personal information Archives - Zasio

Privacy and Confidentiality — a Sound Investment for Any Business

Zasio — Tue, 20 Jul 2021 19:41:12 +0000

How an organization handles data matters. While records management covers many tenets of data collection, one particular area deserves exploration–privacy: what is it? How is it different from confidentiality? And why does this distinction matter?

While privacy and confidentiality may seem interchangeable, both terms refer to different points in the data lifecycle. Let’s start with how these concepts overlap. Both privacy and confidentiality pertain to how, when, and why information is stored or collected. However, privacy allows an individual to control what of their personal information an organization may collect, maintain, and share.[i] Confidentiality on the other hand protects personal and sensitive information, once collected, from unauthorized use, access, or disclosure.[ii] This means, to maintain confidentiality for both client and employee information, a business must identify both the information it needs to carry out certain tasks, as well as what it will do with that information once collected.

Data Privacy

Implementing privacy control measures requires a company to be very intentional about the data it collects, and ultimately, how it integrates that data into the records it retains. A company should have a clear, articulated purpose for each bit of data it collects, and appropriate permissions from the data’s owner to carry out how it is used.[iii] Legislation in the United States governing personal data has become more common, following the data privacy trend set by the European Union’s General Data Protection Regulation (GDPR).[iv] While a federal general privacy law has not been enacted in the United States, various industry-specific federal laws contain privacy principles that apply to personal data. Privacy-specific laws are a growing trend, with many states seeing bill proposals at various stages of the legislative cycle (such as recent enactments in California and Virginia)[v].

A solid institutional plan for what data an organization collects, as well as how and why it uses that data, are all great first steps towards operationalizing good data management.

Data Confidentiality

Once privacy boundaries are established by controlling what data an organization collects and why, that data must be managed and protected. This is where confidentiality comes in. One of the most common examples of a confidentiality law is the Health Insurance Portability and Accounting Act (HIPAA), which governs, for example, personal health information (PHI). Looking at HIPAA, confidentiality can be achieved when a business limits access to a patient’s hospital records to only those employees or data processors with a legitimate business need to access this information. This happens through a variety of different recording mechanisms, including access permissions, handling requirements, and retention requirements. For example, a records handling requirement may state geographically where the records containing PHI will be stored (at a principal place of business, perhaps), or what format the records will be stored in (electronic files or hard copy). Additionally, security measures are necessary (and increasingly, are legally and contractually required) to prevent damage, theft, or unauthorized access of a business’s records. All of these various measures, when implemented correctly and thoughtfully, protect data confidentiality and help insulate a business from expensive risks such as litigation, monetary penalties, and reputational damage.

Privacy and Confidentiality is Not the End of the Records Management Journey

Once data is collected and procedures are put in place to protect it, privacy and confidentiality requirements are not over. After a business has gathered the data and determined that it has a business or legal value, it then often gets preserved in a record. These records are subject to a variety of regulations and laws, as well as principles of records and information management (RIM). Sometimes, depending on the record type and jurisdiction, certain records must be destroyed in a certain way (for example, by shredding). How a record must be destroyed though, doesn’t paint the whole picture of a record’s retention lifecycle. A mandatory destruction requirement typically states the maximum time period the record should be kept before destroying it. This handling requirement represents a ceiling, as the record can be destroyed at any point before the maximum period. Retention requirements can also create the opposite, as a floor or bare minimum time period a record must be retained for before destruction can even be considered. For example, a regulation may require a business to maintain a given record for a minimum of three years after a triggering event. How a record is handled, and for how long it is retained, protects the data that is preserved in that record.

Proper RIM procedures and schedules create enormous value for a business. Data management and records retention policies, when implemented correctly and thoughtfully, protect the confidentiality of retained data and insulate a business from expensive risks such as litigation, monetary penalties, or even a damaged reputation in its industry. Having a records retention schedule tailored to individual business needs that recognizes the relationship between data and records takes the guesswork out of information governance and reduces a host of risks caused by improper data management and collection.

Conclusion

Data is an incredibly valuable asset to any business. When a business knows what data it collects and why it’s needed, and then applies good RIM policies and procedures to that data, it will achieve better business outcomes. Information governance can ensure privacy and confidentiality when a records retention schedule is built in a way that treats records as consolidated collections of granular data points. If your organization is ready to create a record retention schedule, contact Zasio today to see how our innovative products and services can help meet your record-keeping and information governance needs.

