Data Privacy Primer: Regulations & Risks

November 8, 2021

Privacy Background

What is this concept of “privacy” we hear so much about in today’s news? Where did privacy originate, and why does it matter? In this article we will define privacy, discuss its importance and review some applicable laws.

The modern-day concept of privacy is often attributed to Samuel Warren and Louis Brandeis’ 1890 essay “The Right to Privacy,” in which they acknowledge “the right to be let alone” in their argument that existing laws facilitate individual privacy protections. Privacy is generally defined as the right to be let alone, or freedom from interference or intrusion. The International Association of Privacy Professionals defines information privacy as “the right to have some control over how your personal information is collected and used.” However, the meaning of privacy may vary depending on an individual’s, organization’s or country’s perspective. For some, privacy means being protected from data breaches or identity fraud. For others, privacy is a fundamental right related to personal and family life, home and correspondence.

When we refer to privacy, we are referring to those elements comprising personally identifiable information (PII). Examples include, but are not limited to, name, date of birth, physical address, phone number, Social Security number, financial account numbers (e.g., bank account and credit card numbers) and protected health information. Privacy principles created and defined by the Organization of Economic Cooperation and Development in 1980 form the backbone of privacy laws and privacy protection frameworks worldwide. The following elements of these principles are found throughout most privacy regulations:

   Collection Limitation: Data collection should only take place with knowledge and consent of the affected individual or data subject.

   Data Quality: Information should only be collected which is relevant and accurate for a particular purpose.

   Individual Participation: An individual should be aware that their information has been collected and be able to access it.

   Purpose Specification: The intended use of personal data must be known at time of collection, and data should not be arbitrarily collected.

   Use Limitation: Collected data is to be used only for purposes specified at time of collection, not broader future use. Consent should be secured from data subjects for use of data for other purposes.

   Security Safeguards: Reasonable measures must be taken to protect data from unauthorized use, destruction, modification or disclosure. Most laws reference reasonable and appropriate security measures based on risk determination rather than perfection.

   Openness: Data subjects should be able to contact the entity collecting or storing their information to ascertain types of data collected.

   Accountability: Data collectors should be accountable for adhering to these principles. Ideally, there should be a person in the organization dedicated to ensuring privacy principles are followed. The concept of a data protection or privacy officer originated with this principle.

Defining Key Concepts

While data privacy focuses on the use and governance of PII, data security focuses on protecting PII from malicious attacks and improper disclosure. Privacy cannot be protected without an associated security component.

Privacy professionals frequently reference Privacy by Design, a proactive and intentional approach where privacy is the default in technology system design and is considered at the earliest stage¹. As opposed to an ad hoc approach, where privacy discussions take place in later stages of system development, the Privacy by Design framework is applied to the data life cycle from creation through collection, storage, archiving, de-identification and deletion.

PII processing refers to any operation or set of operations performed on personal data whether or not by automated means. It can refer to data collection, recording, storage, retrieval and erasure.

With these definitions in hand, let’s explore why privacy is important in today’s world.

Importance of Privacy

An individual’s privacy is a fundamental right and is closely connected to human dignity. It is the foundation on which other human rights are built. Privacy protects against the abuse of power by limiting what can be ascertained about individuals and providing shelter from those who may wish to exert control. Ensuring individual privacy protects us from the arbitrary and unjustified use of power by states, companies and other actors.

However, data is an increasingly valuable asset. With the rise of the data economy, organizations and nation-states have found significant value in collecting, sharing and using data. Companies like Amazon, Facebook and Google have built their organizations on data². Collecting data provides organizations with the power to explain, predict and even control behavior. This is particularly valuable for advertising and marketing endeavors. For example, Netflix uses data analytics for targeted advertising. With over 100 million subscribers, Netflix collects large volumes of data. If you are a subscriber, you are familiar with how the company provides suggestions for the next movie you should watch by using your search history and viewership data. This data gives them insights into your interests. Without proper regulatory protections and legal recourse, you would have little control over how Netflix and other companies use and share your personal data.

In her 2019 book titled “The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power,” Shoshana Zuboff discusses how surveillance capitalism is an economic system centered around commodification of personal data with the core purpose of profit-making. Commodification makes personal data a valuable resource. Zuboff points out that tech companies and other corporations are mining users’ information to predict and shape their behavior, undermining personal autonomy and potentially eroding democracy.

Primary Privacy Laws

But surely there are privacy laws that provide protection against this abuse of personal data?

Unlike Europe, the U.S. has enacted a patchwork of privacy laws generally targeted to protect consumers. The Federal Trade Commission (FTC) serves as the primary federal enforcer of consumer data privacy and security laws for many businesses. Enforcement centers around fraud, deception and unfair business practices. Institutions that violate consumer privacy rights or mishandle sensitive consumer information may face legal enforcement actions brought by the FTC and state authorities. The U.S. Department of Health and Human Services (HHS) governs health protections focusing on compliance guidance, with the Office of Civil Rights (OCR) acting as the enforcement arm for HHS privacy regulations.

