In their research, the authors find that organizations increasingly collect sensitive electronic information. Currently, they do not have a unified way of defining or implementing privacy or security access control policies for such information. This makes it difficult for the organizations to put in place proper management and control of sensitive information or to verify that required or intended regulations for the use of information are met by the organization. Examinations of privacy policy implementations within organizations have not changed the picture much in the past 20 years. Although there has been considerable attention to the development and posting of privacy policies, these policies are generally vague and lack connections to technology that might implement them. Closing the gap between the high-level policies to which organizations strive to adhere and the low-level actions carried out within their IT systems is an important topic for research and development.