[i] Mike Chapple, Security, Privacy and Confidentiality: What’s the Difference?, EdTech (Oct. 10, 2019), https://edtechmagazine.com/higher/article/2019/10/security-privacy-and-confidentiality-whats-difference#:~:text=Confidentiality%20controls%20protect%20against%20the,maintains%20and%20shares%20with%20others.

[ii] Id.

[iii] Mary T. Costigan, CPRA Series: The Importance of Data Retention Schedules and Records Management, The National Law Review, Dec. 29, 2020. https://www.natlawreview.com/article/cpra-series-importance-data-retention-schedules-and-records-management-policies.

[iv] See generally id. The California Privacy Rights Act of 2020 (CPRA) implements the GDPR’s storage limitation principle, as in, data must be stored only as long as necessary to achieve it’s stated purpose for being collected in the first place.

[v] Sarah Rippy, US State Privacy Legislation Tracker, IAPP (last updated May 26, 2021), https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Privacy and Confidentiality — a Sound Investment for Any Business appeared first on Zasio.

Sanitize Everything From Your Hands to Your Personal Information

Zasio — Wed, 03 Mar 2021 21:19:19 +0000

If the last year has taught us anything, it is to sanitize, sanitize, sanitize. You are probably sanitizing your hands, your house, everything you touch, but what about the personal information you process?

Laws and regulations increasingly require entities to sanitize, pseudonymize or anonymize the personal information that they collect or process. Other than defining and requiring sanitization, these legal requirements often neglect to inform regulated entities what sanitization encompasses.

Pseudonymization, Anonymization, and Sanitization Defined

The GDPR has introduced a multitude of data protection-related terms. Pseudonymization, anonymization, and sanitization are terms that are often used interchangeably.

According to GDPR Article 4, subsection 5, pseudonymization is “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information […] to ensure that the personal data are not attributed to an identified or identifiable natural person”[1].

Anonymization relates to “a data processing technique that removes or modifies personally identifiable information; it results in anonymized data that cannot be associated with any one individual.”[2] According to Google’s policies, their anonymization process “use[s] generalization to remove a portion of the data or replace some part of it with a common value.”[3]

Similarly, sanitization relates to “the process of removing sensitive information from a document or other message (or sometimes encrypting it), so that the document may be distributed to a broader audience”[4]. This process irreversibly removes or destroys personal information from a record, database, or memory device.

Each of the above definitions highlights that these processes make personal information unrecognizable. Once the initial purpose for processing is no longer necessary, organizations may continue to need other non-identifying information for other important purposes, such as internal metrics, continuing research, or transfer to other parties. These processes allow organizations to have access to this non-identifying information while minimizing the risk of breaching personal information.

What Must be Sanitized?

Most regulatory requirements relating to sanitization refer to specific regulated parties and specific types of information, typically within the realm of finance, medicine, or employment. As researchers continue to learn about the epidemiology of COVID-19, the next few years may also see an increase in personal information sanitization laws on the collection and transfer of health information. For example, California requires employers to keep a record of all COVID-19 cases. This requirement creates a caveat that personal identifying information be removed when medical information is made available to others.[5]

In contrast, few laws relate to general data processors or categories of data processing. One such example is the Australian state of Victoria’s Privacy and Data Protection Act, which requires organizations to “take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.”[6]

While current laws and regulations specify what information needs to be sanitized and who needs to sanitize it, organizations are left to determine where this information may be located. Some examples of where personal information requiring sanitization could be lurking are email, which may most easily be sanitized through encryption[7]; personally-owned devices; old systems or databases; or information being transferred to third parties.

Sanitization Policies

Creating and implementing a sanitization policy can be a good first step to mitigating your risk of a personal information breach. Sanitization policies identify persons or departments responsible for sanitization, as well as areas where personal information may be located. Sanitization policies also describe how and when to remove or modify personal information. Failure of organizations to create such policies may result in significant fines. For example, some of the first GDPR-related fines were for organizations retaining non-sanitized passwords which were later breached.[8]

Conclusion

The next time you reach for your hand sanitizer, consider how your business could benefit from a sanitization policy for personal information as well. To learn more about regulatory requirements regarding personal information, contact Zasio today!

[1] European Union Regulation 2016/679, “GDPR”.

[2] Google, Technologies, HOW GOOGLE ANONYMIZES DATA.

[3] Id.

[4] Wikipedia, Sanitization (classified information).

[5] 8 California Code of Regulations 3205.

[6] Privacy and Data Protection Act 2014, Schedule 1, Principle 4.2.

[7] GDPR.EU, “How does the GDPR affect email?”.

