If Jane Doe registers online for your meeting and she provides an e-mail address to receive updates, will she also receive solicitations from the hotel to join a frequent-guest program? Does she know that the credit card number she supplied to reserve her room could end up on a rooming list fax? And would she be concerned to learn that her private information is still filed in a box five years later?

Lax practices can cause an attendee's personal information to be used in unexpected ways or, worse, be exposed to theft. In the meetings and hospitality industry, data passes like a hot potato from meeting planner to registration contractor to housing bureau to hotelier. Privacy policies and practices are not enough to reduce your exposure to risk. When you contract with third parties, include a contract clause that passes along the responsibility for safeguarding confidential information.

“Data collected about attendees ought to be treated as confidential information,” says James M. Goldberg of Goldberg & Associates PLLC, a Washington, D.C., law firm serving associations and nonprofits. “I put in a confidentiality clause that says anything we give you belongs to us, is confidential, and you can't use it for any purpose other than the purpose for which we're giving it to you. When the contract is over, you have to give us the data back.”

If the contract is with Starwood Hotels and Resorts, that clause might not fly. As Dave Scypinski, Starwood's senior vice president of industry relations in Washington, D.C., explains, confidentiality clauses are too broad because they don't distinguish confidential information, such as e-mail addresses, from nonconfidential information, such as room setup plans. The solution: If it's confidential, don't share it.

“We want the minimum amount of information we need to do our jobs,” Scypinski says. “We don't need a rooming list with addresses, credit card numbers, and phone numbers. We would rather not have that, because we become responsible for it.” If a meeting planner does pass along such information, there's a clause to cover it. Starwood's group booking contract states that, to the extent planners provide personally identifiable information, they represent that they have the right to do so, he says.

Therein lies the sticky issue for privacy protection. When you collect information from attendees, you must advise them that their information may be shared and get their permission to do so. Under online privacy protection laws now or soon to be in effect in 23 states, anyone who collects personal information online must state and enforce a privacy policy. If that information is compromised by a security breach — or carelessness — they must notify the people whose information was exposed.

Since California enacted the first online privacy protection act in 2003, more than a dozen bills have been introduced in Congress that would supersede existing state laws. Soon, online privacy protection may be a federal mandate. Here are some steps you can take to protect the privacy of your meeting participants.

At Collection Points

The California Online Privacy Protection Act defines “personally identifiable information” (known as PII) as including:

  • first and last name

  • physical address with city and street

  • e-mail address

  • phone number

  • Social Security number

  • any other identifier that permits a person to be contacted in person or online — such as credit card number and driver's license number.

If you collect any of this information from your attendees, then you must protect it.

TRUSTe, an independent nonprofit organization dedicated to online privacy protection, recommends sketching a personal information flow chart to determine who comes into contact with the data, how it is shared outside your organization, how it is stored, and how it is archived or destroyed. Then you can be sure that you have data-handling policies in place to keep that information safe.

Posting your privacy policy on the meeting registration Web site is the first step to getting informed consent from attendees to collect, share, and save their personal information. When attendees register for the Computer Security Institute's annual conference, a privacy policy is disclosed through a link at the bottom of the page, as well as on the registration form. In addition to their billing information, registrants can choose to provide information that helps CSI to plan programming. By opting in, they give explicit permission for CSI to save this information for future use, including communicating with them by e-mail.

“When you collect information from customers, the baseline expectation is that you'll be responsible about the information they shared with you,” says Robert Richardson, editorial director for CSI, Manhasset, N.Y.

Entrusted to Third Parties

From the time a member of the Chicago-based American Health Information Management Association pre-registers for the annual meeting to the time the registration database is disposed of seven years later, not even an e-mail address is shared without that member's permission. Members have password-protected access to their profiles and control what data is saved and shared.

“It's my responsibility to make sure we're not transferring confidential information to anyone,” says Kelly Fox, director of meetings and exhibits. When AHIMA works with suppliers, “we contractually tell them they can't share any member information in any way without our prior approval.” (Fox has since joined the Academy of General Dentistry.)

Review supplier contracts for clauses that expose your organization to risk, should personally identifiable information be compromised. For example, Starwood Hotels' group booking contract includes a “content clause” covering anything a customer gives the hotel to promote and manage a meeting. Starwood's Scypinski says it's intended to ensure that logos, music, photos, and other information are owned by the group and may be used by the hotel.

“Our clause says the information the group provides to the hotel is free and clear, and they have the rights and permissions to use that information,” Scypinski says. “The clause grants the right to use data for any lawful purpose, such as setting up registration.” Once an attendee checks in, the hotel then has the right to use their PII for business-related purposes such as marketing to Starwood preferred guests. Contrary to popular belief, “We don't sell that information or give it to someone for marketing purposes outside the hotel,” he says.

As Goldberg points out, the Starwood contract also includes an indemnification clause stating that the group will hold the hotel harmless for any claims that arise from the use of that information. If you're uncomfortable with that, he advises, “my first preference is to take out the whole provision. The next step would be to delete the indemnification part. An alternative is to modify it to say you can't share the data unless it's covered under a confidentiality agreement.”

After registration and attendance have been reconciled, and room-block pickup has been confirmed, collect the data from third parties and save only the information you need to plan future meetings. Archived information should be stored in a safe place, preferably off site.

“Data is active in our system for a time after the event for reconciliation activities and the historical reporting that needs to be done. After that, the database will be emptied and the historical data stored in managed, secure environments,” says Scott Tallarida, vice president of information technology for Travel Technology Group, a housing, registration, and event management company.

If privacy protection is expected, then higher-level security standards are required. This creates a new perspective on security, says Tallarida. “It helps get employees in the mind-set that every piece of customer data is a privacy concern.”

Editor's Note: Part II of this series will appear in our October issue.

What's Your Privacy Policy?

A privacy policy tells people how you use their information. According to TRUSTe, the Federal Trade Commission's Fair Information Practices are the closest thing to a standard for online privacy protection. Based on the principle of full disclosure, they include:

NOTICE. Disclose what personal information is collected and how it is used.

CHOICE. Allow people to choose how their information is used.

ACCESS. Give people access to the information once they have disclosed it.

SECURITY. Secure personal information so it stays private.

REDRESS. Enable people to resolve any problems that arise.

For more information, download “Your Online Privacy Policy” from TRUSTe.com. For a complete list of states with online privacy and/or security breach laws, contact Consumers Union (www.consumersunion.org).