Introduction
Many organizations find challenges in managing privacy on local, national, or international bases. Most are faced with a number of differing privacy laws and regulations whose requirements need to be operationalized.
Generally Accepted Privacy Principles (GAPP) has been developed from a business perspective, referencing some, but by no means all, significant local, national, and international privacy regulations. GAPP operationalizes complex privacy requirements into a single privacy objective that is supported by 10 privacy principles. Each principle is supported by objective, measurable criteria that form the basis for effective management of privacy risk and compliance in an organization. Illustrative policy requirements, communications, and controls, including monitoring controls, are provided as support for the criteria.
GAPP can be used by any organization as part of its privacy program. GAPP has been developed to help management create an effective privacy program that addresses privacy risks and obligations, and business opportunities. It can also be a useful tool to boards and others charged with governance and providing oversight. This introduction includes a definition of privacy and an explanation of why privacy is a business issue and not solely a compliance issue. Also illustrated is how these principles can be applied to outsourcing scenarios and the potential types of privacy initiatives that can be undertaken for the benefit of organizations and their customers.
This introduction and the set of privacy principles and related criteria that follow will be useful to those who
- oversee and monitor privacy and security programs.
- implement and manage privacy in an organization.
- implement and manage security in an organization.
- oversee and manage risks and compliance in an organization.
- assess compliance and audit privacy and security programs.
- regulate privacy.
Good privacy is good business. Good privacy practices are a key part of corporate governance and accountability. One of today’s key business imperatives is maintaining the privacy of personal information. As business systems and processes become increasingly complex and sophisticated, organizations are collecting growing amounts of personal information. As a result, personal information is vulnerable to a variety of risks, including loss, misuse, unauthorized access, and unauthorized disclosure. Those vulnerabilities raise concerns for organizations, governments, and the public in general.
Organizations are trying to strike a balance in the proper collection and use of their customers’ personal information. Governments are trying to protect the public interest and, at the same time, manage the cache of personal information they gather from citizens. Consumers are very concerned about their personal information, and many believe they have lost control of it. Furthermore, the public is significantly concerned about identity theft and inappropriate access to personal information, especially financial and medical records and information about children.
Individuals expect their privacy to be respected and their personal information to be protected by the organizations with which they do business. They are no longer willing to overlook an organization’s failure to protect their privacy. Therefore, all businesses need to effectively address privacy as a risk management issue. The following are specific risks of having inadequate privacy policies and procedures:
- Damage to the organization’s reputation, brand, or business relationships
- Legal liability and industry or regulatory sanctions
- Charges of deceptive business practices
- Customer or employee distrust
- Denial of consent by individuals to have their personal information used for business purposes
- Lost business and consequential reduction in revenue and market share
- Disruption of international business operations
- Liability resulting from identity theft
International Privacy Considerations
For organizations operating in more than one country, the management of their privacy risk can be a significant challenge.
For example, the global nature of the Internet and business means regulatory actions in one country may affect the rights and obligations of individual users and customers around the world. Many countries have laws regulating transborder data flow, including the European Union's (EU) directives on data protection and privacy, with which an organization must comply if it wants to do business in those countries. Therefore, organizations need to comply with changing privacy requirements around the world. Further, different jurisdictions have different privacy philosophies, making international compliance a complex task. To illustrate this, some countries view personal information as belonging to the individual and take the position that the enterprise has a fiduciary-like relationship when collecting and maintaining such information. Alternatively, other countries view personal information as belonging to the enterprise that collects it.
In addition, organizations are challenged to stay up to date with the requirements of each country in which they do business. By adhering to a high global standard, such as the one set out in this document, compliance with many regulations will be facilitated.
Even organizations with limited international exposure often face issues of compliance with privacy requirements in other countries. Many of these organizations are unsure how to address the often stricter overseas regulations. This increases the risk that an organization could inadvertently commit a breach that is publicized by the offended host country as an example.
Furthermore, many local jurisdictions (such as states or provinces) and certain industries, such as healthcare or banking, have specific requirements related to privacy.
Outsourcing and Privacy
Outsourcing increases the complexity of dealing with privacy. An organization may outsource a part of its business process and, with it, some responsibility for privacy; however, the organization cannot outsource its ultimate responsibility for the privacy of its business processes. Complexity increases when the entity that performs the outsourced service is in a different country and may be subject to different privacy laws, or perhaps to no privacy requirements at all. In such circumstances, the organization that outsources a business process will need to ensure that it manages its privacy responsibilities appropriately.
GAPP and its supporting criteria can assist an organization in completing assessments (including independent examinations) about the privacy policies, procedures, and practices of the third party providing the outsourced services.
The fact that these principles and criteria have global application can provide comfort to an outsourcer that privacy assessments can be undertaken using a consistent measurement based on internationally known fair information practices.
What Is Privacy?
Privacy is defined in Generally Accepted Privacy Principles as “the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.”
Personal information (sometimes referred to as personally identifiable information) is information that is about, or can be related to, an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual. Individuals, for this purpose, include prospective, current, and former customers, employees, and others with whom the entity has a relationship. Most information collected by an organization about an individual is likely to be considered personal information if it can be attributed to an identified individual. Some examples of personal information are as follows:
- Name
- Home or e-mail address
- Identification number (for example, a Social Security or Social Insurance Number)
- Physical characteristics
- Consumer purchase history
Some personal information is considered sensitive. Some laws and regulations define the following to be sensitive personal information:
- Information on medical or health conditions
- Financial information
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Sexual preferences
- Information related to offenses or criminal convictions
Sensitive personal information generally requires an extra level of protection and a higher duty of care. For example, some jurisdictions may require explicit consent rather than implicit consent for the collection and use of sensitive information.
Some information about or related to people cannot be associated with specific individuals. Such information is referred to as nonpersonal information. This includes statistical or summarized personal information for which the identity of the individual is unknown or linkage to the individual has been removed. In such cases, the individual’s identity cannot be determined from the information that remains because the information is deidentified or anonymized. Nonpersonal information ordinarily is not subject to privacy protection because it cannot be linked to an individual. However, some organizations may still have obligations over nonpersonal information due to other regulations and agreements (for example, clinical research and market research).
Unlike personal information, which is often defined by law or regulation, there is no single, widely recognized definition of confidential information. In the course of communicating and transacting business, partners often exchange information or data that one or the other party requires to be maintained on a “need to know” basis. Examples of the kinds of information that may be subject to a confidentiality requirement include the following:
- Transaction details
- Engineering drawings
- Business plans
- Banking information about businesses
- Inventory availability
- Bid or ask prices
- Price lists
- Legal documents
- Revenue by client and industry
Also, unlike personal information, rights of access to confidential information to ensure its accuracy and completeness are not clearly defined. As a result, interpretations of what is considered to be confidential information can vary significantly from organization to organization and, in most cases, are driven by contractual arrangements. For additional information on criteria for confidentiality, refer to the AICPA and CICA Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (see www.aicpa.org/TrustServices or www.webtrust.org).