[8] Security Boulevard, “4 GDPR Violations that Multiple Companies have been Fined for”.

The post Sanitize Everything From Your Hands to Your Personal Information appeared first on Zasio.

US Privacy Laws & RIM — Recent Developments

Zasio — Thu, 07 Jan 2021 21:43:32 +0000

Privacy may very well be the fastest-growing area of law so far in the 21^st century. While the US, at the federal level, has resisted a broad privacy law similar to the GDPR, momentum is steadily gaining for privacy legislation at the state level. This blog explores US privacy law’s recent developments from a records and information management (RIM) perspective.

I. Recently Enacted Privacy Legislation

The number of new bills introduced in 2020 broadly regulating privacy illustrates the subject’s popularity. In 2020 there were more than 20 privacy bills introduced at the state level in the US.[1] Federally, there were dozens of bills and discussion drafts introduced during the last two sessions of congress.[2] While most of the recent broad privacy bills met their demise in legislative committees, here are some of the ones that survived and became law.

California’s Privacy Rights Act (CPRA)

The biggest development in US privacy law in 2020 was the passage of the CRPA by ballot initiative during the November election. The CPRA amends the California Consumer Privacy Act (CCPA) in major ways. Here is a summary of these changes:

New Privacy Authority Created: The CPRA creates the California Privacy Protection Agency (CPPA) and grants it the authority to enforce the act by making rules and investigating non-compliance.[3]
Creates New Sensitive Personal Information Category: The CRPA provides stricter requirements for sensitive PI, with stricter use and disclosure provisions than regular PI, including Consumers’ ability to restrict use and disclosure for some purposes. Examples of sensitive PI include social security numbers, identification numbers from identification cards such as passports and licenses, financial account information, race, ethnic origin, religion, and genetic information, and precise location information, among others.[4]
Expanded Rights for Consumers: In addition to their ability to restrict the use of sensitive PI, consumers have several new and expanded rights under the CRPA. These include new rights to correct inaccurate PI, expanded rights to delete PI from third parties, and expanded/modified rights to know, opt-out, notice of collection, and request deletion of PI.[5]
Revised Regulated Party: The CRPA expands regulated business activities to include parties receiving PI. The CCPA only included parties who buy, sell, or share PI. The CPRA also expands regulated business activities by revising the deriving at least 50 percent of income from selling PI threshold to include profits from sharing PI. However, the CPRA excludes many small businesses previously covered under the CCPA by increasing the threshold number of consumers or households from 50,000+ to 100,000+.[6]
PI Retention Changes: CPRA has some retention changes similar to requirements in the GDPR. Under the CPRA, businesses now are prohibited from keeping PI unless it’s reasonably necessary to meet a disclosed purpose. Further, businesses must specify the criteria used to determine the retention period for PI categories or the retention period itself at the time of collection.[7]

Like the CCPA, there is a window before the CPRA becomes effective, allowing businesses time to implement compliance measures. The CPRA will become effective on January 1, 2023.

Maine Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301)

Maine passed a privacy act in 2019, restricting the collection, retention, use, disclosure, sale, or access to customer PI by broadband internet access services. This act provides exceptions, including consent, providing services related to the purpose for collection, direct advertising, and several others. It also includes requirements for security and protection of consumer PI lawfully collected.[8]

Nevada Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A)

Nevada revised its PI security law by enhancing requirements for state government controls in the “collection, dissemination and maintenance” of PI.[9]

II. U.S. Privacy Law Trends Leading Into 2020

The year 2020 highlighted an ongoing trend in U.S. privacy laws. For reference, the following includes a summary of additional privacy laws generally applicable to businesses and employers that impact PI retention:

Illinois Biometric Information Privacy Act (740 ILCS 14/)

Section 15 of this law on “Retention; collection; disclosure; destruction” requires private entities possessing biometric identifiers to have a retention schedule specifying disposition “when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.”[10]

Maryland: COMAR 09.12.22.01

This law from Maryland requires employers to retain PI medical information “only for the time needed to accomplish the purpose for access.”[11]

New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act): NY CLS Gen Bus 899-aa and 899-bb

The SHEILD Act requires businesses owning or licensing computerized data containing PI to dispose of the PI “within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”[12]

Texas: Tex. Bus. & Com. Code 503.001

This Texas legislation requires persons possessing biometric identifiers of individuals collected for a commercial purpose to “destroy it within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires.”[13]

Utah: Utah Code Ann. 34-46-203

Utah’s latest enacted privacy legislation requires employers to destroy information collected during a hiring process within “two years after the day on which the applicant provides the information to the employer if the employer does not hire the applicant.”[14]

