Data Privacy: Evaluating Your Organization’s ‎Privacy Controls

March 16, 2022

In our last article, “Data Privacy Primer: Regulations & Risks,” published November 8, 2021, we offered a 30,000-foot view of privacy, or “the right to have some control over how your personal information is collected and used,” as defined by the International Association of Privacy Professionals. In our first article, we covered key concepts, privacy laws and why privacy is essential. Here, we will delve deeper into privacy to augment our understanding, highlight important questions, and learn how to identify and mitigate privacy risks in the audit realm.

Identification and Use

A key to collecting personal data is determining what information is necessary for the task at hand.

Personal data, or “any information that relates to an identified or identifiable living individual,” as defined by the European Commission, is divided into different risk categories based on an organization’s data classification standard and includes sensitive or high-risk, restricted or medium-risk, and public or low-risk data. Personal data comprises academic, demographic, ethnic, financial, medical and health information. Increasingly, international privacy law designates some personal data as special or sensitive and offers increased protection for information about racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life and sexual orientation, and trade union membership. Depending upon your organization, you may have some or all of these personal data categories.

A key to collecting personal data is determining what information is necessary for the task at hand. Gone are the days of collecting data with only nebulous plans for potential future use. Both the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) address data minimization or the Minimum Necessary Requirement, which requires organizations to limit data collection, use, disclosure and storage to the minimum necessary to perform a specific task with a legitimate business purpose.

Recommendation: In reviewing personal data collected, auditors should verify that it does not exceed what is necessary for the business purpose.

Privacy Policy

Establishing a privacy policy is a crucial component of your organization’s privacy operations and may act as a road map to identify business areas that process personal data. Privacy policies state how the organization collects, uses, discloses, transfers and retains personal data. Your organization’s privacy policy should be easy to read without sacrificing accuracy. It should also be easy to find and should address critical information collection processes specific to your organization, such as websites, admissions, financial aid, alumni, donors, human resources, research and patients. Privacy policies also include data subject request (DSR or DSAR) submission instructions, which we will discuss in greater depth later.

Recommendation: Evaluating your organization’s privacy policy against current processes improves compliance and reduces organizational risk.

Collection, Access and Storage

Consent is the gold standard for personal data collection.

By now, you have a good overview of what personal data is. But what are the ways organizations collect and store personal data, and what are our obligations once we have it?

As our previous article addressed, state, federal and international laws govern personal data collection, storage and deletion, with specific laws impacting different types of organizations. For example, the Family Educational Rights and Privacy Act (FERPA) applies to educational institutions, while the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions. While the laws are different, each one dictates how and when organizations may collect personal data, the types of personal data collected, how organizations must secure personal data, and what customer, patient or student notification is required.

Recommendation: Auditors should determine which laws apply to specific institutional areas or divisions and review personal data collection processing through the regulatory lens.

Personal data may be collected automatically or provided directly by the data subject in the form of consent. In his article discussing the role of consent in workplace privacy, Steven Willborn states: “Consent is a crucial component of privacy that empowers individuals and affirms human dignity.” Consent is the gold standard for personal data collection. A well-crafted consent answers the following questions:

Who is collecting the data?
What is being collected and why?
How and when is the data collected?
How long will it be retained?

Data collection may be via implicit or explicit consent when provided by the data subject. For example, consider the use of a parking garage on your campus. When users pay to park, in addition to credit card information, does your garage collect automobile license plate numbers, vehicle makes and models? Does your facility utilize cameras or automatic plate readers? Drivers provide implicit consent to the use of this technology when they access the facility. In contrast, explicit consent is collected when users provide their credit card numbers, even if they do not expressly sign their names.

Recommendation: In instances where users provide explicit consent through signatures or checkboxes, auditors should verify that the explicit consent has been retained and is easily retrievable.

Combining personal data collected via multiple technologies can sometimes present a chillingly invasive picture of users’ lives.

