Principle of Information Management

4.1 The Role of the Privacy Professional

1. Organizations may collect consumer PI for many purposes and may disclose information to service providers, affiliates, business partners and government agencies for a wide range of purposes.

2. Perception of acceptable privacy practices vary, creating challenges for privacy professionals

   1. “Privacy Fundamentalists”

   2. “Privacy Unconcerned”

   3. “Privacy Pragmatists”

3. One role for privacy professionals is to alert their organizations to these often divergent perspectives.

4. Privacy professionals also help their organization manage a range of risks that can arise from processing personal information, and do so in a manner consistent with meeting the organization’s growth, profitability and other goals.

4.2 Risks of Using PI Improperly

1. Legal Risks

   1. Comply with applicable state, federal, and international laws regarding the use of information or potentially face litigation or regulatory sanctions such as consent decrees.

   2. Comply with its contractual commitments, privacy promises and commitments to follow industry standards, such as Payment Card Data Security Standard (PCI DSS).

2. Reputational Risks

   1. Reputational harm if you announce privacy policies but does not carry them out. You may also face enforcement actions – from FTC.

3. Operational Risks –

   1. Must ensure that your privacy program is administratively efficient. If its too heavy-handed, it may interfere with relationships and inhibit uses of PI that benefit the organization and its customers, such as for personalization or risk management.

4. Investment Risks –

   1. Must be able to receive an appropriate return on its investments in information, IT and information-processing programs in light of evolving privacy regulations, enforcement and expectations.

4.3 Developing an Information Management Program

1. Privacy leaders help their organizations develop privacy policies in an organized way, meeting goals as as well as preserving business flexibility.

4.3.1 Basic Steps for Information Management

1. Discover

   1. Issue identification and self-assessment

      1. Learn privacy regulations for your organization

      2. Understand the company's privacy risk posture.

   2. Determination of best practices

Sample Organization Chart for Privacy and Data Protection Activities

2. Build

   1. Procedure development and verification

      1. When developing procedures, verify with those who will implement

   2. Full implementation

3. Communicate

   1. Documentation

      1. Ensure properly documented to those in the organization

   2. Education

4. Evolve

   1. Affirmation and monitoring

   2. Adaptation

4.4 Data Sharing and Transfer

1. Data Inventory

   1. Organization’s inventory (collect, store, use, disclose) should include both customer and employee data records. It should document data location and flow as well as evaluate how, when and with whom the organization shares such information – and the means for data transfer used.

   2. This is legally required for some institutions, such as those covered by the Gramm-Leach-Bliley Act (GLBA) Safeguard Rule.

   3. Review and update it on a regular basis

2. Data Classification

   1. Classify data according to its level of sensitivity.

   2. Level defines the clearance of individuals who can access or handle that data.

   3. Why classify - for the purpose of meeting compliance

3. Document Data Flows

   1. Use Org Chart to document flows

   2. Document the mapping of systems, applications and processes for handling data

4. Determining Data Accountability

   1. Data flows should be examined and documented.

      1. How sensitive is the information

      2. Should the information be encrypted.

      3. Will the information be transferred to or from other countries and how will it be transferred?

      4. Who determines the rules that apply to the information.

      5. Where, how, and for what length of time is the data stored.

      6. How is the information to be processed, and how will these processes be maintained?

      7. Is the use of such data dependent upon other systems?

   2. Documenting data flows helps identify areas for compliance attention.

4.5 Privacy Policies and Disclosure

1. How they inform relevant employees about how PI must be handled, and in some cases made public, in the form of a privacy notice for the purpose of transparency.

2. If a promise made in privacy policy is violated, FTC/state attorney general may bring enforcement action for deceptive practice.

3. Decision:

   1. One or Multiple Privacy Policy

      1. One

         1. One policy will work if an organization has a consistent set of values and practices for all its operations.

      2. Multiple

         1. Multiple policies may make sense for a company that has well-defined divisions of lines of business, especially if each division uses customer data in very different ways, does not typically share PI with other divisions, and is perceived in the marketplace as a different business.

4. Policy Review and Approval

   1. Approval from the legal and executive team

5. Communication of Privacy Policy Through Notice

   1. Make the notice accessible online

   2. Make the notice accessible in place of business

   3. Provide updates and revisions

   4. Ensure that the appropriate personnel are knowledgeable about the policy.

6. Policy Version Control

   1. An organization’s privacy policy will need to be updated as its information collection, use and transfer needs evolve.

