FTC: Consumer Privacy Comments Concerning The Dun & Bradstreet Corporation --P974806

Federal Trade Commission

Request for Comments

Database Study -- Comment: P974806

Consumer Privacy 1997 -- Comment: P954807

Case Study of Dun & Bradstreet's
Data Protection Practices

The Dun & Bradstreet Corporation
One Diamond Hill Road
Murray Hill, NJ 07974

May 29, 1997

Table of Contents

I. Introduction and overview of The Dun & Bradstreet Corporation

II. Core issues for self-imposed action

III. Examples of Dun & Bradstreet's data protection practices

A. Dissemination controls

B. Data quality

C. Purpose and notification

D. Rights of data subjects

E. Documentation and training

F. Assignment of functional responsibility

IV. Options for data protection practices and rationale for D&B approach

V. Summary and conclusions

"At least one company, Dun & Bradstreet, does maintain significant data protection for the information it collects about business principals in its business reporting activities."(1)

I. Introduction and Overview of The Dun & Bradstreet Corporation

The underlying philosophy of The Dun & Bradstreet Corporation, "Man's Trust in Man," is at the heart of the company's activities, especially in its handling of information. A statue bearing the quotation sits in the lobby of the company's headquarters, underscoring a principle of its founding in 1841 -- created for the purpose of providing accurate, impartial and trusted information about businesses to facilitate commerce. While the companies of the corporation include Dun & Bradstreet, Moody's Investors Service and Reuben H. Donnelley, the focus of this paper will be Dun & Bradstreet.

Dun & Bradstreet collects information on over 44 million business establishments from 217 countries, investing $360 million annually in these data collection activities. Up to 1,500 data items are collected on each business, drawn from sources ranging from the owners or principals of the business itself to public records.

Attachment 1 contains the company's Business Information Report product, which provides an example of the business data collected. While all are business related, some are specifically identifiable to the individual owners or principals of the business entity. Data that are business related, such as those collected by Dun & Bradstreet, are limited to information about the business principals deemed relevant and necessary for business credit decisions. Such business uses represent non-personal interests, pertaining to a business enterprise for business-to-business commerce decisions, not the individual personally.

The distinction between personally identifiable information that is of a business nature and information that is of a consumer or personal nature is a meaningful one as data protection issues are directed typically to the latter. Such data include personally identifiable information about individuals in their personal capacity as opposed to business capacity, if any. Despite the absence of an omnibus regulatory regime in the United States, Dun & Bradstreet is nonetheless comprehensive in the application of data protection practices, as noted by the authors quoted in the opening of this paper.

II. Core Issues for Self-Imposed Action

Dun & Bradstreet has offices in 37 countries, of which 26 have some level of existing national data protection laws, enacted for the purpose of providing guidelines on the collection, processing and dissemination of information about individuals (see Table 1).

Table 1

Countries of Operation and Presence of National Data Protection Laws

Argentina

Australia

Austria

Belgium

Canada

China

Czech Republic

Denmark

Finland

France

Germany

Hong Kong

Hungary

India

Ireland

Israel

Italy

Japan

Korea

Malaysia

Mexico

The Netherlands

New Zealand

Norway

Peru

Poland

Portugal

Russia

Singapore

South Africa

Spain

Sweden

Switzerland

Taiwan

United Kingdom

United States(2)

Zimbabwe

The presence of these laws, however, is not the principal reason why Dun & Bradstreet applies data protection practices proactively in all its countries of operations, including the United States.

National laws, while specific in their direction, are not the bases for action. Rather, the bases for action are the benefits to the company, to the businesses it serves and to the individuals upon whom we depend for the provision of information.

III. Examples of Dun & Bradstreet's Data Protection Practices

Through detailed written documents, comprehensive employee training and careful auditing, Dun & Bradstreet aggressively promotes data protection practices throughout its business activities. The commitment carries to shareholders, who see the company's general statement on data privacy in the annual report (See Attachment 2).

The following highlight several of the more visible practices in the context of traditional data protection instruments, such as the European Union Data Protection Directive adopted October 1995.

A. Dissemination Controls

Controlling access benefits both Dun & Bradstreet, as a provider of information, and the data subject at issue. Controls are applied over those D&B employees, and those within a customer site, who may have access to certain data systems. Restrictions are also imposed on the uses of the attendant data, discussed later in Section III.D.

