PRIVACY AND RECORDS MANAGEMENT - PowerPoint PPT Presentation

Provided by: susanmc3
Learn more at: https://armanebraska.org

Transcript and Presenter's Notes



1
PRIVACY AND RECORDS MANAGEMENT
  • How to Protect Your Organization and Yourself

Susan McKinney, CRM, University of Minnesota
2
WHAT IS PRIVACY?
  • Privacy is the right to be left alone - the most
    comprehensive of rights, and the right most
    valued by a free people.
  • Justice Louis Brandeis
  • Olmstead v. United States (1928)

3
WHAT IS PRIVACY?
  • Privacy is the condition which obtains to the
    degree that new information about one's self is
    not acquired by others.
  • Shaun MacNeill
  • The Dalhousie Review, V. 78 No. 3

4
WHAT IS PRIVACY?
  • The right to privacy is the right not to be
    surprised.
  • Seth Goldin

5
WHAT IS PRIVACY?
  • individuals, groups, or institutions have the
    right to control, edit, manage, and delete
    information about themselves and decide when,
    how, and to the extent that information is
    communicated to others.
  • Dr. Alan Westin
  • Privacy and Freedom

6
WHAT IS PRIVACY?
  • Privacy is the collection of fears related to the
    use of information and includes identity theft,
    telemarketing calls, credit decisions, etc.

7
HISTORICAL REFERENCE
  • 1787 - Census conducted every 10 years
  • 1889 - Census data automated by use of punch
    cards.
  • 1890 - Samuel Warren and Louis Brandeis article
    in Harvard Law Review that privacy was under
    attack by recent inventions and business
    methods.

8
HISTORICAL REFERENCE
  • 1936 - Social Security Administration assigns
    workers a Social Security Number
  • 1943 - Federal agencies required to use SSN to
    identify people, rather than creating own system
  • 1956 - Social Security Administration changes
    over from punch cards to electronic data
    processing with IBM 705

9
HISTORICAL REFERENCE
  • 1960s - States and businesses begin to automate
    and use SSN as identification, especially credit
    bureaus which had become more common
  • 1970 - Fair Credit Reporting Act
  • 1973 - Richardson Report created a Code of Fair
    Information Practices
  • 1995 - European Union Data Protection Directive
  • 1990s - Privacy becomes a larger issue as laws
    both restricting and protecting privacy are
    passed

10
WHY IS PRIVACY IMPORTANT?
  • Legally Mandated
  • Important to Employees, Customers and
    Stakeholders
  • Public Perception
  • News Coverage

11
LEGALLY MANDATED
  • Electronic Communications Privacy Act
  • Gramm-Leach-Bliley
  • Health Insurance Portability and Accountability
    Act
  • Family Educational Rights and Privacy Act
  • Children's Online Privacy Protection Act
  • Fair Credit Reporting Act
  • Identity Theft and Assumption Deterrence Act
  • Privacy Act of 1974

12
ELECTRONIC COMMUNICATIONS PRIVACY ACT
  • Enacted in 1986
  • Extended federal wiretapping law protection to
    electronic communications
  • Includes email, cordless and cell phones, pagers,
    satellite communications and computer-to-computer
    communications.
  • Illegal to intercept and/or disclose electronic
    communications

13
GRAMM-LEACH-BLILEY
  • Enacted in 1999
  • Requires any organization engaged in banking
    activities to have a policy in place to protect
    non-public customer information collected and
    stored as part of those banking activities
  • Requires notification of policies for collecting
    and sharing non-public information.
  • Customers must be given opportunity to opt-out of
    having their information shared.
  • Mandates implementation of information security
    program

14
HIPAA
  • Passed in 1996, and included deadlines for
    compliance
  • Created new rights for individuals regarding
    their health information
  • Regulates how health information can be used and
    shared with others
  • Gives individuals the right to see, copy and
    correct their health information

15
FERPA
  • Enacted in 1974
  • Sets forth requirements regarding the privacy of
    student records
  • School officials may not disclose personally
    identifiable information about students without
    their permission
  • Students must be allowed to inspect their own
    records

16
COPPA
  • Enacted in 1998
  • First U.S. Law imposing privacy obligations
    specifically on Web site operators
  • Applies to web sites that target children
  • Web sites must provide parents with notice of
    their privacy policies and post a link to the
    notice on each page where information on children
    is collected

17
FAIR CREDIT REPORTING ACT
  • Enacted in 1970
  • Passed to address accuracy, privacy and fairness
    in credit reporting bureaus and other consumer
    reporting agencies
  • Gives specific rights to consumers such as
    ability to read and get list of who accessed
    file, sets up a dispute process, sets up time
    limits for reporting information in file, etc.

