Protecting Personal Privacy in the Global Business Environment

In the electronic world, protecting personally identifiable information is a critical challenge
for all companies and governments.
David O. Stephens, CRM, FAI, CMC
Editor’s Note: The following is an
excerpt from David O. Stephens’ Records
Management: Making the Transition
from Paper to Electronic, published earlier this year by ARMA International.
The Information Management Journal • May/June 2007

At the Core
This article
• Describes privacy legislation in the U.S., Canada, and the EU
• Explains the U.S. “Safe Harbor” Agreement
• Provides guidelines for protecting personal data

Because records of individual customers or potential customers often have high market value, personally identifiable information has been described as the world’s new currency. With the global reach of the Internet, which makes sending personal data from one continent to another nearly instantaneous, privacy is an issue of high international concern. Via the Internet, a company located in one country with one set of privacy rules can send personal data about an individual, or a database containing millions of individual records, to another country with a different set of privacy rules.

This situation is particularly worrisome because of the globalization of business operations. When companies export their business operations abroad, they may also send sensitive customer data overseas. Once sent abroad, the company may be at liberty to market or otherwise disseminate the personal data with impunity. In countries where no laws to protect personal data exist, sensitive data relating to individuals can be sold to other parties without their consent, or it may be exposed to the risks of identity theft.

The European Union (EU) has adopted strict rules, with mechanisms for global enforcement, to mitigate these risks. Europe has the world’s most stringent set of rules governing how companies and governments must manage personal data such as age, marital status, buying patterns, and similar information. In Europe, privacy is generally viewed as a basic human right, enforceable by stringent legal protections, and the Europeans have become global leaders in setting the standards for privacy and attempting to promote them throughout the world.

In the United States (with the singular exception of California), such protections are considerably less stringent,
as business interests have generally
opposed any legislation or regulations
that restrict their ability to collect and
use or even sell or exchange personal
information at their discretion, without
government interference.
The EU’s privacy laws require retailers to obtain permission to collect data,
trade it to partners, sell it, or even use it
for their own marketing – all common
practices in the United States. European
companies are required to grant individuals open access to records and data
about them and correct any inaccuracies. The EU restricts how much information companies can collect on customers and employees and how long
they are permitted to retain it. Video
surveillance tapes, for example, must be
erased after a short period of retention.
With its high global standard of
tight restrictions on personal data, the
EU has been quite successful in influencing the adoption of privacy laws
throughout the world. EU-inspired privacy laws are now the norm in Canada,
Australia, New Zealand, and parts of
Asia and Latin America. The EU influence is also being felt in the United
States.

The EU’s Data Protection Directive

In 1998, the EU issued its Directive on Data Protection (95/46/EC). The directive was devised because some EU member states did not have privacy protection for individual citizens, while other countries had incompatible laws. To address this problem, the EU’s parliament issued its directive on data protection, which was intended to harmonize European privacy laws and afford a continent-wide standard of protection for all European citizens.

The directive’s most significant feature is that “data subjects” – persons from or about whom data is collected – must unambiguously grant their consent before such data is collected, after having been informed about the purpose(s) for which the data will be used. The directive applies to the collection, transmission, and processing of personal data, which is defined as “any information relating to an identified or identifiable natural person” residing within a member state of the EU. The directive applies to data that directly or indirectly identifies an individual, which includes a person’s name, as well as other personal data about the person, such as address, telephone number, or other information of a personal nature. However, the directive expressly forbids the collection of personal information that could be characterized as sensitive, which is defined as a person’s racial or ethnic origin, political opinions, religious beliefs, or sexual preferences.

The directive consists of regulations relating to the collecting, processing, and handling of personal data maintained within the EU, as well as personal data transferred from the EU to other countries. The directive requires that personal data be managed such that it is
• Collected for specified and legitimate purposes and not processed further
• Relevant and not excessive for the purpose collected
• Accurate and updated as necessary
• Kept in a form that permits identification of data subjects for no longer than necessary

Privacy in the United States

In sharp contrast to the situation in Europe, the United States does not have a comprehensive privacy law and, generally, has promoted industry self-regulation rather than legislation as the best means of balancing privacy interests against the demands of electronic commerce.

The Privacy Act of 1974 protects personal information about U.S. citizens captured in records maintained by agencies of the federal government, but the law has no applicability outside the federal sector. However, specific laws and regulations do apply to personal records and information – such as credit history and other financial records, telephone records, educational records, and patient medical records – maintained by certain types of businesses. For example:
• Health Information – The Health
Insurance Portability and Accountability Act of 1996 (HIPAA) and the
Privacy Rule of 2001 impose privacy
restrictions applicable to health
information, typically in the form of
patient-specific medical records.
Regulations promulgated under the
Act and Privacy Rule require regulated parties (i.e., health plans, healthcare clearinghouses, and certain
healthcare providers) to implement a
variety of privacy measures for
patients, insured parties, or other
individuals subject to protection
under the rules. These include rules
governing access to patient medical
records, requirements for patient
consent to permit the sharing or disclosure of such records, patient
recourse for privacy violations, and
other restrictions.
• Financial Information – The Gramm-Leach-Bliley Act of 1999 requires
financial services companies to
establish privacy policies and governs how customer financial data
can be shared within and between
institutions. Title V of the Act contains provisions pertaining to the
privacy of customer-specific financial records by banks and other
financial institutions. As of July
2001, financial institutions are
required to provide notice and an
opportunity for customers to opt
out of disclosures of nonpublic personal information to nonaffiliated
third parties.
The U.S. Safe Harbor Agreement
One of the main features of the EU
privacy directive is that it is designed to
ensure that corporations, including U.S.
multinational companies doing business
in Europe, do not circumvent the EU’s
data protection requirements by exporting personal data to countries that are
not subject to the EU’s privacy rules. The
directive prohibits data transfers to non-EU countries, including the United
States, unless those countries provide
adequate protection for the data.
Through this mechanism, Europe is
attempting to make its data protection
rules the enforceable global standard
for privacy. At the time of this writing,
the U.S. has not been deemed to provide adequate protection of personal
data. During the past several years,
negotiations have been continuous,
often contentious, between Europe and
the United States to seek an acceptable
compromise. To date, this has taken the
form of “safe harbor” data protections.
The U.S. Department of Commerce,
in consultation with the European
Commission, developed the Safe Harbor
Agreement by which U.S. companies can
avoid sanctions imposed by the EU if
they voluntarily embrace a somewhat less
stringent version of the EU privacy directive. Under the agreement, before personal data about European citizens may
be transferred to the United States,
American companies must promise to
handle data about EU citizens in accordance with the EU’s standards while the
data is maintained in the United States.
However, detailed provisions, including
enforcement, have yet to be worked out
between the United States and the EU.