When visitors utilize the associated parking system website, personal data may be collected, including internet protocol (IP) addresses, browser types, visit dates and times, log files and geolocation data. Is parking system data combined with data in other organizational systems? Combining personal data collected via multiple technologies can sometimes present a chillingly invasive picture of users’ lives. Organizations should ask themselves if this degree of information is needed. Information that is not collected is not at risk should a data breach occur.

Personal data storage practices depend on your organization’s size and risk tolerance. When evaluating personal data stored within your organization, there are likely as many storage methods as there are storage possibilities. Within a single organization, personal data may be collected and stored on-premises as well as in the cloud. Increasingly, organizations are moving away from traditional on-premises data centers in favor of adopting cloud infrastructure-as-a-service (IaaS) through providers like Amazon Web Service (AWS) and Google Cloud. This reduces capital expenditures and maintenance costs and allows the organization to gain real-time business insights.¹

As cloud adoption increases, so does the risk of a security breach. Cloud security company DivvyCloud found that breaches caused by cloud misconfigurations cost companies an estimated $5 trillion worldwide in 2018 and 2019. The good news is that these risks are easily manageable. According to Palo Alto Networks, common causes of cloud storage breaches involve human error. These include: 1) publicly accessible data buckets leading to inappropriate access and downloading, 2) misconfigured access control lists and bucket policies granting access to other AWS accounts, 3) unencrypted storage data and 4) improper handling of identity and access management permissions.

Defined data retention policies are crucial to ensure prompt deletion of data that no longer serves business or legal purposes.

Departments and organizations should have articulated on- and off-boarding procedures, including routine review of folder and system-level access privileges. This process is critical in large organizations where access changes are necessary when employees transfer between departments. Defined data retention policies are crucial to ensure prompt deletion of data that no longer serves business or legal purposes. The policy should identify relevant decision-makers and address access privileges and data access requests from both internal parties and external stakeholders, like vendors.

When auditing personal data storage, partnering with Privacy and Information Technology (IT) groups ensures conformance with your organization’s standards and facilitates privacy risk identification.

Recommendation: Areas to evaluate include (but are not limited to) system and folder access permissions, data retention controls, use of documented standard operating procedures (SOPs), integration of single-sign on (SSO) and the existence of shadow IT systems.

Sharing and Transfers

“It’s our data – we can do with it what we want” has been uttered more than once, but while that may have been true in the past, laws now recognize privacy as a fundamental right and no longer permit such practices. If your organization conducts business with, operates in, or has employees or students who live or travel within or outside the U.S. (e.g., study abroad programs), it transfers personal data. When evaluating your organization’s data sharing and transfer processes, make sure to consider state, national and global privacy and data transfer laws. Other considerations include the type of data being transferred, the technology utilized and existing contractual agreements. Before contracting with third-party vendors that process the personal data of employees, students, alumni, customers, patients or visitors, organizations should ensure that the procurement process includes contracts with data security agreements (DSAs). In addition to addressing what information is shared and how it can be used, DSAs stipulate security requirements for the data processing vendor, use and redisclosure limitations, rights and responsibilities should the vendor experience a data breach and data retention guidelines.

Recommendation: Organizations should conduct privacy and security reviews of potential new vendors during the selection process and renewal cycles. Auditors should look for such reviews or assessments during the audit engagement.

In this age of globalism, your organization likely conducts international personal data transfers. Suppose your organization transfers personal data from the European Union (EU) to the U.S. or other countries that did not receive an “adequacy decision” under GDPR. In such cases, standard contractual clauses (SCCs) are required. SCCs are standard sets of contractual terms and conditions in which both the sender and receiver of personal data agree to ensure that the rights and freedoms of data subjects are protected. For example, one condition might be the existence of appropriate data protection safeguards.

