Controls must be rigidly applied to the enterprise's data center, affecting both employees with legitimate data access and those who would attempt unauthorized access. Information privacy procedures should also give the individuals whom the data concerns access to it. These are a few best practices relevant to data privacy:
- Lawful and fair collection. Information collected from individuals and business entities must be lawful in purpose and relevant to the function for which it is being collected.
- Openness. There should be an established mechanism for individuals and organizations to discover what information is in the record, how it is being used, and to whom it is being disclosed, together with the ability to limit that disclosure and use. This means how the information is actually being used and distributed, not merely how it is intended to be used. There should be a mechanism for an individual to prevent information that was obtained for one purpose from being used or made available for other purposes without her informed consent. There must also be an avenue allowing individuals and organizations to correct, amend, or modify all relevant records. Any organization collecting, maintaining, storing, using, or disclosing records of personal data should ensure the reliability of the data for its intended use and exercise adequate due diligence to prevent misuse.
- Consent. At the time data is being collected from persons and organizations, they should be advised of the purposes for which the data is being collected, the conditions under which it is collected, and which other parties will have access to it.
- Quality. Organizations must take reasonable steps to ensure that collected data are accurate, relevant, and do not intrude into areas outside their stated purposes. In essence, this is a restatement of the "least privilege" concept: organizations must not collect more information than is absolutely necessary to deliver their goods or services, and this should be clearly stated in their privacy policy. Persons and entities providing data should be advised under which provisions they may access their data for the purposes of limiting access or use, or making corrections.
- Data disclosure. Organizations must not use personal or other proprietary data for purposes other than those stated in their policy. Organizations must not divulge protected information without the consent of the person or organization concerned, unless authorized by law.
- Privacy enforcement. Data being collected and transmitted to relevant entities must be constrained by stated policies and procedures. There must be vigorous steps to ensure that data are used in the stated fashion, and nothing more. Auditing steps should be taken to ensure compliance with these policies.
Nonconsent Information Use
Using or disclosing information about someone without their consent or knowledge is not necessarily a violation of their privacy. For example, if Alice buys a new car, a brand name 4×4 Zoomie, she registers the car at the Department of Motor Vehicles knowing those records are publicly available. Publicly, she is seen driving this 4×4 Zoomie on a daily basis. Does she have a reasonable expectation of privacy when the Zoomie dealership sells her name to advertisers targeting consumers of this genre of vehicles? No, she does not. However, if the dealership disclosed the financial data Alice provided in her credit application, then that would be a potentially unlawful act because she does have an expectation of privacy in her financial dealings. They are not public information. She does not display her financial status for public review; it is her business and she is entitled to keep her information private.
That information is public does not license others to use it to inflict or threaten harm, and misuse or improper disclosure of information can lead to civil liability. If Alice discovers some facts about Bob, those facts do not grant her the right to know all facts about him. When individuals or organizations provide information to third parties in confidence, they have a right to expect that it be protected as private information.
In this vein, it is the responsibility of data receivers to determine which information is private and which is not. There may be facts that are available to the public, or to a significantly large portion of the public, that preclude the need for privacy. Organizations can use and transmit information of this nature without the individual's consent or knowledge. In most settings, individuals have the right to know why their information is collected and how it is going to be used, to make corrections, and to limit to whom it is going to be disseminated. However, the property rights extended to this data may limit the owner's right to confidentiality, depending on how much of the information is already in the public domain.
Employee Privacy Training
Training employees in the nature and risks surrounding privacy is critical to all organizations. Training programs that teach end users the existing policies and procedures will go a long way toward providing a sound basis of understanding before they are granted access to sensitive information. Refresher training serves to update employees who already have access on changes in policies, procedures, and the law. Such training also provides the opportunity for situational role playing, where employees learn to deal with real-life problems in a controlled setting. Employees transferring to a new business unit should receive proper training before data access is granted, ensuring continuity in privacy. The challenge facing trainers lies in the way they deliver their message. Using tired handouts and boring formal presentations and lectures to teach privacy policies can be tedious and unproductive. Educators should be innovative in their approaches, reaching and involving their audiences. Case studies, group participation, and practical exercises can go a long way toward holding trainees' attention while delivering the message.
Training can also take the form of informal or spontaneous chats between employees. Many organizations have developed training programs based on mentors and other knowledgeable persons who, through a process of socialization, share their experiences. Although this is a gentler and kinder way to impart knowledge, it has a few pitfalls: it is hard to document that training has actually taken place, who attended, and how effective it was.
Another area of concern in the informal training arena is that of bad habits being passed from senior employees to others. Because there is no test of the correctness of the information being disseminated, it is possible that misinformation and a poor understanding of policy become part of a new employee's orientation.
Privacy Training Best Practices
Here are some suggestions for privacy training best practices:
- Deliver a basic summary of the organization's vision and mission. Include relevant but not overly detailed explanations of how privacy forms part of the organization's critical asset protection.
- Provide succinct summaries of applicable laws, regulations, and the organization's policies and procedures. Much of this material can be made available on the business's internal network (intranet), where employees may browse it at their leisure. Collecting signed acknowledgements from participating employees is a good idea for future audits.
- Provide training about the data's life cycle: why specific data is collected, how it is processed, how it is stored, and how it is disposed of.
- Provide a relevant contact list so attendees know whom to contact if they have a question.
Handling Privacy in Supply Chains
E-commerce companies frequently offer what appears to be one-stop shopping with ordering, shipping, and billing services. From the outside, the world sees that the Web site provides all these features, when in fact many of these services may actually be performed by other companies under contract. For the purpose of this discussion, networks of businesses that participate in such relationships are termed supply chains. In order to do business, companies are often required to pass along a customer's information to suppliers of goods or services so that orders can be placed and filled. Providers of those contracted goods and services are in turn responsible for the protection and security of the information they receive during the course of business.
Good privacy procedures require organizations to ensure they collect only the minimum amount of information necessary to process transactions. Receivers of a customer's information are responsible for seeing how that information is transmitted to third parties and for ensuring those third parties handle the data consistently with the original business's policies and procedures. Businesses that transmit client data to their partners must take appropriate steps to ensure that third parties take reasonable precautions to safeguard that data from misuse, unauthorized access, disclosure, modification, and destruction.
Sound business privacy practices disclose to customers the types of information that are going to be passed to third parties and how it is going to be used by them. In most cases, disclosing how the information will flow from one business to another in the supply chain would be considered prudent. As part of the working relationship between partners, an agreement is made ensuring that the data receivers will provide the same level of privacy that the original receiver provided. Of course, these agreements must be in the form of a contract and must be executed by the appropriate levels of senior management.
There are several areas of concern when making such agreements:
- Within the participating business entities, what is the actual level of data privacy protection?
- How are levels of privacy protection going to be audited? Who is going to conduct the audits? Are the results of these audits going to be made available to the other partners? What is the frequency of such audits?
- Which of the business partners is going to bear the expense of legal action?
- When a new supply chain participant enters, which of the partners is required to approve its admission to the supply chain?
Individual business partners should receive the same level of scrutiny that is applied to large supply chain systems, regardless of their size and sponsorship. Agreements and contracts must detail a set of mutually agreed policies and procedures establishing how data are collected, processed, stored, and distributed. Each supply chain affiliate should provide a comprehensive report on data usage and data flow to all other parties. Reports of data collection and distribution should be collected from all parties in the supply chain, even those that do not have a direct relationship with one another. This report becomes particularly important should a supply chain member use contractors. Tracking and documenting how all parties treat data may provide the basis for a strong defense should legal action be pursued.
Ownership of business partners changes often with mergers, acquisitions, closures, and bankruptcies. Supply chain members changing ownership or going out of business can have serious consequences for your ability to deliver goods and services, and this should be addressed by contingency plans. There is also potential for disaster when a company's structure changes and its due diligence in handling data privacy is jeopardized; at that point, financial risks affecting all members of the supply chain escalate. It should be the combined responsibility of the supply chain members to monitor ownership changes and the status of lawsuits, as these events may affect data privacy. For these reasons, data privacy agreements must be in the form of enforceable contracts applicable to all relevant third parties.
Auditing privacy management procedures might be accomplished by creating ghost personalities and accounts and placing orders that are going to be handled by the supply chain. Experienced auditors will direct their efforts at testing goods and services that are delivered by all members of the supply chain and their subcontractors. Steps such as these test and assess internal processes and business practices. If an audit account is established and there is an increase in spam or unsolicited junk mail at the address designated as the receiver, it is likely that the account's data has been compromised. With a bit of detective work, and depending on the length of the supply chain, it is possible to locate the "leak."
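The "detective work" of locating a leak is much easier if each ghost account is unique to one partner, so that a hit on that address points straight at the partner (or its subcontractors) that received the record. The following is an added example written for this page, not part of the original text: it issues one canary e-mail address per partner per audit order, keyed by an HMAC so the addresses cannot be guessed by an address probe, and then attributes unsolicited mail received at those addresses back to the partner whose canary it was. The audit domain, partner names, secret key, and inbound messages are all constructed placeholders.

```python
"""Canary (ghost) identities for auditing data flow through a supply chain.

Added example, not from the original text. Assumes the auditor controls a mail
domain (the placeholder 'audit.example') and can list which addresses at that
domain received unsolicited mail. Partner names, the key, and the sample
inbound recipients below are constructed for illustration.
"""
import hashlib
import hmac
import re
from collections import Counter
from dataclasses import dataclass

AUDIT_DOMAIN = "audit.example"              # placeholder domain owned by the auditor
SECRET_KEY = b"constructed-audit-secret"     # constructed; keep real keys out of source
PARTNERS = ["fulfilment-co", "billing-co", "shipping-co"]  # constructed partner names


@dataclass(frozen=True)
class Canary:
    partner: str   # supply chain member that received this ghost record
    order_id: str  # audit order placed with that member
    email: str     # unique address seeded into the record


def canary_tag(partner: str, order_id: str, key: bytes = SECRET_KEY) -> str:
    """Short HMAC tag binding a canary to (partner, order).

    Because the tag is keyed, a third party cannot enumerate valid audit
    addresses; mail arriving at a valid tag therefore indicates the record
    itself was passed on, not that the address was guessed.
    """
    msg = f"{partner}|{order_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:10]


def make_canary(partner: str, order_id: str) -> Canary:
    tag = canary_tag(partner, order_id)
    return Canary(partner, order_id, f"audit-{tag}@{AUDIT_DOMAIN}")


# Matches the canary address shape; case-insensitive because mail systems
# frequently change the case of local parts and domains.
ADDR_RE = re.compile(rf"audit-([0-9a-f]{{10}})@{re.escape(AUDIT_DOMAIN)}", re.I)


def attribute_leaks(canaries, inbound_recipients):
    """Map recipient addresses of unsolicited mail back to partners.

    Returns (hits per partner, addresses that matched no issued canary).
    Unknown addresses are kept rather than dropped: they may be stale
    canaries from an earlier audit cycle or ordinary spam, and both are
    worth a look.
    """
    by_tag = {canary_tag(c.partner, c.order_id): c for c in canaries}
    hits = Counter()
    unknown = []
    for addr in inbound_recipients:
        m = ADDR_RE.fullmatch(addr.strip())
        if m and m.group(1).lower() in by_tag:
            hits[by_tag[m.group(1).lower()].partner] += 1
        else:
            unknown.append(addr)
    return hits, unknown


def demo():
    """One audit order per partner, then a constructed batch of inbound mail."""
    canaries = [make_canary(p, f"ORD-{i:04d}") for i, p in enumerate(PARTNERS, 1)]
    # Constructed sample: recipients of unsolicited mail seen at the audit domain.
    inbound = [
        canaries[0].email,             # fulfilment-co canary, hit twice
        canaries[0].email.upper(),     # same canary, case-mangled in transit
        canaries[2].email,             # shipping-co canary, hit once
        f"audit-0000000000@{AUDIT_DOMAIN}",  # well-formed but never issued
        "alice@audit.example",         # ordinary spam to a non-canary address
    ]
    return attribute_leaks(canaries, inbound)


if __name__ == "__main__":
    hits, unknown = demo()
    for partner, n in hits.most_common():
        print(f"{partner}: {n} unsolicited message(s) to its canary")
    print("unmatched addresses:", unknown)
```

In practice the canaries would be rotated per audit cycle and, where a member uses subcontractors, a hit on that member's canary narrows the leak to the member and its downstream contractors; the data-flow reports the text describes then show which of them actually handled the record.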
Another audit technique employs social engineering: the auditor contacts members of the supply chain and attempts to buy the customer list or other information. To ensure the integrity of data privacy, auditors should regularly test each member of the supply chain to determine whether it will sell, rent, or trade data that should be kept private.
If problems are identified with supply chain members disclosing information, they should be addressed immediately in the manner detailed in the agreement or contract. Not surprisingly, this will likely be a matter for the legal unit to handle in consultation with other senior managers. Removing a member from the supply chain can have far-reaching ramifications, and risk management programs should address such contingencies. However, if a customer files a legal action as a result of a violation of privacy, the potential results can devastate all members of the business chain.