The model of privacy threats
In today's computerized world we cannot expect others to protect our privacy. In order to protect privacy, we must operate under the following assumptions:
(Persistence) Whenever data about certificate holders can be collected, it will be collected and stored indefinitely (if only because not collecting data that can so easily be collected must be considered a waste of resources). Every piece of information that is electronically submitted is there for the public record, even though the sender rarely intends the data to endure forever.
(Loss of Control) Once made available, disclosed data will inevitably be used for purposes (not necessarily known at the time of the collection) beyond the purpose for which it was disclosed. Underlying this assumption is the premise that the mere existence of something is sufficient to tempt people to use it in whatever way they see fit to suit their needs and desires. The public and private sector will inevitably find new uses to improve the efficiency, security, or reach of their operations; forgoing opportunities can easily result in a loss of competitive edge. Law enforcement agencies will inevitably seek access to the data in the belief that it will help their investigative practices.
(Linkability) Data disclosed in one transaction will inevitably be linked to data disclosed in other transactions (if not for reasons related to security then for marketing, inventory management, or efficiency purposes), unless the cost of linking outweighs the benefits. With the trend, or at least the capability, of organizations to merge their databases at ever-decreasing cost, it is naive to believe that linkable data that is submitted to different locations will remain unlinked.