18
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
  • Also known as PCIDSS
  • 12 Security Standard requirements
  • Became Industry Standard in 2004
  • Required of all merchants and service providers
    that store, process, or transmit Visa cardholder
    data and applies to all payment channels,
    including retail (brick-and-mortar),
    mail/telephone order, and e-commerce

19
PCIDSS CONTROL OBJECTIVES
  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Program
  • Implement Strong Access Control Measures
  • Monitor and Test Networks
  • Maintain an Information Security Policy

20
IDENTITY THEFT AND ASSUMPTION DETERRENCE ACT
  • Enacted in 1998
  • Criminalized identity theft
  • Prohibits unauthorized, knowing transfer or use
    of another person's identification with the
    intent to commit an unlawful act

21
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003
  • Account numbers on credit card transaction slips
    must be shortened
  • Standards for disposal of consumer information

22
PRIVACY ACT OF 1974
  • First Articulations of Fair Information Practices
  • Addresses government records and disclosure
  • Federal agencies prohibited from disclosing
    information about people except for their
    publicly announced purposes
  • Must give you access to information held about
    you and allow you to challenge contents
  • Required to collect only the minimal amount of
    information necessary

23
FAIR INFORMATION PRACTICE PRINCIPLES
  • Notice/Awareness
  • Choice/Consent
  • Access/Participation
  • Integrity/Security
  • Enforcement/Redress

24
OTHER FEDERAL LAWS
  • Employee Polygraph Protection Act
  • Cable Communications Privacy Act
  • Video Privacy Protection Act
  • Driver's Privacy Protection Act
  • U.S. Patriot Act
  • Census Confidentiality Act
  • Freedom of Information Act
  • Mail Privacy Statute
  • Paperwork Reduction Act of 1980
  • Tax Reform Act of 1976

25
INTERNATIONAL PRIVACY LAWS AND DIRECTIVES
  • European Union Directive
  • Canada - Personal Information Protection and
    Electronic Documents Act 11
  • United Kingdom - Data Protection Act of 1998
  • Many countries have Privacy Commissioners that
    implement the EU Directive

26
EUROPEAN UNION DIRECTIVE
  • EU Directive on the Protection of Individuals
    With Regard to the Processing of Personal Data
    and on the Free Movement of Such Data
  • Governs the Protection of data about individuals
    who reside in the European Union
  • Required EU member states to pass national
    privacy laws implementing the Directive

27
EUROPEAN UNION DIRECTIVE
  • Required that data about EU citizens not be
    transferred to a country that did not have
    adequate data protection rules.
  • Applies to all processing of personal information
    by public and private organizations
  • Covers information by entities owned or
    affiliated with U.S. companies that process data
    within the EU

28
E.U. DIRECTIVE
  • Personal Data must be:
  • Processed fairly and lawfully
  • Collected for specified, explicit, and legitimate
    purposes
  • Adequate, relevant, and not excessive in relation
    to the purposes for which they are collected
  • Accurate and, where necessary, kept up to date
  • Kept in a form that permits identification of
    data subjects for no longer than is necessary

29
E.U. DIRECTIVE
  • Scope of the protection must not in effect depend
    on the techniques used, otherwise this would
    create a serious risk of circumvention
  • This means that the E.U. Directive covers
    structured manual filing systems that form part
    of a filing system

30
SAFE HARBOR
  • Operational in 2000
  • Negotiated between E.U. and U.S.
  • Allows companies to self-certify that they will
    adhere to a set of privacy principles.
  • Subscribers to this agreement certify that they
    provide notice, choice, access, security, data
    integrity and onward transfer guarantees similar
    to EU law.

31
SAFE HARBOR
  • Required to register annually with the U.S.
    Department of Commerce
  • Claims brought against U.S. companies generally
    heard in U.S. Courts
  • Privacy policies must contain a statement that
    they belong to Safe Harbor

32
7 SAFE HARBOR PRINCIPLES
  • Notice
  • Choice
  • Onward Transfer - transfer to third party
  • Security
  • Data Integrity
  • Access
  • Enforcement

33
CANADA
  • Personal Information Protection and Electronic
    Documents Act 11
  • Enacted in 2001
  • Protects all data on Canadian citizens regardless
    of when it was collected
  • Applies to all commercial activities and applies
    to all personal information including information
    on employees
  • Does not apply to provincial public sector,
    municipalities or universities