SCCs reflect the Schrems II judgment of the Court of Justice. They ensure data protection for EU citizens and compliance with requirements for safe data transfers, while allowing personal data to move freely across borders without legal barriers.²

Recommendation: In addition to SCCs, auditors should expect to find transfer impact assessments (TIAs) that consider the sufficiency of foreign protections when data is transferred to another country. A TIA should be carried out for each new processing activity involving data transfers to non-EU countries not deemed adequate by the European Commission.

In addition to GDPR, other countries, including the United Kingdom, China and South Africa, have passed laws addressing the transfer of personal data outside their jurisdictions. Further, Russia, China and certain Canadian provinces have data localization or data residency laws requiring personal data processing in-country before international transfer. In contrast, Spain requires the processing of fiscal data in the EU before international transfer.

Recommendation: When evaluating the contracts process, ensure the establishment of appropriate international data transfer agreements in alignment with affected countries’ data privacy and transfer laws.

Data Subject Access

In addition to regulations covering personal data collection, access, storage, sharing and transfers, several privacy regulations address data subjects’ rights. These privacy rights empower data subjects with greater control over how organizations use their data. Specifically, GDPR and the California Consumer Privacy Act (CCPA) provide privacy rights and obligations for data subjects and customers. These rights include the right to rectify inaccuracies, restrict or limit use, object to processing, request deletion (be forgotten) and obtain a copy (portability) of the data. DSRs require organizations to respond by applicable time limits imposed by law. DSRs have become a core privacy process.

Recommendation: Evaluating your organization’s response to DSRs in conjunction with Privacy should include an assessment of documentation, communication and response timelines.

Conclusion

As domestic and global privacy regulations continue to expand, organizational emphasis on effective privacy programs is ballooning. With expansion comes the need for evaluating and certifying organizational adherence to these standards. Privacy departments should conduct privacy impact assessments (PIAs) to assess applicable privacy regulations, identify institutional risk and ensure adherence to policies, standards and regulations. At the same time, audit teams serve as an essential institutional compliance checkpoint to protect the rights of those whose data we hold.

Microsoft Azure: “What is IaaS? Infrastructure as a service” https://azure.microsoft.com/en-us/overview/what-is-iaas/#overview
European Commission: “European Commission adopts new tools for safe exchanges of personal data”; 4 June 2021

About the Authors

Diane R. Padgett

Diane R. Padgett, Senior Privacy Analyst, joined Duke in 2003 with stints in the School of Medicine, Office of the Vice Dean for Faculty and Academic Affairs, and the Duke University Health System (DUHS) Vice President for Business Development before joining the Office of Audit, Risk and Compliance in 2007. Prior to Duke, Diane worked at the University of North Carolina (UNC) and the UNC General Alumni Association for more than 10 years in roles with the Counsel’s Office and as the manager for Membership and Affinity Partners.

Diane conducts privacy compliance reviews of Duke University departments, centers, institutes, regulatory functional offices and administrative offices to minimize risk and ensure compliance with institutional policies and procedures, state, federal and international privacy laws and regulations, as well as outreach efforts to promote privacy awareness at Duke and ensure privacy and security best practices institution-wide.

Articles
Data Privacy Primer: Regulations & Risks
Data Privacy: Evaluating Your Organization’s ‎Privacy Controls

Todd Knowles

Stoddard (Todd) Knowles is Associate Director, Information Privacy with Duke University. Todd is responsible for working with schools and departments to minimize the university’s privacy risk exposure through a scalable, risk-based, university-wide privacy program. Examples of program responsibilities include conducting risk-based privacy impact assessments, leading advisory engagements, conducting vendor privacy reviews and revising and implementing privacy policies, procedures and standards. In 2020, Todd presented a privacy primer at Duke’s certified public accounting (CPA) annual conference and recently participated in a privacy panel discussion at the Cybersecurity and Privacy Festival hosted by Stanford University.

Articles
Data Privacy Primer: Regulations & Risks
Data Privacy: Evaluating Your Organization’s ‎Privacy Controls