4.6 Managing User Preferences and Access Requests

1. Opt-in, Opt-out, and No Option

   1. Opt-in – Some US privacy laws require affirmative consumer consent (opt-in) before data collection.

      1. COPPA express from parents. COPPA requires express consent from a parent before a child’s PI is collected.

      2. HIPAA before disclosure to 3rd parties, with exceptions.

         1. HIPAA requires opt-in consent before personal health information is disclosed to third parties, subject to important exceptions.

      3. FCRA before credit report may be provided to employer, lender or other authorized recipient.

         1. Fair Credit Reporting Act (FCRA) requires opt-in before a consumer’s credit report may be provided to an employer, lender or other authorized recipient.

   2. No Consumer Choice / No Option – implied authority to share

      1. Amazon customer expects PI to be shared with shipper, credit card processors, and others for delivery fulfillment.

      2. Commonly Accepted Practices

   3. Opt-Out / Consumer Choice – creates an enforceable promise.

      1. FTC/state enforcers may bring suit under unfair/deceptive practice.

      2. GLBA requires opt-out before transferring PI of of financial institution customers to unaffiliated 3rd party for latter’s own use.

      3. Video Privacy Protection Act requires opt-out before movie and other rental data is provided to 3rd party.

      4. CAN SPAM email marketers must provide opt out.

      5. DO NOT CALL rules provide the opportunity to opt out of telemarketing phone calls, both in general or on a company-by-company basis.

      6. Opt out is required for companies that subscribe to any of a number of self-regulatory systems.

2. Managing User Preference (challenges)

   1. Scope of user preference can vary.

   2. Mechanism can vary (rule of thumb is how you market user preference should be same – opt out through email not phone/mail)

   3. Linking a user’s interaction through multiple channels (person, phone/ email / web)

      1. Good practice is for the organization to implement the opt-out or other user preference across channels and platforms.

   4. Time period for implementing user preference is sometimes provided by law.

      1. CAN-SPAM Act and Telemarketing Sales Rules mandate specific time periods for processing customer preferences

   5. 3rd Party Vendors often process PI on behalf of the company that has the customer relationship.

3. Customer Access and Redress

   1. FCRA – individuals have the right to access their credit reports under FCRA and rectify incorrect data.

   2. HIPAA – medical records - Patients can access their medical records under HIPAA, with records that the patient believes are incorrect noted as such in the patient files

   3. OECD / APEC / EU-US Shield – Access in included in statements of fair information practices

4.7 Contract and Vendor Management

1. Vendor Contracts

   1. Confidentiality provision

   2. No further use of shared information

   3. Use of subcontractors-

      1. If vendor intends to use subcontractors in the collection, use, or processing of personal information, the contractor organization should require all subcontractors to follow the privacy and security protection terms in the vendor’s contract

   4. Requirement to notify and to disclose breach

   5. Information security provisions

      1. Contracts may include provisions concerning specific security controls; encryption of data in transit, on media and on portable devices; network security; access controls; segregation of data; employee background checks; audit rights

2. Vendor Due Diligence

   1. Reputation

   2. Financial condition and insurance

      1. The vendor should have sufficient resources in the case of a security breach and subsequent litigation.

      2. A current and sufficient insurance policy can protect the procuring organization in the event of a breach.

   3. Information security controls

   4. Point of transfer

      1. point of transfer between the procuring organization and the vendor is a potential security vulnerability.

   5. Disposal of information

   6. Employee training and user awareness -

      1. a vendor should have an established system for training its employees about its responsibilities in managing personal or sensitive information.

   7. Vendor incident response

   8. Audit rights

      1. Organizations should be able to monitor the vendor’s activities to ensure it is complying with contractual obligations.

4.8 Global Perspective

1. General Data Protection Regulation (GDPR)

   1. applies to companies with assets and employees in the EU, sell to EU residence, and data that is stored in EU.

   2. Key provisions

      1. Notification of security breach

      2. New requirements for processors (contractors who act on behalf of data controllers)

      3. Designation of data protection officers (DPO requirement)

      4. Accountability obligations

      5. Rule for international transfers

      6. Sanctions of up to 4% of worldwide revenues

      7. GDPR provides extensions of individual rights, including the right to be forgotten, the right to data portability, and implementation of principles of data protection by design and data protection by default.

2. Privacy Shield and Other Lawful Bases for Data Transfer

   1. Data Transfer from EU to States was US-EU Safe Harbor Program, now:

   2. Privacy Shield Framework

   3. Standard Contract Clauses (SCC)

      1. Company contractually promises to comply with EU law and submit to the supervision of an EU privacy supervisor agency.

      2. Binding Corporate Rules (BCR)

      3. Multinational company can transfer data between countries after certification of its practices by an EU privacy supervisory agency.

4.9 Conclusion