This starts first by understanding your personally identifiable information, says Mark Le Blanc
Privacy and management of privacy risk is a big issue for all of us. As data becomes digital, “bigger” and critical to business models, organizations are increasingly managing personal information — externally from clients, vendors, independent contractors and users, and internally from employees.
Organizations collect or create it, transfer and store it, and use and exploit it. As our organizations manage data, legal departments are managing privacy risk against the relevant legislation. In Ontario, there is FIPPA, MFIPPA, PHIPA, the federal PIPEDA and a few other pieces of legislation that also address privacy (e.g. the Education Act). More broadly, regardless of jurisdiction, we are also embracing the standards set out in the EU General Data Protection Regulation and the California Consumer Privacy Act, both of which have raised expectations for the protection of personal information. As organizations leverage more data and personal information, GCs, along with CIOs, are having to spend more time managing its risk.
How can we manage this risk? Look out, then look in
High on the list of risk management is: compliance with legislation; updating privacy policies; robust privacy terms in vendor, customer and employee contracts; and ensuring your security standards are at least at industry standards. These are all necessary and important actions regarding our external exposure, and most of us are taking them. But, before you rush off to become an IT security expert, start redrafting policies and contracts, or increase your external spend, I suggest you look internally and do three things.
My guess is that much of your privacy risk exists internally, and not due to a hack or IT-related failure, but due to poor data management and access processes.
What personal information are we really managing?
Determining what personal information your organization should manage is not straightforward. The definition is simple enough.
PIPEDA defines “personal information” as any information about an identifiable individual, including:
Such legislative definitions are only moderately helpful. The challenge is that often “personal information” needs to be correlated with other “personal information” in order to become personally identifiable information, or PII. For example, a medical record without a name or some other way to correlate it to a person (i.e. anonymized data) is not PII.
This gets more challenging when the correlated data sits in third-party databases of vendors or in generally available public databases. For example, a medical record may exist in an internal database against a unique ID, but the code that links the unique ID to a name may sit in a third-party or vendor database. So, when does this become PII, or more importantly, PII that you need to manage for risk? It comes down to how likely it is that these two or more pieces of personal information can be linked. There is no doubt that you have PII here. The issue is how high up the risk management priority list it gets, and what reasonable precautions are to take. In short, how much sleep do you lose over it?
Personal information survey
Now that you have alignment on what PII is for your organization, you can begin the process of managing its risk. The first step is to do an organization-wide survey for your PII. You need to know what personal information is collected or created (including the consents used), where it is transferred and stored, and how it is being used and disclosed. This is not an easy undertaking and will take a few follow-ups to feel even reasonably comfortable that it is complete. As it will be a living document, ensure that it is tracked in a user-friendly, shareable form in order to minimize the effort of updating it.
With the completed survey you can now do the external facing legal work to manage privacy risk, namely: ensuring compliance with legislation; updating your privacy policies and privacy terms in your vendor and client contracts; and confirming your security standards are enough.
Access management
Many surveys regarding privacy risk identify internal human error as the biggest area of risk to manage. This can either be erroneous disclosure of PII, or it can be due to the wrong people having access to PII. The former is largely a training issue, and the key to it is understanding and defining what PII is. The latter is an issue of access management. You need a robust process for issuing, tracking and removing permissions to access databases, or portions of them, containing PII. Most organizations have reasonable processes for issuing permissions. Some even have reasonable processes for tracking them. But few have a good process for removal. As a result, there are often ex-employees or, even worse, past contractors who still have access to databases with PII. This is where much of your privacy breach risk comes from.
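The removal gap described above is easiest to find by reconciling the HR roster against the access grants on the datasets your PII survey flagged. The script below is an added illustration, not the author's or any vendor's tool; the roster, grants and dataset catalogue are constructed sample data, and the field names (`type`, `end_date`, `pii`) are assumptions about how such an inventory might be kept.

```python
from datetime import date

# Constructed sample inputs (not from the article): an HR roster of employees
# and contractors, a list of database access grants, and a catalogue of datasets
# from the PII survey marking which ones hold personal information.
ROSTER = {
    "alice": {"type": "employee",   "end_date": None},
    "bob":   {"type": "employee",   "end_date": date(2023, 11, 30)},  # ex-employee
    "carol": {"type": "contractor", "end_date": date(2024, 3, 31)},   # contract over
    "dave":  {"type": "contractor", "end_date": date(2099, 12, 31)},  # still engaged
}
GRANTS = [
    ("alice", "patient_records"),
    ("bob",   "patient_records"),
    ("carol", "billing_contacts"),
    ("dave",  "billing_contacts"),
    ("erin",  "patient_records"),    # no roster entry at all
    ("bob",   "office_floorplans"),
]
DATASETS = {
    "patient_records":   {"pii": True},
    "billing_contacts":  {"pii": True},
    "office_floorplans": {"pii": False},
}
REVIEW_DATE = date(2024, 6, 1)  # the day the access review is run

def review_access(roster, grants, datasets, today):
    """Return grants that should be revoked, most urgent first.

    A grant is stale when the principal is unknown to HR or their employment
    or contract end date has passed. Stale grants on PII datasets sort first.
    """
    findings = []
    for principal, dataset in grants:
        person = roster.get(principal)
        if person is None:
            reason = "not on HR roster"
        elif person["end_date"] is not None and person["end_date"] < today:
            reason = f"{person['type']} ended {person['end_date'].isoformat()}"
        else:
            continue  # active principal: grant is legitimate as far as HR knows
        holds_pii = datasets.get(dataset, {}).get("pii", True)  # unknown dataset: assume PII
        findings.append({"principal": principal, "dataset": dataset,
                         "pii": holds_pii, "reason": reason})
    # PII datasets first, then by principal and dataset for a stable report
    findings.sort(key=lambda f: (not f["pii"], f["principal"], f["dataset"]))
    return findings

if __name__ == "__main__":
    for f in review_access(ROSTER, GRANTS, DATASETS, REVIEW_DATE):
        flag = "PII" if f["pii"] else "   "
        print(f"[{flag}] revoke {f['principal']:6} on {f['dataset']:18} {f['reason']}")
```

Run on the sample data it reports three stale grants on PII datasets (an ex-employee, an expired contractor, and an account HR has never heard of) ahead of the one stale grant on non-personal data.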
You need to own it
You can offload some of this risk by keeping PII with third-party vendors that are better equipped to manage these risks, as is often done with credit card data and PCI compliance. But you cannot remove yourself from having to manage some of this risk. To be a truly valuable modern in-house counsel, you need to be leading the strategy in your organization to manage privacy risk. This starts first by understanding your PII, surveying for it, and managing access to it.