34
WHAT IS PRIVATE INFORMATION?
  • Personally Identifiable Information (PII)
  • First and Last Name
  • Physical Address
  • Email address
  • Phone number
  • Social Security Number
  • IP Address
  • Cookie or Processor Serial Number
  • Combination of the above information

35
PERSONALLY IDENTIFIABLE INFORMATION
  • Fingerprint
  • Credit Card Number
  • Medical Records
  • Driver License Number
  • Photograph

36
DEMOGRAPHIC DATA
  • Age
  • Gender
  • Eye Color
  • Marital Status
  • Employment Status
  • Occupation
  • Whether you have children
  • Whether you have pets
  • Kind of Car you drive
  • Yearly income

37
WHY IS PRIVACY IMPORTANT?
  • Once the ability to combine and correlate data -
    once large databases could be searched, indexed,
    and connected over a network - once the ability
    to gather information from more than one source,
    correlate it to form a picture, and use it - once
    the ability to instantaneously transmit personal
    information anywhere in the world - this changes
    the perception of the privacy problem.

38
PRIVACY CONCERNS OF CUSTOMERS
  • Information provided to others without their
    permission
  • Transactions may not be secure
  • Hackers can steal personal information
  • System security

39
PRIVACY AND RECORDS MANAGEMENT
  • Privacy Policies and Statements
  • Privacy Incidents
  • Records and Information Management

40
PRIVACY POLICIES AND STATEMENTS
  • Web Privacy Policies
  • Organization Privacy Practices

41
PRIVACY INCIDENTS
  • Privacy-related event with potentially negative
    consequences
  • Costs
  • Scrutiny and Media Glare
  • Settlement Cost
  • Coping Cost
  • Fines and other costs

42
PRIVACY INCIDENTS
  • Security Breach
  • External Attack
  • Internal Attack
  • Configuration Error
  • Privacy Incident can be a violation of privacy
    policies or just poor judgement

43
PRIVACY INCIDENTS
  • Many states now have Disclosure Notification
    Laws, which mandate that companies that have a
    breach of security must notify those affected.
  • Several bills in the Senate and House are pending
    that would nationalize disclosure notification
    laws.

44
FEDERAL TRADE COMMISSION
  • Federal Trade Commission Act of 1914, section
    5(a)
  • Unfair or deceptive acts or practices in or
    affecting commerce are declared unlawful
  • 1998 - FTC reiterated basic data privacy
    principles in the context of the internet when it
    provided "Privacy Online: A Report to Congress"

45
FEDERAL TRADE COMMISSION
  • Companies that promise to keep personal
    information secure must follow reasonable and
    appropriate measures to do so.
  • FTC considers privacy policies posted on company
    web sites to be equally applicable to the
    company's off-line data collection, use and
    disclosure practices unless clearly stated that
    they apply only to on-line activity

46
INFORMATION MANAGEMENT
  • Privacy issues typically involve information
  • Records Management knows the most about the
    information in an organization
  • How do we take advantage of this opportunity?

47
U.S. SAFE WEB ACT OF 2005
  • Enables the FTC to assist foreign governments in
    criminal investigations related to fraudulent and
    deceptive commercial practices.

48
RECORDS MANAGEMENT AND PRIVACY
  • Survey to determine what federal, state and
    international laws apply to organization
  • Survey to determine what information is collected
    on individuals, including employees and customers
  • Survey to determine how that information is used
    and when it is destroyed

49
RECORDS MANAGEMENT AND PRIVACY
  • Retention Schedules that respond to privacy
    concerns
  • Privacy awareness within the organization as it
    relates to the use of information, e.g. Email
  • Privacy awareness within the organization as it
    relates to the storage of information
  • Privacy awareness within the organization as it
    relates to destruction of information

50
RECORDS MANAGEMENT AND PRIVACY
  • Privacy requirements apply to ALL information,
    not just that collected on-line
  • Many privacy requirements require that
    information is destroyed when no longer necessary
  • Many privacy requirements require that we
    understand completely how the information is
    collected, where it goes, who has access, and how
    it is protected - basically a data map of the
    data.

51
SUMMARY
  • Privacy in the Information Age is a
    Work-In-Progress
  • Additional privacy legislation will be passed at
    the Federal and State levels
  • Privacy will continue to be important in every
    aspect of our lives

52
Wrap Up
53
  • Susan McKinney, CRM
  • University of Minnesota
  • Records Information Management
  • 502 Morrill Hall
  • 100 Church St. SE
  • Minneapolis, MN 55455
  • (612) 625-3497
  • susanmckinney_at_mail.ogc.umn.edu