Dun & Bradstreet protects the confidentiality of the data it collects through strict contractual processes that stipulate valid/authorized uses of the data supplied to users. For example, the company does not provide reports or information to third-parties without a contractual relationship. The standard contract binds customers to relevant US and foreign laws by specifically stating: "Customer agrees to comply with any applicable requirements imposed by US or foreign law, or, if unable to comply, to refuse the Information, Software or other service subject to the foreign law."

B. Data Quality

Data quality is at the heart and soul of any successful information company. Insuring that data are as up-to-date and accurate as practicable benefits the data subject and Dun & Bradstreet. Exhaustive measures are applied to this goal where, in the US alone, there are over 17 million direct business contacts per year, including in-person, telephone and mail interviews that generate 670,000 updates per day.

A Dun & Bradstreet quality review program, as one example, is maintained in the local office where data about a business entity are first collected. Applying this measure at the point of data collection engineers quality into the collection process. The approach is superior to addressing quality exclusively at the end of a process (traditional quality control), whereby more errors can enter a system and, potentially, increase the errors being communicated externally.

C. Purpose and Notification

The purposes associated with the data Dun & Bradstreet collects bridge to an earlier stated mission -- providing accurate, impartial and trusted information about businesses to facilitate commerce. To that end, careful attention is paid to insuring clarity for data providers and employees.

The most "personally identifiable" data captured and reported by Dun & Bradstreet are antecedent information about the principals or owners of a business entity. The stated purposes behind capturing this information, as an example, are that it gives trading partners a sense of who is responsible for the decisions that drive that business, provides the business qualifications of the managers and serves as a resource to assess the likelihood of the business' success. First and foremost, the owners or officers of a company are approached as the best source of such information and, therefore, are immediately aware of its existence.

Notification of the existence of or change in information about a business is addressed proactively elsewhere in Dun & Bradstreet's practices. For example, each time a business report undergoes a full revision, a post card notification is sent to the primary contact at the business entity, alerting him or her to the update and providing a toll-free number to contact to receive a complimentary copy of their Business Information Report.

D. Rights of Data Subjects -- Access, Correction and Limiting Uses

Dun & Bradstreet provides data subjects specific rights to insure that data are reported fairly, objectively, accurately and completely. Failure to empower a data subject will, in the long run, temper that individual's or organization's willingness to volunteer information, thereby compromising the completeness of the data sought. Our goal is to have the best data possible for our customers, which is feasible only if data providers support that goal.

We provide a business entity access to the information we capture about it, procedures for initiating a correction process for errors and the ability to limit uses of certain data. For example, when the business owner or principal contacts Dun & Bradstreet with information about a potential error, we "act promptly to correct errors or misleading information, whenever we learn of it."(3)

Depending upon the matter raised by the business management, a "Stop Distribution" can be applied to the relevant business report until resolved.

Dun & Bradstreet's dedication to reporting facts accurately and fairly necessitates having no hesitation in stopping the distribution of a report and issuing a correction notice. When it has been brought to our attention that information issued in a report is erroneous or is asserted to be erroneous, we not only seek to stop the distribution of the report in question but also the distribution of ancillary products affected by the error. A correction notice is then sent to those known to have received the erroneous data. A detailed control sheet for managing corrections contains over 30 steps, each dated, to address distribution stoppage, corrective action, report/product revision and correction notices.

Access to Dun & Bradstreet information is restricted or restrictable from several vantage points. Two examples include restrictions we apply unilaterally and restriction options we make available to data subjects (the business entities). Uses prohibited unilaterally are those uses that conflict with the stated purpose for which information is collected.

Concurrently, a business may have its information removed from business marketing lists published by Dun & Bradstreet. The "de-listing" can be requested orally or in writing by an authorized representative of the business, resulting in its removal from marketing directories, publications and/or mailing lists. Every effort is made to discuss the de-listing process with the business to both understand the reason for their request and to insure that the request may not be misdirected (e.g., business principal, receiving direct marketing material, was selected from a list not belonging directly or indirectly to Dun & Bradstreet).