Washington: Rev. Code Wash. 19.375.020

This recent Washington law requires that possessors of biometric identifiers collected for commercial purposes retain them for “no longer than is reasonably necessary to… provide the services for which the biometric identifier was enrolled.”[15]

Federal Children’s Online Privacy Protection Rule: 16 CFR 312.10)

This rule by the US Federal Trade Commissions requires operators of websites or online services to retain PI collected from children for “only as long as is reasonably necessary to fulfill the purpose for which the information was collected.”[16]

Conclusion

The above is just a sampling of privacy laws and many other US privacy laws generally regulate businesses and specific industries. If you need help strategizing how privacy requirements impact your RIM program, Zasio Consulting is here to help, contact Zasio.[17]

[1] Arizona (SB1614, HB2729), California (CPRA passed), Hawaii (HB 963), Illinois (SB2263, SB2330, HB5603), Maryland (HB0249, HB0784, HB1656), Minnesota (HF 3936), Nebraska (LB746), New Hampshire HB1236), New Jersey (A2188, A3255), New York (S224, S5642), South Carolina (H4812), Virginia (HB473), Washington (SB6281), Wisconsin (AB870, AB871, AB872).

[2] DATA Privacy Act (H.R.8749), Privacy Office Enhancement Act (H.R.5678), Consumer Online Privacy Rights Act (S.2968), Privacy Score Act of 2020 (H.R.6227), Social Media Privacy Protection and Consumer Rights Act of 2019 (S.189), Privacy Bill of Rights Act (S.1214), Protecting Education Privacy Act (H.R.2724), Moving Americans Privacy Protection Act (S.1302), Passenger Privacy Protection Act of 2019 (S.1206), Genetic Information Privacy Act of 2019 (H.R.2155), Secure Data and Privacy for Contact Tracing Act of 2020 (H.R.7472), Consumer Data Privacy and Security Act of 2020 (S.3456), Online Privacy Act of 2019 (H.R.4978) to name a select few.

[3] The California Privacy Rights Act (CPRA) Section 24. https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf

[4] ID at sections 10 and 13.

[5] ID at sections 3A, 5-12.

[6] ID at section 14

[7] ID at sections 4, 12(7)

[8] Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301). https://www.mainelegislature.org/legis/bills/getPDF.asp?paper=SP0275&item=9&snum=129

[9] Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A) Section 210. https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec210

[10] Illinois Biometric Information Privacy Act (740 ILCS 14/) Sec. 15 (a). https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

[11] COMAR 09.12.22.01 (C). http://www.dsd.state.md.us/comar/comarhtml/09/09.12.22.01.htm

[12] NY CLS Gen Bus 899-bb (2)(b)(ii)(C)(4). https://www.nysenate.gov/legislation/laws/GBS/899-BB

[13] Tex. Bus. & Com. Code 503.001 (c)(3),(c-1). https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm

[14] Utah Code Ann. 34-46-203 (2). https://le.utah.gov/xcode/Title34/Chapter46/34-46-S203.html?v=C34-46-S203_1800010118000101

[15] Rev. Code Wash. 19.375.020 (4)(b). https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.020#:~:text=RCW%2019.375.020-,Enrollment%2C%20disclosure%2C%20and%20retention%20of%20biometric%20identifiers.,identifier%20for%20a%20commercial%20purpose.

[16] 16 CFR 312.10. https://www.ecfr.gov/cgi-bin/text-idx?SID=d2d4616077fe505e154978fae9519ff3&mc=true&node=pt16.1.312&rgn=div5#se16.1.312_110

[17] https://www.zasio.com/consulting-services/

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements in this article are informational only and do not constitute legal or other professional advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Author: Rick Surber, CRM, IGP

Senior Analyst / Licensed Attorney

The post US Privacy Laws & RIM — Recent Developments appeared first on Zasio.

De-identification Standards to Protect Personal Information

Zasio — Tue, 12 Sep 2017 20:24:25 +0000

Individuals value their privacy. In contrast, businesses value the ability to leverage personal information to deliver quality products and services to meet the needs of their clients. The legal standards that regulate the protection of personal information help bridge the gap between these two opposing interests.

This article addresses when to apply de-identification, the legal standards under specific regulations for de-identifying personal information, and the effect meeting such de-identification standards has on the use of the remaining data set.

The full article can be seen at ACC‘s (Association of Corporate Counsel) Docket Magazine here.

The post De-identification Standards to Protect Personal Information appeared first on Zasio.