Demonstrating Responsible Stewardship: Organizations & Personal Information


Imbibing the ethic of responsible stewardship requires a shift in thought for organizations, as it involves “choosing service over self-interest” [1].

Drawn from the Bible, the words “For we are taking pains to do what is right, not only in the eyes of the Lord but also in the eyes of man.” [2] express the idea of “responsible stewardship” [3] and bring to the table values such as integrity, credibility and accountability.

An organization deals with a database of personal information of people in various roles – employees, benefactors, shareholders, and clients.

Each person who is involved with the organization, in whatever role, deals with it with a level of trust: trust that any information the person voluntarily discloses to the organization will be valued, respected, safeguarded, and used only for the purpose it was intended for, only by those who are authorized to do so, and only for the time-span necessary.

When an organization takes into consideration the ethic of responsible stewardship, it humbles itself enough to know that it has been privileged to be trusted with personal information, that with this it has also taken on a huge responsibility of doing “what is right” with it, and that it is accountable. It will take “pain” in going the extra mile in ensuring the information's safety and integrity, and make building its credibility and trustworthiness a priority.

Such an organization may further cement its relationship with “responsible stewardship” by being part of the dialogues initiated by non-profit organizations like the Information Accountability Foundation (IAF), which looks to “push information accountability and data stewardship as the key components of organizational information policy” [4].

The organization will have to deal with personal information in three key functions – collection, maintenance, and distribution.

Collection of Personal Information:

Minimal Information – The organization will ensure that it collects only as much personal information as is essential for processing the necessary tasks.

Safety of collection – The collection, if on paper, will be done in confidentiality (and the paper disposed of carefully, without giving rise to dumpster diving), and if online, will be done through secured network protocols and encryption standards.

Awareness – The organization will take on the responsibility of educating and making aware the person who divulges his information, about best practices in doing so safely.

Transparency – The organization will be open to revealing why they require the information that they have asked for, so as to assure the person involved that no unnecessary and indiscriminate information is being collected.
They should also be transparent about the information distribution policy.

Confirmation – The organization will ask the person involved to confirm that the personal information that they are collecting has been divulged voluntarily.

Receipt – The organization will maintain written records and communication with the person involved and provide acknowledgments on receipt of the personal information.

Accountability – The organization will commit to be accountable and liable.
Although in the US “there is no single, comprehensive federal (national) law regulating the collection and use of personal data” [5], there are laws which “apply to particular categories of information, such as financial or health information, or electronic communications” [5].

Maintenance:

Database Security – The organization needs to invest in its technology and personnel and ensure database and information security. This includes design, encryption, firewalls, updates, patches and maintenance of the systems and software.
It needs to ensure the “C-I-A triad” of information confidentiality, integrity and availability at any given point in time.

Policies – The organization should have clear and transparent policies with regard to the maintenance of data, security compliance, audits, and data breach response.
These policies should be crafted keeping in mind the concepts of “service” and “responsibility” that go with the ethic of stewardship.

Access – Only authorized personnel have access to the limited subset of personal information they require for doing the necessary operations, and only for the time-frame they need it for.

Distribution:

Minimal to zero – An organization which holds high its core value of stewardship will act with integrity with the personal information entrusted to it. The distribution of such information to third parties will be minimal and ideally non-existent.

Consent – When a person’s information is to be distributed beyond the boundaries of what was disclosed when it was collected, it will need to be explicitly communicated to the person and their consent will be necessary.

Selective Distribution – The information when distributed (after being deemed necessary and after consent), will be shared with similar organizations which uphold the ethic of responsible stewardship. This is necessary in order to prevent information misuse after distribution.

References

  1. Block, P. (1993). Stewardship: Choosing service over self-interest. San Francisco: Berrett-Koehler.
  2. The Bible. 2 Corinthians 8:21. New International Version.
  3. Seven Standards of Responsible Stewardship™. (n.d.). Retrieved from http://www.ecfa.org/content/standards
  4. Welcome to the Information Accountability Foundation. (n.d.). Retrieved from http://informationaccountability.org/
  5. Data protection in United States: Overview. (n.d.). Retrieved from http://us.practicallaw.com/6-502-0467