E. Documentation and Training

Internally developed documents span volumes exceeding 1,000 pages total and address over 1,000 instruction sets on more than 350 topics, including guidelines for data collection, accuracy, quality control, updating, notification, disclosure and more. Examples of the relevant reference material include:

The Manual and Guide for Dun & Bradstreet Analysts

  1. Keys to Basic Business Reporting
  2. Accuracy in Reporting
  3. Reporting General Instructions
  4. National Reporting Training Publication
  5. Manager's Source Book of Policies and Procedures
  6. Information Policy Manual

These documents detail the policies and procedures associated with data collection, quality reviews, responding to inquiries, handling complaints, reporting changes/updates, correcting erroneous files internally and those delivered by third-parties, and excluding certain data. A relevant leading statement in one of the training documents reads "there is a vital need to respect individuals' rights of privacy," and "[employees] will not discuss Business Information Reports or the contents of Business Information Reports with non-business associates or friends."

Five groups of "data handlers" are educated on relevant aspects of the above points -- people who provide data, employees in the field who collect data, employees in the operations centers that process and store data, employees who deal with customers, and customers/users of D&B's business data.

The successful training of employees depends upon starting with a core skill set and applying a certification process. The company balances the two issues of experience level and existing training of the employee with the type of report or data for which he or she is responsible. For example, the front-line data collectors -- business analysts -- are responsible for gathering facts about a business, understanding and properly weighing the significance of those facts and preparing the initial report or updating an existing one about a business. These data collectors typically possess a degree in accounting or finance, and have relevant core skills and experience to perform their duties successfully. Within their first year, the training includes a curriculum of over 70 formal courses, tiered into two phases, which conclude with formal certifications. For other employees, such as support personnel or individuals in tele-centers, the training is tailored to their duties and experiences.

F. Assignment of Functional Responsibility

Relevant functional responsibility exists in all aspects of Dun & Bradstreet's data collection, processing and dissemination activities. For example, within the General Counsel's office is a designated lawyer with global responsibility for the company's data protection policies. This individual's working knowledge of the business, and data protection and its importance are reflected in a broad array of publications, including numerous US and international law journals.

Operationally, each issue covered above is overseen by a senior manager and field team, with audit tools to insure full compliance with the practices.

IV. Options for Data Protection Practices and Rationale for D&B's Approach

Dun & Bradstreet's data protection practices in the US long predate the European Union Data Protection Directive. These practices, as noted previously, exist because "it is good business." We continually evaluate existing and proposed instruments around the world -- those from the countries in which we operate and elsewhere. The complexity of the data we collect, the stated purposes for which they are collected and made available, the existing federal and state laws of the US, the expectations and needs of the US business community and economy, and the resources necessary to fulfill a role first established 155 years ago have been well served by comprehensive self-regulation.

Dun & Bradstreet's practices, much as the authors of the EU Directive sought, attempt to draw together provisions that strike a desirable balance between the interests of data subjects and the information needs of society. The data subject here is a business and its owners or principals, and the information user is the business' trading partner.

While reasons of confidentiality preclude discussion of the actual cost-benefit analyses associated with the practices chosen, some of the attendant qualitative reasons are noteworthy:

Strict controls over the access and dissemination of data increase the ability to protect intellectual property rights.

Disclosing to data subjects and other providers of information the purpose for which data are collected maximizes their willingness and desire to provide such data. The cooperation increases data coverage, accuracy and completeness.

Insuring employees are knowledgeable about and accountable to strict confidentiality standards maintains the integrity of the systems and trust by data subjects.

V. Summary and Conclusions

Are data protection practices good for individuals? Yes.

Are they good for business? Yes.

The data protection practices applied by Dun & Bradstreet on a self-regulatory basis closely parallel the measures sought by national instruments. They address dissemination controls; data accuracy, currency and relevance; notification to data subjects; data subject rights for access, correction and distribution restrictions; training; documentation; management responsibility; and employee accountability. The company benefits enormously from these measures as they facilitate the most complete data possible, superior data accuracy and trusted business relations.

We believe that it is the private sector's responsibility to take a leadership role in the application of data protection practices and to work with the government in developing solutions that serve the needs of the US and its trading partners.

1. DATA PRIVACY LAW: A Study of United States Data Protection, Schwartz, Paul M., and Reidenberg, Joel R., Page 287, MICHIE, c.1996.

2. While the United States does not have an omnibus data protection law, it does have a broad portfolio of sectoral laws, including the Fair Credit Reporting Act (15 U.S.C. 1681), which applies to reports on consumers, not reports on businesses, such as those produced by Dun & Bradstreet.

3. This quotation and other similarly noted quotations are taken directly from company documentation referenced in Section III.E, Documentation and Training.