
Implementing a Privacy Program

Privacy Laws, Regulations, and Guidelines

Privacy Is a Risk Management Issue

Designing a Privacy Program

Road Map for Protecting the Privacy of Personal Information


Privacy Laws, Regulations, and Guidelines

 

For the many reasons set out in the section, Understanding Privacy, protecting the privacy of personal information is crucial. In the United States, that protection is afforded largely by sector-specific privacy laws, such as the Gramm-Leach-Bliley Act (GLBA) for the financial services industry, the Health Insurance Portability and Accountability Act (HIPAA) for the health care industry, and the Children's Online Privacy Protection Act (COPPA) for protecting minors on the Internet.

 

Other important laws and guidelines include:

 

·         The OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

·         The EU's Data Protection Directive

·         The U.S. Department of Commerce's Safe Harbor Framework, which governs transfers of personal data from the EU to U.S. organizations

·         Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)

·         The United Kingdom's Data Protection Act

 

The recent activities of regulatory bodies indicate a growing trend to publish actions taken against organizations that misuse personal information. For example, the Web sites of the U.S. Federal Trade Commission (FTC) and the Canadian Federal Privacy Commissioner both provide details of corporate privacy violations, the findings of regulators, and the fines, penalties, or other sanctions imposed. The FTC reports that fines for privacy violations can easily reach the seven-figure range. As a result, entities that treat consumer data with nonchalance can incur huge legal headaches and public relations nightmares. Such regulatory activities are evidence of the increasing risk to organizations that choose to ignore the privacy of personal information.

 


 

Privacy Is a Risk Management Issue

 

Information privacy is a significant concern to many individuals. Numerous surveys and polls in the United States have identified fears about the security and privacy of personal information as a major factor in limiting the growth of commerce on and off the Internet. As such, privacy is a risk management issue for all organizations today—whether online or offline.

 

Management has always been responsible for managing risk. Information privacy adds to those risks and must be addressed in a timely and complete manner to ensure the requirements of laws, regulations, and industry practices are included in the solution.

 

Protecting the privacy of personal information presents management with a number of risks to be addressed, including:

 

·         Image and Branding. Breaches in privacy protection have the potential to negatively affect an organization’s image and brand, and hence how it is perceived in the marketplace.

·         Financial Loss. Significant financial losses may result from breaches of privacy protection, either directly (for example, the cost of reissuing credit cards) or indirectly (for example, lost customer loyalty and sales).

·         Investor Loss. The marketplace may react to breaches in privacy protection by driving down share prices, resulting in a loss of market capitalization.

·         Regulatory Compliance. Failing to comply with regulatory requirements may result in poor public relations, as well as fines or other penalties.

·         Business Partner Confidence. Business partners that share personal information with the organization will lose confidence and trust in it if that information is not adequately protected.

·         International Agreements. When an organization cannot meet established privacy standards, certain international privacy laws may restrict or prohibit the export of personal information to that organization.

 

To determine the significance of privacy-related business risks, it is important for every organization to conduct a risk assessment of its information-handling practices. The results of that assessment will dictate whether and to what extent a privacy program should be implemented. Prudent business practices call for a privacy risk assessment either as part of an initial privacy review or when major changes are being proposed to existing business activities.

 

Generally, activities that involve the significant collection, use, or disclosure of personal information should include such an assessment and the results should be reflected in the organization’s business plan. The questionnaire found under Checklists & Worksheets titled "Privacy Risk Assessment Questionnaire," sets out key questions that should be addressed as part of an initial privacy risk assessment.

 

An effective privacy program requires clear leadership and a commitment by business owner/managers or senior management to prevent, detect, and address noncompliance. Accordingly, those assigned responsibility for privacy compliance must be given the decision-making authority to oversee the organization’s privacy practices, including the implementation of policies and procedures, staff training, allocation of resources, dissemination of information, and response to and resolution of inquiries and complaints. Business owner/managers or senior management must also ensure that adequate resources are available for designing the privacy program, and the time frame for implementation should be realistic.

 


 

Designing a Privacy Program

 

Any organization that has a well-designed, well-implemented, and well-monitored privacy program will not only respond to the concerns of consumers but will also comply with the applicable privacy laws. Because the nature, size, and complexity of operations will vary from one organization to another, a privacy program should be tailored to meet the needs of the particular organization. In most cases, this means using the following road map for protecting the privacy of personal information.

 


 

Road Map for Protecting the Privacy of Personal Information

 

  1. Appoint an individual to be responsible for privacy compliance throughout the organization and for managing personal information shared with business partners.

  2. Inventory current privacy practices, identifying all sources, uses, locations, sharing, disclosure, archiving, and destruction of personal information.

  3. Assess the gaps between the organization's current privacy practices and fair information practices, including pertinent privacy laws, regulations, and guidelines.

  4. Prepare privacy policies and procedures to effectively address all fair information practices and pertinent legal requirements.

  5. Appoint a cross-functional team, as needed, to develop a detailed change management plan and make the required changes.

  6. Implement the privacy program with respect to policies, procedures, information systems, contracts, and other privacy-related materials.

  7. Monitor and report on compliance with the organization’s privacy policies and procedures in accordance with fair information practices.

Step 1 in the preceding road map is to delegate the responsibility for the protection of personal information to one individual—often called a privacy officer. This step is crucial because it formally establishes a "custodian" or "trustee" to serve as the intermediary between individuals who provide personal information and those who use that information, whether they are internal staff or third parties. Assigning responsibility to a privacy officer provides a means for building expertise in effectively managing privacy issues relating to any of an organization's operations.

 

According to a study undertaken jointly by Privacy & American Business and the Association of Corporate Privacy Officers, 82 percent of privacy officers report directly to senior officials and 78 percent have backgrounds in privacy-related functions, such as legal, public, or government affairs; marketing; information technology; or management. Whatever the size of the organization, the privacy officer should have an understanding of people, processes, and technology that must include the following:

 

·         A broad understanding of how the organization works and its corporate culture

·         A positive track record of working with cross-functional teams

·         Strong interpersonal, communications, and leadership skills

·         Technical savvy about data management and computer systems

 

It is important to communicate the name, title, and responsibilities of the privacy officer, both internally and externally, for example, in published materials, such as privacy manuals and brochures, and on Web sites. The responsibilities will differ from one organization to another but, at a minimum, the privacy officer will need to determine whether the systems that store personal information have the capacity to track and record who has access to that information, and for what purpose and under what conditions the information is used. As well as ensuring that the staff is adequately trained, the privacy officer should determine whether personal information is disclosed to third parties, and how they are contractually bound to protect privacy.

 

Step 2 of the preceding road map is to inventory current privacy practices. In this regard, the privacy officer should identify all personal information-handling practices, including ongoing activities and new initiatives. A checklist may help to create the inventory by asking questions such as:

 

·         What personal information is collected?

·         Why is it collected?

·         How is it collected?

·         What is it used for?

·         Where is it kept?

·         Who has access?

·         What security measures are used?

·         To whom is it disclosed?

·         When and how is it disposed of?
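The inventory questions above, together with the privacy officer's minimum duty described earlier (systems that store personal information should be able to track and record who accessed it, for what purpose, and under what conditions), can be turned into a concrete technical control. The following is an added example written for this page; it is not code from the AICPA or from any product the page describes. It assumes a constructed inventory of three personal-information categories, each recording the purposes for which the information was collected, its retention period, and the permitted recipients; every read must declare a purpose, is refused if that purpose is not one the information was collected for, and is written to an audit trail either way. The category names, purposes, actors, and retention periods are illustrative assumptions.

```python
"""Purpose-bound access to personal information, with an audit trail.

Added example, not from the original page. The inventory below is
constructed to mirror the inventory questions (why collected, what used
for, to whom disclosed, when disposed of); all names and numbers are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class InventoryEntry:
    purposes: Set[str]      # why it is collected / what it is used for
    retention_days: int     # when it is disposed of
    disclosed_to: Set[str]  # to whom it may be disclosed


# Constructed inventory (assumption): category -> what the inventory recorded.
INVENTORY: Dict[str, InventoryEntry] = {
    "contact_details": InventoryEntry({"order_fulfilment", "customer_support"}, 730, {"courier"}),
    "payment_card": InventoryEntry({"order_fulfilment"}, 90, {"payment_processor"}),
    "health_history": InventoryEntry({"claims_processing"}, 2555, set()),
}


@dataclass(frozen=True)
class AccessRecord:
    """One audit line: who accessed which category, why, and whether it was allowed."""
    when: str
    actor: str
    category: str
    purpose: str
    allowed: bool
    reason: str


class PersonalInfoStore:
    """Gates reads of personal information behind a declared, inventoried purpose."""

    def __init__(self, inventory: Dict[str, InventoryEntry], records: Dict[str, List[dict]]):
        self._inventory = inventory
        self._records = records
        self.audit: List[AccessRecord] = []

    def read(self, actor: str, category: str, purpose: str) -> List[dict]:
        entry = self._inventory.get(category)
        if entry is None:
            return self._deny(actor, category, purpose, "category not in inventory")
        if purpose not in entry.purposes:
            return self._deny(actor, category, purpose, "purpose not one the information was collected for")
        self._log(actor, category, purpose, True, "ok")
        return list(self._records.get(category, []))

    def _deny(self, actor: str, category: str, purpose: str, reason: str) -> List[dict]:
        # Refusals are logged too: they are the signal step 7 monitoring looks for.
        self._log(actor, category, purpose, False, reason)
        raise PermissionError(f"{actor}: {category} for {purpose}: {reason}")

    def _log(self, actor: str, category: str, purpose: str, allowed: bool, reason: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AccessRecord(stamp, actor, category, purpose, allowed, reason))


def denied_accesses(audit: List[AccessRecord]) -> List[AccessRecord]:
    """Audit lines a privacy officer would review: attempts outside the inventoried purposes."""
    return [r for r in audit if not r.allowed]


def disclosure_permitted(inventory: Dict[str, InventoryEntry], category: str, recipient: str) -> bool:
    """Answers 'to whom is it disclosed?' for a proposed recipient."""
    return recipient in inventory[category].disclosed_to


def overdue_for_disposal(inventory: Dict[str, InventoryEntry], category: str,
                         collected_iso: str, today_iso: str) -> bool:
    """Answers 'when is it disposed of?': True once the retention period has elapsed."""
    held = (date.fromisoformat(today_iso) - date.fromisoformat(collected_iso)).days
    return held > inventory[category].retention_days


def demo() -> PersonalInfoStore:
    # Constructed sample records (assumption); no real personal data.
    records = {
        "contact_details": [{"name": "A. Example", "email": "a@example.invalid"}],
        "payment_card": [{"pan_last4": "4242"}],
    }
    store = PersonalInfoStore(INVENTORY, records)
    store.read("support-agent-7", "contact_details", "customer_support")   # allowed
    try:
        store.read("marketing-bot", "payment_card", "marketing_campaign")  # refused and logged
    except PermissionError:
        pass
    return store


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

The design point is that the inventory answers are not just documentation: the purposes recorded for each category become the allow-list that the read path enforces, and the audit trail records refusals as well as successes, so the monitoring in step 7 has something to review.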

 

After completing the inventory, the privacy officer follows step 3 of the road map, which is to assess the gaps between the organization's current privacy practices and fair information practices, including pertinent privacy laws, regulations, and guidelines. In step 4, he or she prepares privacy policies and procedures in accordance with internationally recognized fair information practices.

 

Once the policies and procedures have been prepared, step 5 is carried out, as needed: a cross-functional team is appointed to develop a detailed change management plan and make the required changes.

 

Steps 6 and 7 of the road map to compliance address risk management—implementation and monitoring of the privacy program with respect to policies, procedures, information systems, contracts, and other privacy-related materials. In this regard, it is important to understand that privacy risk management is a continuous, evolving process that is relevant to all facets of the business. That process encompasses the following approach:

 

·         Identify the pertinent fair information practices.

·         Establish specific objectives.

·         Identify and assess risks of not meeting the objectives.

·         Identify and implement appropriate control measures.

·         Assess the effectiveness of control measures.

 

An organization should establish specific objectives with respect to each fair information practice. Risk identification and assessment provide a basis for understanding the risks that may prevent those objectives from being met. Control identification and assessment provide the means for mitigating those risks, achieving the objectives, and in turn complying with the fair information practices. In this regard, it is crucial for management to identify the consequences of not meeting the established objectives and to specify the control measures needed to prevent unacceptable risks, manage and monitor acceptable risks, and mitigate unexpected risks.

 


Copyright © 2004 by the American Institute of Certified Public Accountants, Inc., New York, New York.