US Private Sector Privacy Chapter 01 Introductionv2p2 PDF
Georgia Tech, 2024

Summary: This document is a chapter from a course on privacy in the US private sector. It discusses the distinctions between personal and nonpersonal information and the various types of information assets held by organizations.
MGT 6727 (Spring Semester 2024) at Georgia Tech, Chapter 1, as of 01/05/2024. © IAPP

increased economic growth to easier communications for individuals. The unprecedented accumulation of personal data, and the resulting potential for increased surveillance, also triggered an acute interest in privacy practices and the privacy rights of individuals. A vivid image of the risk came from George Orwell's 1949 book 1984, in which the government kept citizens under surveillance at all times, warning them with the slogan "Big Brother is watching you." [32]

To prevent the creation of "Big Brother," by the late 1960s, nearly two decades after Orwell wrote his masterpiece, there were increasing demands for formal rules to govern the collection and handling of personal information. In response to this sort of concern, in 1970 the German state of Hesse enacted the first known modern data protection law. This German law was motivated in part by the growing potential of IT systems as well as a desire to prevent a recurrence of the personal information abuses that took place under Hitler's Third Reich before and during World War II. Such concerns were not confined to Germany, and over the next decade several European countries enacted national privacy laws of differing objectives and scope. In 1970, the United States passed its first national privacy law, the Fair Credit Reporting Act (FCRA), which focused solely on information about consumer credit.

1.6 Personal and Nonpersonal Information

Because information privacy is concerned with establishing rules that govern the collection and handling of personal information, an understanding of what constitutes personal information is key. A central issue to determine is the extent to which information can be linked to a particular person. This can be contrasted with aggregate or statistical information, which generally does not raise privacy compliance issues.
NOT FOR DISSEMINATION. The materials in this course are provided only for the personal use of students in this class in association with this class.

1.6.1 Personal Information

In the United States, the terms personal information and personally identifiable information (PII) are generally used to define the information that is covered by privacy laws. These definitions include information that makes it possible to identify an individual. Examples include names, Social Security numbers or passport numbers. The terms also include information about an "identified" or "identifiable" individual. For instance, street address, telephone number and email address are generally considered sufficiently related to a particular person to count as identifiable information within the scope of privacy protections. The definitions generally apply to both electronic and paper records.

Sensitive personal information is an important subset of personal information. The definition of what is considered sensitive varies depending on jurisdiction and particular regulations. In the United States, Social Security numbers and financial information are commonly treated as sensitive information, as are driver's license numbers and health information. In general, sensitive information requires additional privacy and security limitations to safeguard its collection, use and disclosure.

1.6.2 Nonpersonal Information

If the data elements used to identify the individual are removed, the remaining data becomes nonpersonal information, and privacy and data protection laws generally do not apply. [33] Similar terms used include deidentified or anonymized information. This type of information is frequently used for research, statistical or aggregate purposes. Whether the remaining data really is nonpersonal depends on whether it can still be linked back to a person, which is the question taken up in 1.6.3.
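The deidentified data just described and the pseudonymized data the chapter turns to next differ in one security-relevant property: whether anyone retains a route back to the individual, and who holds it. The following is an added example, not IAPP course material; the record layout, field names, sample rows and key are constructed for illustration. It shows irreversible removal of direct identifiers, reversible pseudonymization with a keyed token and a separately held lookup table, and why an unkeyed hash of a low-entropy identifier such as a patient number is not a pseudonym at all.

```python
"""Deidentification versus reversible pseudonymization of a record set.

Added example for this chapter, not IAPP course material. The record
layout, the field names, the sample rows and the key are all constructed
for illustration.
"""
import hashlib
import hmac
from itertools import product

# Constructed sample: a small "drug trial" table keyed by direct identifiers.
DIRECT_IDENTIFIERS = ("name", "ssn")
TRIAL_RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "dose_mg": 50, "adverse_event": False},
    {"name": "Bob Example", "ssn": "987-65-4321", "dose_mg": 50, "adverse_event": True},
    {"name": "Cara Example", "ssn": "555-12-3456", "dose_mg": 100, "adverse_event": True},
]


def deidentify(records):
    """Strip the direct identifiers and keep no mapping back.

    This is the chapter's "nonpersonal" case: the holder of the output has
    no route back to the individuals (subject to the caveat that the
    remaining fields may still be linkable by other means).
    """
    return [{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            for rec in records]


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed pseudonym.

    Returns (pseudonymized rows, lookup table). The pseudonym is an HMAC of
    the SSN under a secret key, so the same person always maps to the same
    token (rows can still be joined) while nobody without the key can
    recompute the token from a known SSN. The lookup table is the only
    route back to the person and must be held separately from the data,
    under the controller's access controls.
    """
    lookup = {}
    rows = []
    for rec in records:
        token = hmac.new(key, rec["ssn"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        rows.append({"subject_id": token, **payload})
    return rows, lookup


def reidentify(rows, lookup, predicate):
    """Reverse the pseudonymization for the rows that match predicate.

    This is the drug-trial case in the chapter: once an adverse effect is
    found, the controller uses the separately held table to recover who the
    affected subjects are.
    """
    return [lookup[row["subject_id"]] for row in rows if predicate(row)]


def unkeyed_hash(value):
    """A plain SHA-256 of an identifier, with no secret key."""
    return hashlib.sha256(value.encode()).hexdigest()


def crack_unkeyed_hash(digest, ndigits):
    """Why an unkeyed hash is not a pseudonym.

    A bare hash of a low-entropy identifier is reversed by enumerating the
    identifier space. Here a constructed ndigits-digit patient number is
    recovered by brute force; a nine-digit SSN is only 10**9 guesses.
    """
    for digits in product("0123456789", repeat=ndigits):
        candidate = "".join(digits)
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # held by the controller, never shipped with the rows
    rows, lookup = pseudonymize(TRIAL_RECORDS, key)
    print("pseudonymized:", rows)
    print("affected subjects:", reidentify(rows, lookup, lambda r: r["adverse_event"]))
    print("deidentified:", deidentify(TRIAL_RECORDS))
    print("cracked patient number:", crack_unkeyed_hash(unkeyed_hash("4242"), 4))
```

The lookup table, not the token, is what makes the data reversible, so it is the asset that needs the tightest controls. Keeping the rows and the table in the same place, or replacing the keyed HMAC with a hash anyone can recompute, turns "pseudonymized" data back into personal information.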
"Pseudonymized" data exists where information about individuals is retained under pseudonyms, such as a unique numerical code for each person, that render the data temporarily nonpersonal. Pseudonymized data can be reversed, reidentifying the individuals. This reversibility can be important in certain situations, for instance in a drug trial where the medicine is discovered to have adverse side effects. [34]

1.6.3 The Line between Personal and Nonpersonal Information

The difference between personal and nonpersonal information depends on what is identifiable. The line between these two categories is not always clear, and regulators and courts in different jurisdictions may disagree on what counts as personal information.

Other Information Assets of an Organization

As part of their normal activities, organizations also may collect and generate information that by its nature would not be considered personal information but is nevertheless a key part of the information assets of the organization. Examples of such information include:

• Financial data
• Operational data
• Intellectual property
• Information about the organization's products and services

Though not personal information, such information needs to be protected and secured to ensure its confidentiality.

As an example of how different regimes have defined the line between personal and nonpersonal information, consider the internet protocol (IP) address, the number that identifies a computer or other device (strictly, its network interface) in communications over the internet. The EU generally considers IP addresses "personal data," taking the view that IP addresses are identifiable. [35] In the United States, federal agencies operating under the Privacy Act do not consider IP addresses to be covered by the statute. [36] The FTC, an independent agency in the United States, has stated, however, that in connection with breaches of healthcare information, IP addresses are personal information. [37]
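Whether an IP address is identifiable, the question the EU, the Privacy Act agencies and the FTC answer differently above, is partly a technical one: the chapter notes below that IPv6 can build an address from information about the computer. The following is an added example, not IAPP course material, of that mechanism (the EUI-64 interface identifier used by stateless address autoconfiguration). The prefixes and the MAC address are constructed, using the reserved documentation prefix 2001:db8::/32.

```python
"""What an IPv6 address can reveal about the device behind it.

Added example for this chapter, not IAPP course material. The prefixes and
MAC address used below are constructed (documentation prefix 2001:db8::/32).
"""
import ipaddress


def mac_to_modified_eui64(mac):
    """Build the 64-bit interface identifier that stateless address
    autoconfiguration derives from a 48-bit MAC (RFC 4291, Appendix A):
    flip the universal/local bit of the first octet and insert 0xFFFE
    between the vendor half and the device half."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a MAC of six colon-separated hex octets")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 identifier, as a host using
    EUI-64-based autoconfiguration does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    packed = net.network_address.packed[:8] + mac_to_modified_eui64(mac)
    return str(ipaddress.IPv6Address(packed))


def embedded_mac(address):
    """Recover the MAC embedded in an EUI-64 style IPv6 address.

    Returns None when the interface identifier does not carry the FFFE
    marker, which is what you see for RFC 4941 temporary ("privacy
    extension") addresses and RFC 7217 stable-opaque identifiers. The
    marker is a heuristic: a random identifier contains FFFE in that slot
    by chance about 1 time in 65,536, so treat a hit as likely, not certain.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def is_universally_administered(mac):
    """True when the U/L bit says the MAC is a vendor-assigned address, the
    kind a device carries for life and that identifies it on every network
    it joins (a locally administered, randomized MAC has the bit set)."""
    first = int(mac.split(":")[0], 16)
    return (first & 0x02) == 0


if __name__ == "__main__":
    # Constructed: one device with MAC 00:1a:2b:3c:4d:5e joins two networks.
    mac = "00:1a:2b:3c:4d:5e"
    for prefix in ("2001:db8:1:2::/64", "2001:db8:ffff:9::/64"):
        addr = slaac_address(prefix, mac)
        print(addr, "->", embedded_mac(addr))
    # A privacy-extension style address yields nothing.
    temp = "2001:db8:1:2:a1b2:c3d4:e5f6:718"
    print(temp, "->", embedded_mac(temp))
```

A device that forms its addresses this way carries the same 64-bit identifier onto every network it joins, so its traffic can be linked across networks and over time even though the prefix changes. The function returns None for the randomized identifiers that privacy extensions (RFC 4941) produce, which is the mitigation most current operating systems enable.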
For the privacy professional, it is important to check the line between personal and nonpersonal information for the appropriate regulatory regime.

Assessing an Organization's Personal Information Responsibilities

The line between personal and nonpersonal information illustrates a critical first step in assessing an organization's personal information responsibilities: determining whether the organization is covered by a law or other obligation. With globalization, information privacy professionals may need to determine when the laws of a particular jurisdiction apply. In addition, some laws apply only to particular sectors or types of information. The Health Insurance Portability and Accountability Act (HIPAA) in the United States, for instance, applies only to certain organizations ("covered entities") and certain information ("protected health information").

Changes in technology can also shift the line between personal and nonpersonal information. For instance, historically, IP addresses were usually "dynamic": individuals would generally get a new IP address assigned by their internet service provider each time they logged on to the internet. Over time, more individuals have had "static" IP addresses, which stay the same for each computer device, linking the device more closely to an identifiable person. [38] The increasingly used version of the internet protocol (IPv6) employs a new numbering scheme in which a device configuring its own address can derive part of that address from its hardware (MAC) address, making it even easier to link devices (including smartphones) and their users. Many current operating systems counter this with "privacy extensions" that generate random, periodically changing identifiers instead, so whether a given IPv6 address identifies a device depends on how the device was configured.

1.7 Sources of Personal Information

Sometimes the same information about an individual is treated differently based on the source of the information.
To illustrate this point, consider three sources of personal information: public records, publicly available information, and nonpublic information.

1. Public records consist of information collected and maintained by a government entity and available to the public. These government entities include the national, state or provincial, and local governments. Public records laws vary considerably across jurisdictions. [39]
2. Publicly available information is information that is generally available to a wide range of persons. Some traditional examples are names and addresses in telephone books and information published in newspapers or other public media. Today, search engines are a major source of publicly available information.
3. Nonpublic information is not generally available or easily accessed due to law or custom. Examples of this type of data are medical records, financial information, and adoption records. A company's customer or employee database usually contains nonpublic information.

Organizations should be alert to the possibility that the same information may be public record, publicly available, and nonpublic. For example, a name and address may be a matter of public record on a real estate deed, publicly available in the telephone book, and included in nonpublic databases, such as in a healthcare patient file. To understand how to handle the name and address, one must understand the source that provided it: restrictions may apply to use of the name and address in the patient file, but not to public records or publicly available information.

1.8 Processing Personal Information

As previously introduced, almost anything that someone may do with personal information might constitute processing under privacy and data protection laws.
The term processing refers to the collection, recording, organization, storage, updating or modification, retrieval, consultation, and use of personal information. It also includes the disclosure by transmission, dissemination or making available in any other form, linking, alignment or combination, blocking, erasure, or destruction of personal information. The following common terms, first widely used in the EU, apply to data processing:

• Data subject is the individual about whom information is being processed, such as the patient at a medical facility, the employee of a company, or the customer of a retail store.
• Data controller is an organization that has the authority to decide how and why personal information is to be processed. This entity is the focus of most obligations under privacy and data protection laws: it controls the use of personal information by determining the purposes for its use and the manner in which the information will be processed. [40] The data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership.
• Data processor is an individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller. Under the HIPAA medical privacy rule, these data processors are called business associates. A data controller might not have the employees or expertise in-house to do some types of activities, or might find it more efficient to get assistance from other organizations. For instance, a data controller may hire another organization to do accounting and back-office operations.
The first data processor, in turn, might hire other organizations to act as data processors on its behalf, for example if a company providing back-office operations hired a subcontractor to manage its website. Each organization in the chain, from data controller to data processor to any subsequent data processor acting on behalf of the first, is expected to act in a trusted way, doing operations that are consistent with the direction of the data controller. The data processors are not authorized to do additional data processing outside the scope of what is permitted for the data controller itself.

1.9 Sources of Privacy Protection

There is no single approach to protecting privacy and security. Rather, privacy protection is derived from several sources: market forces, technology, legal controls, and self-regulation.

• Markets. The market can be a useful way of approaching privacy protection. When consumers raise concerns about their privacy, companies respond. Businesses that are brand sensitive are especially likely to adopt strict privacy practices to build up their reputations as trustworthy organizations. In turn, this can create market competition, spurring other companies to also implement privacy practices in their operations.
• Technology. Technology also can provide robust privacy protection. The rapid advancement of technology such as encryption provides people with new and advanced means of protecting themselves. Even if privacy protection from law or market forces is weak, information privacy and security best practices can remain strong.
• Law. Law is the traditional approach to privacy regulation. However, simply enacting more laws does not necessarily result in better privacy and security. Laws may not be well drafted and may be poorly enforced. Laws should be understood as one very important source of privacy protection, but in practice, actual protection also depends on markets, technology and self-regulation.
• Self-regulation and co-regulation. Self-regulation (and the closely related concept of co-regulation) is a complement to law that comes from the government. The term self-regulation can refer to any or all of three components: legislation, enforcement and adjudication. Legislation refers to the question of who defines privacy rules. For self-regulation, this typically occurs through the privacy policy of a company or other entity, or through an industry association. Enforcement refers to the question of who should initiate enforcement action. Actions may be brought by data protection authorities (DPAs), other government agencies, industry code enforcement, or, in some cases, the affected individuals. Finally, adjudication refers to the question of who should decide whether an organization has violated a privacy rule. The decision-maker can be an industry association, a government agency, or a judicial officer. Thus, the term self-regulation covers a broad range of institutional arrangements. For a clear understanding of data privacy responsibilities, privacy professionals should consider who defines the requirements, which organization brings enforcement action, and who actually makes the judicial decisions.

1.10 World Models of Data Protection

As of the writing of this book, more than 160 countries have privacy or data protection regimes, and more than half of them first enacted such laws after the year 2000. [41] In varying degrees, the different data protection models around the world all draw upon law, markets, technology and self-regulation as sources for privacy protection.
[42] Comprehensive data protection laws are those in which the government has defined requirements throughout the economy. Sectoral laws, by contrast, such as those in the United States, exist in selected market segments, often in response to a particular need or problem. The scope of data protection laws, as described above, varies depending on how much the specific country relies on government laws versus industry codes and standards. The various data protection models used globally also differ in enforcement and adjudication. Each regime falls along a continuum, with clearly defined legislative, enforcement and adjudication mechanisms established by the government at one end and no stated, defined baseline at the other. In practice, no regime is so comprehensive that all laws are written, enforced and adjudicated by the government; conversely, even the United States, which is often used as an example of a less regulatory-oriented regime, has written numerous privacy laws. Some of the most common data protection models in use today are comprehensive and sectoral frameworks, co-regulatory or self-regulatory models, and the technology-based model. Following are the basic approaches, along with major arguments for and against each.

1.10.1 Comprehensive Model

Comprehensive data protection laws govern the collection, use and dissemination of personal information in the public and private sectors. [43] Generally speaking, a country that has enacted such laws hosts an official or agency responsible for overseeing enforcement. [44] This official or agency, often referred to as a DPA in Europe, ensures compliance with the law and investigates alleged breaches of the law's provisions.
In many countries, the official also bears responsibility for educating the public on data protection matters and acts as an international liaison for data protection issues. Enforcement and funding are two critical issues in a comprehensive data protection scheme. Data protection officials are granted varying degrees of enforcement power from country to country. Further, countries choose to allocate varying levels of resources to the enforcement of data protection laws, leaving some countries inadequately funded to meet the laws' stated goals.

Over time, countries have adopted comprehensive privacy and data protection laws for a combination of at least three reasons: [45]

1. Remedy past injustices. A number of countries, particularly those previously subject to authoritarian regimes, have enacted comprehensive laws as a means to remedy past privacy violations. For instance, Germany is widely regarded as having one of the strictest privacy regimes. At least part of the reason is likely a reaction to its history during the Nazi regime and under the heavy surveillance by the Stasi (Ministry of State Security) in East Germany before the two parts of Germany were reunified in 1990.
2. Ensure consistency with European privacy laws. As discussed later in the book, the General Data Protection Regulation (GDPR) in the EU limits transfer of personal data to countries that lack "adequate" privacy protections. [46] Some countries passed privacy laws as part of the process of joining the EU. Other countries have enacted privacy laws at least in part to prevent any disruption in trade with EU countries.
3. Promote electronic commerce. Countries have developed privacy laws to provide assurance to potentially uneasy consumers engaged in electronic commerce.

Critics of the comprehensive approach express concern that the costs of the regulations can outweigh the benefits. One-size-fits-all rules may not address risk well.
If the rules are strict enough to ensure protection for especially sensitive data, such as medical data or information that can lead to identity theft, that same level of strictness may not be justified for less sensitive data. Along with the strictness of controls, comprehensive approaches can involve costly paperwork, documentation, audit and similar requirements even for settings where the risks are low.

A different critique of comprehensive regimes is that they may provide insufficient opportunity for innovation in data processing. With the continued evolution of IT, individuals have access today to many products and services that were unimaginable a decade or two ago, from smartphones to social networks and the full range of services that have developed since the internet emerged in the 1990s. To the extent that comprehensive laws may discourage the emergence of new services involving personal information or require prior approval from regulators, the pace and diversity of technological innovation may slow.

1.10.2 Sectoral Model (United States)

This framework protects personal information by enacting laws that address a particular industry sector. [47] For example, in the United States, different laws delineate conduct and specify the requisite level of data protection for video rental records, consumer financial transactions, credit records, law enforcement, and medical records. In a comprehensive model, laws addressing specific market segments may also be enacted to provide more specific protection for data particular to that segment, such as the healthcare sector.
Supporters of the sectoral approach emphasize that different parts of the economy face different privacy and security challenges; it is appropriate, for instance, to have stricter regulation for medical records than for ordinary commerce. Supporters also underscore the cost savings and lack of regulatory burden for organizations outside of the regulated sectors.

Critics of the sectoral approach express concern about the lack of a single DPA to oversee personal information issues. They also point out the problems of gaps and overlaps in coverage. Gaps can occur when legislation lags technological change, and unregulated segments may suddenly face privacy threats with no legislative guidance. Whereas laws under the comprehensive approach apply to new technologies, there are no similar governmental rules under the sectoral approach until the legislature or other responsible body acts. As a recent example, drones are becoming more common in the United States, but there have not been any national privacy rules governing surveillance by drones. Moreover, there can be political obstacles to creating new legislation if industry or other stakeholders oppose such laws.

An example of a gap being filled is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which introduced a breach notification requirement for vendors of personal health records. These vendors were not "covered entities" under HIPAA. The new law addressed a gap where entities not traditionally involved in healthcare offered services involving the collection and use of large volumes of healthcare information.

Similarly, overlaps can exist in a sectoral approach. For instance, HIPAA-covered entities such as medical healthcare providers are subject to enforcement either by the U.S. Department of Health and Human Services (HHS) under HIPAA or by the FTC under its general authority to take action against unfair and deceptive practices.
As the boundaries between industries change over time, previously separate industries can converge, potentially leading to different legal treatment of functionally similar activities.

1.10.3 The Co-Regulatory and Self-Regulatory Models

Co-regulation and self-regulation are quite similar, with co-regulation generally referring to laws such as those in Australia, [48] which are closer to the comprehensive model, and self-regulation generally referring to approaches such as those in the United States, where there is no general federal law applying to personal information. [49] Under both approaches, a mix of government and nongovernment institutions protects personal information.

The co-regulatory model emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements set by the government. Co-regulation can exist under both comprehensive and sectoral models. One U.S. example is the Children's Online Privacy Protection Act (COPPA), which allows compliance with industry codes to count as compliance with the statute once the codes have been approved by the FTC.

The self-regulatory model emphasizes creation of codes of practice for the protection of personal information by a company, industry or independent body. In contrast to the co-regulatory model, there may be no generally applicable data protection law that creates a legal framework for the self-regulatory code. [50] A prominent example that affects the wide range of businesses that process credit card data is the Payment Card Industry Data Security Standard (PCI DSS), which enhances cardholder data security and facilitates the broad adoption of consistent data security measures globally.
Seal programs are another form of self-regulation. A seal program requires its participants to abide by codes of information practices and submit to some variation of monitoring to ensure compliance. [51] Companies that abide by the terms of the seal program are then allowed to display the program's privacy seal on their website. Seal programs recognized by the FTC under COPPA are Aristotle International Inc., Children's Advertising Review Unit (CARU), Entertainment Software Rating Board (ESRB), iKeepSafe, kidSAFE, PRIVO, and TrustArc (formerly TRUSTe). [52]

Supporters of a self-regulatory approach tend to emphasize the expertise of the industry to inform its own personal information practices, and thus use the most efficient ways to ensure privacy and security. [53] Self-regulatory codes may also be more flexible and quick to adjust to new technology without the need for prior governmental approval.

Critics of the self-regulatory approach often express concerns about adequacy and enforcement. Industry-developed codes can provide limited data protection and may not adequately incorporate the perspectives and interests of consumers and other stakeholders who are not part of the industry. The strength of enforcement can also vary. In some cases, where an organization has signed up for a code, any violation is treated just like a violation of a statute. In others, however, penalties can be weak, and there may be no effective enforcement authority.

An alternative worth considering to the protections that arise from an organization's administrative compliance with laws or self-regulatory codes is a technology-based model. Individuals and organizations in some settings can use technical measures that reduce the relative importance of administrative measures for overall privacy protection. For example, global web email providers such as Google and Microsoft have increased their use of encryption for mail in transit, both between the user and the service and between mail servers. Note what such encryption does and does not do: it protects messages from interception on the network, but the provider itself still holds the mail in readable form, so administrative safeguards at the provider remain relevant.
Chapters 4 and 5 further discuss the interrelated roles of technical, administrative and physical safeguards for personal information.

1.11 Conclusion

This chapter introduced key terminology about privacy and data protection laws and policies. It traced the history of these topics and the continued growth of legal requirements to accompany the evolution of IT since the 1960s. As legal requirements have increased, the number of data protection and privacy professionals has grown rapidly, and their role has expanded in many organizations. Similar but not identical forms of Fair Information Practices (FIPs) have been the basis of privacy and data protection laws in numerous countries around the globe. This chapter also introduced the reader to the legal and policy structures for privacy and data protection around the world. The key models of privacy protection were examined: the comprehensive, sectoral, self-regulatory or co-regulatory, and technology models.

Notes

1. Samuel Warren and Louis Brandeis, "The Right to Privacy," Harvard Law Review 4, no. 5 (December 15, 1890): 193, http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html. There are numerous sources of legal privacy, including tort privacy (Warren and Brandeis's original conception), Fourth Amendment privacy, First Amendment privacy, fundamental-decision privacy and state constitutional privacy.