U.S. laws to be aware of in the education and health care sector (i.e., those that affect academic medical centers) include:

   Family Educational Rights and Privacy Act (FERPA) gives parents and students certain protections pertaining to student education records such as grade reporting, transcripts, disciplinary records, contact and family information, and class schedules. FERPA requires student or parent written consent for release of educational records.

   Children’s Online Privacy Protection Act (COPPA) protects the privacy of children under 13 years of age. It requires website or online service providers request parental permission to collect data on children and stipulates how the data can be processed and held.

   Gramm-Leach-Bliley Act (GLBA) requires financial institutions, defined as companies offering financial products or services, to explain information sharing practices and protect against unauthorized access to, or use of, personal information that could result in substantial harm or inconvenience to a customer. GLBA stipulates financial institutions appropriately ensure the security and confidentiality of customers’ information.

   Health Insurance Portability and Accountability Act (HIPAA) is designed to protect the confidentiality and security of a patient’s health care information, defined as any information identifying the past, present or future physical or mental health of an individual. It includes all communication media, whether written, verbal or electronic. HIPAA includes the Privacy Rule, which protects a patient’s right to keep health information private, and the Security Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information. HIPAA violations can result in significant penalties for noncompliant organizations and individuals.

In addition to these federal regulations, various states have enacted privacy laws to protect personal data in the consumer setting. Most notably, California enacted the California Consumer Privacy Act (CCPA) which is designed to protect the privacy rights of California’s citizens. It gives consumers the right to control how companies collect and use their personal data. Some states have already enacted similar laws, or carved out exceptions for the federal regulations, and more are expected to do so in the coming years.

From an international perspective, institutions should be aware of country-specific privacy laws. Most notably, the General Data Protection Regulation (GDPR) requires organizations to ensure that personal data of European Union citizens is gathered legally and under specific conditions. Institutions that process personal data are obliged to protect it from misuse and exploitation and to respect data subjects’ rights. Those who fail to do so may face significant penalties. GDPR requirements spurred the development of privacy policies (and cookie banners), in which organizations offer transparency into their data collection and management practices.

Conclusion

As more attention is focused on privacy, both internationally and domestically, consumers and clients will increasingly expect institutions to protect their personal information and embed privacy considerations into their business strategies. In a report published in November 2019 as part of Cisco’s Cybersecurity Series, “Consumer Privacy Survey, The Growing Imperative of Getting Privacy Right,” 2,601 adults, or 32% of respondents, stated that they care about privacy and had already taken action by switching companies or providers in response to data policies or data sharing practices. Along with the increase in privacy regulations worldwide, this should be a catalyst for organizations to establish or update their privacy programs.

In the second part of this article, we will explore areas auditors should consider reviewing when evaluating functions and processes involving personal data.

1) Deloitte, GDPR Top Ten #6: “Privacy by Design and by Default”; Shay Danon; February 2017
2) MIT Technology Review: “It’s time to rein in the data barons”; Martin Giles; June 19, 2018

About the Authors

Diane R. Padgett

Diane R. Padgett, Senior Privacy Analyst, joined Duke in 2003 with stints in the School of Medicine, Office of the Vice Dean for Faculty and Academic Affairs, and the Duke University Health System (DUHS) Vice President for Business Development before joining the Office of Audit, Risk and Compliance in 2007. Prior to Duke, Diane worked at the University of North Carolina (UNC) and the UNC General Alumni Association for more than 10 years in roles with the Counsel’s Office and as the manager for Membership and Affinity Partners.

Diane conducts privacy compliance reviews of Duke University departments, centers, institutes, regulatory functional offices and administrative offices to minimize risk and ensure compliance with institutional policies and procedures, state, federal and international privacy laws and regulations, as well as outreach efforts to promote privacy awareness at Duke and ensure privacy and security best practices institution-wide.

Articles
Data Privacy Primer: Regulations & Risks
Data Privacy: Evaluating Your Organization’s ‎Privacy Controls

Todd Knowles

Stoddard (Todd) Knowles is Associate Director, Information Privacy with Duke University. Todd is responsible for working with schools and departments to minimize the university’s privacy risk exposure through a scalable, risk-based, university-wide privacy program. Examples of program responsibilities include conducting risk-based privacy impact assessments, leading advisory engagements, conducting vendor privacy reviews and revising and implementing privacy policies, procedures and standards. In 2020, Todd presented a privacy primer at Duke’s certified public accounting (CPA) annual conference and recently participated in a privacy panel discussion at the Cybersecurity and Privacy Festival hosted by Stanford University.

Articles
Data Privacy Primer: Regulations & Risks
Data Privacy: Evaluating Your Organization’s ‎Privacy Controls