Guidelines for RIM Privacy Compliance

• Organizations should prepare a privacy policy of enterprise-wide coverage that places appropriate restrictions on the collection, use, dissemination and disclosure, and retention of personal information.
  - Such policies should state categorically that no unauthorized use will be made of the information that conflicts with the policy in any way.
  - Breach of the organization’s privacy policies should be a disciplinary offense.
  - Deliberate breaches should be considered gross misconduct, with appropriate remedies.
• Organizations maintaining personal data should consider encryption as one means of enhancing the security of the data.
  - Encrypt records containing names, Social Security numbers, credit card numbers, and other personal data whenever possible to reduce the risk of breaches.
• All recordkeeping systems containing personal information should be systematically audited to determine the adequacy of the management controls.
  - All records eligible for disposal should be properly destroyed.
• RIM staff should determine exactly how many recordkeeping systems that contain personal data on individuals are maintained, where those files are kept, what they contain, and how the information is used, distributed, and disclosed.
  - Conduct a comprehensive and detailed inventory of all records and files containing information concerning individual employees, customers, or other persons.
• Records managers should carefully reexamine their records retention practices.
  - Retain only factual data concerning individuals and retain all such records for the minimum periods of time required to meet business needs and comply with the law.
  - Destroy all other records – particularly those containing opinions about individuals – under an approved records retention policy.

California: Leading the U.S. in Privacy

In the United States, the State of California has positioned itself at the forefront of the privacy movement. On July 1, 2004, the first online privacy law ever enacted in the United States – California’s Online Privacy and Disclosure Act of 2003 – went into effect. The new law requires all commercial entities operating in the state that collect personal information online to clearly post a privacy policy to inform citizens concerning the collection and use of data about them. In recent years, California has enacted a plethora of new privacy laws. In brief, these laws:
• Require businesses to inform customers when personal data is shared with other parties
• Require businesses to notify customers when their personal data has been exposed to a security breach
• Restrict the use of Social Security numbers as a means of identification
• Prohibit unsolicited advertising by means of fax and e-mail
• Prohibit the sending of text messaging advertising to cell phones and pagers
• Require financial institutions to obtain permission before sharing personal information with nonaffiliated companies or parties
• Prohibit businesses from obtaining medical information about individuals for marketing purposes without their consent

These California legislative initiatives are expected to be the benchmark for consideration of privacy initiatives by other U.S. states in the coming years.

Canada’s Privacy Law

Elsewhere in North America, privacy in Canada is much more in line with the European model than is the case in the United States. According to a recent study, Canadian businesses tend to view privacy practices positively – as an opportunity to improve relations with customers – while U.S. firms see privacy measures more in the context of burdensome government compliance.

Canada’s privacy law is much more similar to the EU data protection model than anything in the United States. Canada’s federal privacy law (the Personal Information Protection and Electronic Documents Act), which became fully effective in 2004, extends privacy protection to all personal data collected by companies on Canadian citizens, regardless of when the data was collected. Companies doing business in Canada must now review how they handle personal data previously collected. The law applies to all commercial activities in Canada, as defined in the trade and commerce section of the Canadian constitution. The law requires that personal information be used only for identified purposes, that disclosure be limited except where prior consent is obtained, and that data must be properly destroyed when no longer needed.

RIM Implications

Records and information management (RIM) professionals can and should play a key role in organizational privacy initiatives because privacy protection requires that organizations adopt recordkeeping practices consistent with information protection and disclosure policies, as well as relevant national and international statutes, regulations, and directives. Organizations subject to privacy or data protection issues will have to implement carefully considered RIM initiatives to comply with global standards and to minimize their legal liabilities at the same time. Recommendations for RIM compliance with privacy laws are presented on page 58.

Records managers should work with their organization’s chief privacy officer, or with other managers having responsibility for information protection and security, to ascertain the privacy status of the organization and how to comply with whatever requirements are applicable to it.

Records Management: Making the Transition from Paper to Electronic is available
for purchase at www.arma.org/bookstore.
David O. Stephens, CRM, FAI, CMC, is Director of the Records Management
Consulting Division at Zasio Enterprises Inc., a records management software and consulting firm based in Boise, Idaho, where he directs records and information consulting
studies and projects for clients in government and industry throughout the United States
and in other countries. Stephens is an internationally recognized author, speaker, and
consultant. He may be contacted at [email protected].