Safeguarding, Processing, and Storing Privacy Data

Controls must be rigidly applied to the enterprise's data center, affecting both employees with legitimate data access and those who would attempt unauthorized access. Information privacy procedures should also give the individuals the data describes access to it. These are a few best practices relevant to data privacy:

  • Data collection must be lawful and fair. Information collected from individuals and business entities must be lawful in purpose and relevant to the function for which it is being collected.

  • There should be an established mechanism for individuals and organizations to discover what information is in the record, how it is being used, and to whom it is being disclosed, together with the ability to limit that disclosure and use. This means how the information is actually being used and distributed, not merely how it is intended to be used. There should be a mechanism for an individual to prevent information that was obtained for one purpose from being used or made available for other purposes without her informed consent. There must also be an avenue allowing individuals and organizations to correct, amend, or modify all relevant records. Any organization collecting, maintaining, storing, using, or disclosing records of personal data should ensure the reliability of the data for its intended use and exercise adequate due diligence to prevent misuse.

  • Consent. At the time data is being collected from persons and organizations, they should be advised about the purposes for which the data is being collected, the conditions under which the data is collected, and which other parties will have access to the data.

  • Quality. Organizations must take reasonable steps to ensure that collected data are accurate, relevant, and do not intrude into areas outside their stated purposes. In essence, this is data minimization, a restatement of the "least privilege" concept: organizations must not collect more information than is absolutely necessary to deliver their goods or services, and this should be clearly stated in their privacy policy. Persons and entities providing data should be advised under which provisions they may access their data for the purposes of limiting access or use, or of making corrections.

  • Data disclosure. Organizations must not use personal or other proprietary data for purposes other than those stated in their policy. Organizations must not divulge protected information unless the person or organization consents or the disclosure is authorized by law.

  • Privacy enforcement. Data being collected and transmitted to relevant entities must be constrained by stated policies and procedures. There must be vigorous steps to ensure that data are used in the fashion stated, and nothing more. Auditing steps should be taken to ensure compliance with these policies.

Nonconsent Information Use

Using or disclosing information about someone without their consent or knowledge is not necessarily a violation of their privacy. For example, if Alice buys a new car, a brand name 4×4 Zoomie, she registers the car at the Department of Motor Vehicles knowing those records are publicly available. Publicly, she is seen driving this 4×4 Zoomie on a daily basis. Does she have a reasonable expectation of privacy when the Zoomie dealership sells her name to advertisers targeting consumers of this class of vehicle? No, she does not. However, if the dealership disclosed the financial data Alice provided in her credit application, that would be a potentially unlawful act, because she does have an expectation of privacy in her financial dealings. They are not public information. She does not display her financial status for public review; it is her business and she is entitled to keep her information private.

That information is public does not entitle others to use it to inflict or threaten harm, and misuse or improper disclosure of information can lead to civil liability. If Alice discovers some facts about Bob, those facts do not entitle her to every fact about him. When individuals or organizations provide information to third parties in confidence, they have a right to expect that it be protected as private information.

In this vein, it is the responsibility of data receivers to determine which information is private and which is not. Facts already available to the public, or to a significantly large portion of it, may not require privacy protection, and organizations can use and transmit information of this nature without the individual's consent or knowledge. In most settings, individuals have the right to know why their information is collected and how it is going to be used, to make corrections, and to limit to whom it is going to be disseminated. However, the property rights extended to this data may limit the owner's right to confidentiality, depending on how much of the information is already in the public domain.

Employee Privacy Training

Training employees in the nature and risks surrounding privacy is critical to all organizations. Training programs targeting end users about existing policies and procedures will go a long way to providing a sound basis of understanding before granting them access to sensitive information. Refresher training serves to update employees who already have access with changes in policies, procedures, and the law. Such training provides the opportunity for situational role playing, where they learn to deal with real-life problems in a controlled setting. Employees transferring to a new business unit should receive proper training before data access is granted, ensuring continuity of privacy protection. The challenge facing trainers lies in how they deliver their message. Using tired handouts and boring formal presentations and lectures to teach privacy policies can be tedious and unproductive. Educators should be innovative in their approaches by reaching and involving their audiences. Using case studies, group participation, and practical exercises can go a long way to holding trainees' attention while delivering the message.

Training can also take the form of informal or spontaneous chats between employees. Many organizations have initiated and developed training programs based on mentors and other knowledgeable persons who, through a process of socialization, share their experiences. Although this is a gentler and kinder way to impart knowledge, it has a few pitfalls: it is hard to document that training has actually taken place, who attended, and how effective it was.

Another area of concern in the informal training arena is that of bad habits being passed from senior employees to others. Because there is no check on the correctness of the information being disseminated, misinformation and poor policy understanding can become part of a new employee's orientation.

Privacy Training Best Practices

Here are some suggestions for privacy training best practices:

  • Deliver a basic summary of the organization's vision and mission. Include relevant but not overly detailed explanations of how privacy forms part of the organization's critical asset protection.

  • Provide succinct summaries of applicable laws, regulations, and the organization's policies and procedures. Much of this material can be made available on the business's internal network (intranet) so that employees may browse it at their leisure. Collecting signed acknowledgements from participating employees is a good idea for future audits.

  • Provide training about the data's life cycle: why specific data is collected, its processing, its storage, and its disposal.

  • Provide a relevant contact list so attendees know who to contact if they have a question.

Handling Privacy in Supply Chains

E-commerce companies frequently offer what appears to be one-stop shopping with ordering, shipping, and billing services. From the outside, the world sees that the Web site provides all these features, when in fact many of these services may actually be performed by other companies under contract. For the purpose of understanding, networks of businesses that participate in such relationships are termed supply chains. In order to do business, companies are often required to pass along a customer's information to suppliers of goods or services so that orders can be placed and filled. Providers of those contracted goods and services are in turn responsible for the protection and security of information they receive during the course of business.

Good privacy procedures require organizations to ensure they collect only the minimum amount of information necessary to process transactions. Receivers of a customer's information are responsible for how that information is transmitted to third parties and for ensuring that those third parties handle the data consistently with the original business's policies and procedures. Businesses that transmit client data to their partners must take appropriate steps to ensure that third parties take reasonable precautions to safeguard that data from misuse, unauthorized access, disclosure, modification, and destruction.

Sound business privacy practices will disclose to customers the types of information that are going to be disclosed to third parties and how it is going to be used by them. In most cases, disclosing how the information will flow from one business to another in the supply chain would be considered prudent. As part of the working relationship between partners, an agreement is made ensuring that the data receivers will provide the same level of privacy protection as the original receiver. Of course, these agreements must be in the form of a contract and must be executed by the appropriate levels of senior management.

There are several areas of concern when making such agreements:

  • Within the participating business entities, what is the actual level of data privacy protection?

  • How are levels of privacy protection going to be audited? Who is going to conduct the audits? Are the results of these audits going to be made available to the other partners? What is the frequency of such audits?

  • Which of the business partners is going to bear the expense of legal action?

  • When a new supply chain participant enters, which of the partners is required to approve their admission to the supply chain?

Individual business partners should receive the same level of scrutiny that is applied to large supply chain systems, regardless of size and sponsorship. Agreements and contracts must detail a set of mutually agreed policies and procedures establishing the collection, processing, storage, and distribution of data. Each supply chain affiliate should provide a comprehensive report on data usage and data flow to all other parties. Reports of data collection and distribution should be collected from all parties in the supply chain, even those that do not have a direct relationship with one another. This report becomes particularly important should a supply chain member use contractors. Tracking and documenting how all parties treat data might provide the basis for a strong defense should legal action be pursued.

Ownership of business partners changes often with mergers, acquisitions, closures, and bankruptcies. Supply chain members changing ownership or going out of business can have serious consequences on your ability to deliver goods and services and should be addressed by contingency plans. There is also the potential for disaster when a company's structure changes and due diligence in handling data privacy is jeopardized; at that point the financial risk to every member of the supply chain escalates. It should be the combined responsibility of the supply chain members to monitor ownership and the status of lawsuits, as these events may affect data privacy. For these reasons, data privacy agreements must be in the form of enforceable contracts applicable to all relevant third parties.

Auditing privacy management procedures might be accomplished by creating ghost personalities and accounts and placing orders that are going to be handled by the supply chain. Experienced auditors will direct their efforts to test goods and services that are delivered by all members of the supply chain and their subcontractors. Steps such as these test and assess internal processes and business practices. If an audit account is established and there is an increase of spam or unsolicited junk mail at the address designated as the receiver, it is likely that the account's data has been compromised. With a bit of detective work, and depending on the length of the supply chain, it is possible to locate the "leak."
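The ghost-account audit described above, as an added example that is not part of the original text: it seeds one distinct audit identity per supply chain member (going a little beyond the single audit account the text describes, so the leaking hop can be read off directly rather than by detective work) and then attributes unsolicited mail arriving at those identities back to the member that received them. It assumes the auditors control a mailbox domain that supports plus-addressing (user+tag@domain); the domain, HMAC key, partner names, sender domains and message headers are all constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed values: use a mailbox domain the auditors control and keep
# the key outside the code base in a real audit.
AUDIT_DOMAIN = "audit-example.test"
CANARY_KEY = b"constructed-audit-key-do-not-reuse"

# Constructed partner list: member name -> sender domains it legitimately
# uses to write to customers (order confirmations, invoices, tracking).
PARTNERS = {
    "Fulfilment Co": {"fulfilment.example"},
    "Billing Partner": {"billing.example"},
    "Courier": {"courier.example"},
}


@dataclass(frozen=True)
class Canary:
    partner: str                 # member that was given this identity
    email: str                   # address seeded only through that member
    expected_senders: frozenset  # domains allowed to mail it


def canary_address(partner: str, key: bytes = CANARY_KEY) -> str:
    """Derive a per-partner plus-address. The HMAC tag is unguessable, so
    mail to it can only have come from data given to that partner."""
    tag = hmac.new(key, partner.encode(), hashlib.sha256).hexdigest()[:10]
    return f"audit+{tag}@{AUDIT_DOMAIN}"


def seed_canaries(partners: dict) -> dict:
    """One ghost identity per member; place one order through each."""
    return {
        name: Canary(name, canary_address(name), frozenset(domains))
        for name, domains in partners.items()
    }


def _addr(header: str) -> str:
    # Handles both "Alice <a@b>" and bare "a@b"; compare case-insensitively.
    return parseaddr(header)[1].lower()


def attribute_leak(messages, canaries: dict) -> dict:
    """Return {partner: [messages]} for every canary address that received
    mail from a sender outside the partner's expected domains."""
    by_addr = {c.email.lower(): c for c in canaries.values()}
    suspects = {}
    for msg in messages:
        canary = by_addr.get(_addr(msg["to"]))
        if canary is None:
            continue  # not one of our seeded identities
        sender_domain = _addr(msg["from"]).rsplit("@", 1)[-1]
        if sender_domain in canary.expected_senders:
            continue  # legitimate traffic, e.g. a shipping notification
        suspects.setdefault(canary.partner, []).append(msg)
    return suspects


def summarize(suspects: dict) -> list:
    """(partner, unsolicited message count), most suspicious first."""
    return sorted(((p, len(m)) for p, m in suspects.items()),
                  key=lambda pc: -pc[1])


def sample_messages(canaries: dict) -> list:
    """Constructed inbound mail log for the demonstration."""
    f = canaries["Fulfilment Co"].email
    b = canaries["Billing Partner"].email
    return [
        {"to": f, "from": "orders@fulfilment.example", "subject": "Order shipped"},
        {"to": f, "from": "deals@spamhouse.example", "subject": "50% off"},
        {"to": f"Audit Persona <{f.upper()}>", "from": "promo@another-list.example",
         "subject": "You have been selected"},
        {"to": b, "from": "invoice@billing.example", "subject": "Invoice 1"},
        {"to": "someone-else@" + AUDIT_DOMAIN, "from": "deals@spamhouse.example",
         "subject": "50% off"},
    ]


if __name__ == "__main__":
    cans = seed_canaries(PARTNERS)
    for partner, count in summarize(attribute_leak(sample_messages(cans), cans)):
        print(f"{partner}: {count} unsolicited message(s) at {cans[partner].email}")
```

A canary only identifies the hop it was seeded through: if a member passes the identity on to a subcontractor, mail attributed to that member may originate with the subcontractor, which is one reason the text asks that data-flow reports cover parties with no direct relationship to one another. Seeding a separate identity per hop, where the contracts allow it, removes that ambiguity.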

Another audit technique employs social engineering: the auditor contacts members of the supply chain and attempts to buy the customer list or other information. In order to ensure the integrity of data privacy, auditors should regularly test each member of the supply chain to determine whether it will sell, rent, or trade data that should be kept private.

If problems are identified with supply chain members disclosing information, they should be addressed immediately in the manner detailed in the agreement or contract. Not surprisingly, it will likely be a matter for the legal unit to handle in consultation with other senior managers. Removing a member from the supply chain can have far-reaching ramifications, and risk management programs should address such contingencies. However, if a customer files a legal action as a result of a violation of privacy, the potential results can devastate all members of the business chain.

Privacy Expectations

Privacy is a buzzword tossed around in the news currently, leaving the public and organizations confused and unable to decide whether they are entitled to privacy. Challenges currently face businesses and governments to decide privacy entitlements when weighed on balance with national security concerns.

Free and democratic societies are characterized by full legal privacy protection extended to choices, possessions, and persons. As social expectations rise, personal rights include the right to be "let alone." This right to be let alone is an essential definition of personal privacy and found early expression in Samuel Warren and Louis Brandeis's 1890 article "The Right to Privacy" in the Harvard Law Review.

The Bill of Rights guarantees, among other things, the rights of expression and association without having to answer to anyone. People have the right to privacy; that is, the right to be left alone in their lawful thoughts, activities, and expressions. Integral to collective freedom is the right to privacy and ownership regarding personal information. People are the owners of their information and only they can determine who has a legal right to see and use their property. For example, a person applying for a library card at a private institution completes a form with his name, date of birth, address, social security number, and e-mail address. Accompanying the application is a statement giving the reasons for collecting this information. This statement does not warn that the collected information is going to be sold. Applicants might expect the institution to treat their information confidentially. However, when the new library cardholder begins to receive unsolicited advertising, he soon realizes his information was sold by the library.

Governments must temper their voracious personal information needs with laws respecting individual privacy. Through individual interaction with government agencies involved with mail, taxes, property ownership, driver licensing, and pet and vehicle registration, governments at all levels are collecting vast amounts of information about their citizens. If not carefully and lawfully used, this information cannot be protected from the bias, scrutiny, and judgment of unqualified officials.

Businesses have been collecting information about their customers, using it for every imaginable purpose. At times, providers of personal information are completely oblivious to its use and dissemination. For example, in the case of customer loyalty cards offered by merchants, persons making purchases are given discounts by showing their membership cards initially obtained by providing personal information. Each time a customer wants a discount, the membership card is shown. All purchases made by that customer are attributed to the name and identification number on the discount card. The merchant sells the collected purchase and customer information to vendors who then target the individual with selected advertising, and the merchant uses the revenue to offset the customer's discount.

With this process in mind, imagine this scenario: a customer is suspected of unethical acts by her employer. Pursuant to legal action by her employer, her membership card purchases, relevant or not, are obtained and made public through legal processes, causing significant embarrassment to her and her family.

Information Ownership

Information privacy is tied to information ownership. In many cases, it is easy to identify information ownership; however, in many cases, information does not belong exclusively to the individual as ownership passes to organizations and government entities.

Information Vulnerability in the Organization

All organizations are vulnerable to threats resulting from the compromise of personal information in their custody, even institutions that think they do not have sensitive information.


Experience Note

While engaged in a practical exercise, student auditors were tasked with performing an audit on a local library in order to gain experience. One of the students, a young woman, could not see the reason for auditing public libraries because she believed they "did not have anything of value that could be exploited." Nevertheless, the instructor urged her to complete the assignment. During the audit, she discovered a spreadsheet on one of the library employees' workstations. She checked with the audit manager and the library's lawyer and determined that employees did not have a reasonable expectation of privacy on their workstations. Workstations were to be used for official use only, and the spreadsheet software was not authorized. The student auditor opened the spreadsheet and saw an impressive list of books that had been checked out by local dignitaries. Each of the book titles dealt with subjects that, if made public, could possibly embarrass the readers and their families due to local community values. The workstation was assigned to a single employee and required login before use, and the audit logs showed that only this particular employee had been using it. The audit manager presented the results to the library director, who questioned the employee. Subsequently, the employee was dismissed.

Certainly, one of the greatest vulnerabilities within an organization is the lack of understanding of the types of information the organization has collected:

  • Under which circumstances and representations was the information collected?

  • How is that information being used?

  • To whom is that information being transmitted?

  • How is that information being stored?

  • Who has access, authorized or not, to that information?

Many businesses have no idea how much data they collect, nor do they realize the damage that can be done when this information is lost or compromised.

Threats to Information Privacy

In essence, there are three fronts assaulting information privacy:

  1. Willful or negligent misuse or theft of information

  2. Unauthorized information disclosure or dissemination

  3. Interaction of professionals and access to the organization's information assets

In the first case, malicious employees and outsiders target the theft of client lists, intellectual property, trade secrets, and the like. In the second case, individuals who have legitimate access to information do not exercise due care and inadvertently share it with unauthorized individuals who have malicious intentions. In the last case, professionals interested in sharing with others to solve problems can often be manipulated into delivering sensitive information.


Experience Note

The question most often asked of privacy professionals is "Isn't it the job of law enforcement authorities to provide information privacy protection?" Law enforcement authorities can generally do very little to protect information privacy; it is outside their legal mandate. They are responsible for investigating allegations and collecting evidence of unlawful acts. It is not the responsibility of law enforcement agencies to protect private information; rather, these obligations rest with the individual and the organization.
