Data privacy

Information assets that contain personal details of people are classified as private or personal data. Consequently, disclosure of personal data to third parties without the consent of the data owner breaches the privacy requirements of such assets. The data owner is the individual the data is about. Data that can uniquely identify a person, or a group of persons, is called Personally Identifiable Information (PII). Legal and regulatory requirements govern the collection, storage, transmission, disclosure, retention, and destruction of personal information; references and online links to these requirements are provided in Chapter 5, Day 5 – Exam Cram and Practice Questions, of this book.

From the information security perspective, the data privacy requirement is that personal data is shared with third parties only where there is a need, only as authorized, and in a secure manner, so that PII is not disclosed to unauthorized entities while it is being shared.

During data processing, various entities may access, process, transmit, or store personal information. A set of personal details grouped together about one individual is called a record.

For example, records that contain personal information may include the following:

  • A health record that contains details of a person's physical and mental health
  • An education record that contains the marks and grades associated with a student
  • An insurance record that contains the policyholder's personal and policy information
  • An employee record that contains the Employee ID and performance data
  • A customer record that contains credit card numbers or social security numbers

Wherever such records are stored or made accessible, data privacy requirements limit who may access, process, modify, store, or transmit them.

Within personal data, some information is considered especially sensitive; the term for it is sensitive personal data.

In the USA, the Federal Trade Commission (FTC) classifies the following as sensitive consumer data:

  • Financial data
  • Data about children
  • Health information
  • Precise geographic location information
  • Social security numbers

As per the Data Protection Act 1998 of the UK, the following were considered sensitive personal data (the Data Protection Act 2018 and the UK GDPR now call these categories, together with genetic and biometric data, "special category data", and treat criminal offence data as a separate category):

  • The racial or ethnic origin of the data subject
  • His/her political opinions
  • His/her religious beliefs or other beliefs of a similar nature
  • Whether he/she is a member of a trade union
  • His/her physical or mental health or condition
  • His/her sexual life
  • The commission or alleged commission by him/her of any offence, or any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings, or the sentence of any court in such proceedings

Data owners

In the privacy context, the data owner is the individual identified by the record (also called the data subject). The owner can consent to the processing or sharing of his or her personal information by others, such as corporations. The entity that processes, stores, or transmits the information on behalf of the owner under that consent is called a licensee (the data controller, in GDPR terminology).

Data processors

When a third-party vendor is engaged by the licensee to create, receive, maintain, or transmit personal information, that vendor is called a business associate (the HIPAA term) or a data processor (the GDPR term).

There are various privacy safeguard requirements pertaining to data processors in international laws.

For example, in the USA, companies significantly engaged in financial activities (financial institutions) are required to adhere to the Gramm-Leach-Bliley Act (GLBA), including its Privacy Rule and Safeguards Rule.

Health care providers, health plans (including health insurance companies), and health care clearinghouses, collectively known as covered entities, are subject to the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Similarly, all schools and institutions that receive funds from the U.S. Department of Education are subject to the Family Educational Rights and Privacy Act (FERPA).

Under each of these laws, the legal obligations flow down to the data processors as well; HIPAA, for example, requires a business associate agreement that binds the vendor to the same safeguards.

Data remanence

Once data has been safely backed up or has passed its useful life, it needs to be deleted or purged from the digital media. Ordinary erasure, however, often does not wipe the data from the media, so the possibility of residual data remains. On most filesystems, deleting a file only removes its directory or allocation table entry and marks the blocks as free; the contents stay on the media until those blocks are overwritten by later writes. Corporations regularly dispose of systems whose digital media still contains such residual data.

Data that remains even after erasing or formatting digital media is called residual data, and the property of media to retain such data is called data remanence.

Note

Data remanence is the residual data that remains when data is not completely erased or destroyed. When the media is reused, this may result in the unauthorized disclosure of sensitive information. It is good practice to avoid media reuse by physically destroying the media completely. Where media must be reused, policies and procedures should be established to ensure that the data is completely destroyed (by overwriting, degaussing, or cryptographic erasure, as appropriate to the media type) before the media is reused.
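The following Python model is an added illustration of the mechanism described above; it is example code written for this section, not code from the book. It simulates a tiny block device with a filename-to-block allocation table (the names ToyDisk, BLOCK_SIZE and the sample record are hypothetical, chosen here): an ordinary delete drops only the table entry, so a raw scan of the medium still finds the record until the block happens to be reused, whereas overwriting the blocks before freeing them, or wiping all free space before disposal, removes it.

```python
from __future__ import annotations

# Added example (not from the book): a toy block device with an
# allocation table, showing why ordinary deletion leaves residual data
# and what sanitization has to do instead.
BLOCK_SIZE = 16  # hypothetical tiny block size, chosen for readability


class ToyDisk:
    """Simplified filesystem: raw media bytes plus an allocation table."""

    def __init__(self, n_blocks: int = 8) -> None:
        self.media = bytearray(BLOCK_SIZE * n_blocks)  # the physical medium
        self.free = list(range(n_blocks))              # unallocated block numbers
        self.table: dict[str, tuple[list[int], int]] = {}  # name -> (blocks, length)

    def _span(self, block: int) -> slice:
        return slice(block * BLOCK_SIZE, (block + 1) * BLOCK_SIZE)

    def write(self, name: str, data: bytes) -> None:
        n_blocks = max(1, -(-len(data) // BLOCK_SIZE))  # ceiling division
        if n_blocks > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(n_blocks)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.media[self._span(b)] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.table[name] = (blocks, len(data))

    def read(self, name: str) -> bytes:
        blocks, length = self.table[name]
        return b"".join(bytes(self.media[self._span(b)]) for b in blocks)[:length]

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the table entry and mark the blocks free.
        The bytes on the medium are not touched (this is the remanence)."""
        blocks, _ = self.table.pop(name)
        self.free.extend(blocks)

    def secure_delete(self, name: str) -> None:
        """Overwrite the file's blocks with zeros before freeing them."""
        blocks, _ = self.table.pop(name)
        for b in blocks:
            self.media[self._span(b)] = bytes(BLOCK_SIZE)
        self.free.extend(blocks)

    def wipe_free_space(self) -> None:
        """Overwrite every unallocated block: a free-space wipe, the step
        that should precede reuse or disposal of media that held PII."""
        for b in self.free:
            self.media[self._span(b)] = bytes(BLOCK_SIZE)

    def carve(self, needle: bytes) -> bool:
        """Forensic view: search the raw medium, ignoring the table."""
        return needle in self.media


def remanence_demo() -> dict[str, bool]:
    """Run the scenario and report what a raw-media scan finds at each step."""
    secret = b"SSN=123-45-6789"  # constructed sample PII, one block long
    results: dict[str, bool] = {}

    # 1. Normal delete: the table entry goes, the bytes stay.
    disk = ToyDisk()
    disk.write("customer.txt", secret)
    disk.delete("customer.txt")
    results["after_delete"] = disk.carve(secret)            # True

    # 2. A later unrelated write may land on a different free block,
    #    so the record can survive arbitrarily long...
    disk.write("notes.txt", b"X" * BLOCK_SIZE)
    results["after_small_rewrite"] = disk.carve(secret)     # still True
    #    ...until every free block has actually been overwritten.
    disk.write("filler.bin", b"X" * (BLOCK_SIZE * len(disk.free)))
    results["after_disk_filled"] = disk.carve(secret)       # False

    # 3. Overwrite-before-free removes it immediately.
    disk = ToyDisk()
    disk.write("customer.txt", secret)
    disk.secure_delete("customer.txt")
    results["after_secure_delete"] = disk.carve(secret)     # False

    # 4. Free-space wipe after an ordinary delete also removes it.
    disk = ToyDisk()
    disk.write("customer.txt", secret)
    disk.delete("customer.txt")
    disk.wipe_free_space()
    results["after_free_space_wipe"] = disk.carve(secret)   # False
    return results


if __name__ == "__main__":
    for step, found in remanence_demo().items():
        print(f"{step:24s} residual data found: {found}")
```

On real media the overwrite step is weaker than the model suggests: journaling filesystems may keep a copy of the data in the journal, and SSDs with wear-levelling and over-provisioning may map a host overwrite to a fresh cell and leave the old one intact. That is why the note above prefers physical destruction, and why cryptographic erasure or the drive's own sanitize command is used where media must be reused.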

Data collection limitations

Privacy laws stipulate limitations on the collection of personal data. Safeguards include the following:

  • Data should be collected by lawful and fair means
  • Data should be collected with the knowledge and consent of the subject
  • Personal data collected should be relevant to the purposes for which it is collected
  • Collected data should be accurate and kept up to date
  • Personal data should not be disclosed to other parties without the consent of the subject
  • Personal data should not be used for purposes other than those for which it was collected
  • Personal data should be safeguarded against unauthorized or inadvertent access, use, disclosure, destruction, and modification

The following are some of the important privacy-related practices and laws across the world that provide frameworks and limitations pertaining to personal data.

Generally Accepted Privacy Principles (GAPP) is a best practices document jointly developed by the American Institute of CPAs (AICPA) and Canadian Institute of Chartered Accountants (CICA).

The OECD privacy principles are the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, developed by the Organisation for Economic Co-operation and Development (OECD); the collection limitations listed above closely follow them.

In the USA, the US-EU and US-Swiss Safe Harbor Frameworks were self-certification programs (not laws) under which US companies could meet European and Swiss data protection requirements for transfers of personal data. The US-EU framework was invalidated by the Court of Justice of the European Union in 2015 and has since been replaced by successor arrangements, so the current transfer mechanism should be checked before relying on it.

Hence, from the information security perspective, data collection, use, retention, and destruction should follow these established principles and best practices.
