in case of a data breach? And if a breach occurred, what would the organization’s responsibility be?

No policy or a weak policy is a particular danger if you are in the retail sector where thousands of customer contacts, credit card records, and employee data are stored. Think of Target, in the news not long ago when customer records were hacked. What if you work for a bank, mortgage, or other financial company? Are your privacy policies in place? Healthcare data is another area of danger because it involves so much confidential information. Government PR pros are not immune to these concerns either; the South Carolina Department of Revenue was hacked nearly five years ago, revealing the sensitive finance records of thousands of citizens. Have you considered the privacy and security policy of organizations you might do business with or contractors for your client? Are their records secure? What would the PR responsibility be if a data breach did occur through your agency?

What if you work for a cellular phone company and the police want to access your security code to unlock the phone, as was the case with Apple? Is there a policy in your company to require a court order in such a situation? If you think this cannot happen, consider that a terrorist attack could happen at any time and your customer data could be involved in a court case. As a PR professional helping to identify the issues facing your company, you would have to consider the "what ifs" as well as the ethical responsibilities to both customers and law enforcement. Which should take precedence?

Perhaps the most obvious security issue is employee email: who has access to it and "owns" the content? Further complicating matters are social media postings by employees about your company. Has management in your organization addressed these issues with a fair and clear social media and digital use policy? Is it a policy that a PR professional can make public without fear of backlash from stakeholders? Has your upper management addressed this issue in a participatory meeting, encouraging all views to be expressed?

The ethical issue of data privacy is complicated and serious. All the questions above and more should be considered logically and addressed with policy or directions.

Points to consider:

1. What is your duty to stakeholders inside and outside your organization? First ask what your ethical responsibility to customers and employees is. What do they expect of you in terms of privacy? Protection? Respect? Confidentiality? Intention to do the right thing?

2. Disclosure is key. You have the ethical responsibility to tell people how their information is being used. Selling customer data to market research firms or others is not suggested, but if you do, make sure that customers have the opportunity to easily opt out of such lists. Then follow through and make certain that the opt-out is working and easy to complete. Selling aggregate, non-identifiable data does not require disclosure since people cannot be contacted. If you do not sell personal data, customers will appreciate your making public the fact that you do not share their information.

3. Work with information systems experts who can help you understand your strong points on security and data use. Control customer information inside your organization on closely monitored systems. Do not rely on remote "cloud" database systems for your customer data. In "cloud" systems, you shift the responsibility of security to someone else. If there is a data breach, your customers will still blame you, and they should, yet you have little control over security.

4. Consider communicating about the fact that you control customer data and how strongly you believe in your protection systems.

5. Set up a system to routinely purge customer records and data. Also, do not keep active files on customers who no longer do business with you. You can archive these records in a different inactive database for retrieval if needed.

6. Work with your legal counsel. Be sure your security policy includes a clause or direction that customer private information can only be shared with proper authorities with a warrant or judge's order.

7. Consider a digital policy and a social media policy, and include employees in its drafting so that their perspectives are represented.

The digital world is fraught with ethical challenges and technological pitfalls. The list of discussion points above is not all-inclusive, but should give PR professionals talking points to discuss with senior management. Acting as an ethics counselor includes not only resolving challenges such as those presented in the digital world, but also early identification of these potential problems so they can be successfully managed in advance of any crisis.