When it comes to creating policies for handling personal data in an organization, who decides? How are those policy decisions made and kept up to date?
These are questions of governance – I would call it “information governance.” Most large enterprises have established responsibilities and procedures for information technology governance and specifically for IT security policies, procedures, procurement, management, and training. In many cases, however, these have not been fully mapped to personal data compliance and risk management requirements, which should be defined and monitored by a somewhat different group of people, from departments beyond IT and security. Unless privacy issues are visible in the internal governance process, the organization – and the individuals that deal with it -- may be exposed to some nasty surprises.
One consequence of the growing body of laws, regulations, standards, and contractual requirements dealing with protected categories of personally identifiable information (PII) is a heightened awareness of the importance of establishing effective internal governance mechanisms. The organization needs to be clear on who decides, and how, key questions such as these:
• Which kinds of PII should be collected in the first place?
• Which categories of PII require particular safeguards or treatment, either legally or because the information is considered especially sensitive by customers and employees, or by the organization itself?
• How should PII be secured?
• Who should be given access to PII, and for what purposes?
• How are individuals informed of events (such as business changes and security breaches) and options (such as op-in or opt-out choices) that affect their privacy and personal security?
• How should PII be disposed of at the end of its useful life?
In some cases, legislators, regulators, and industry standards bodies provide guidance on PII management and governance, at least by implication. But for the most part, organizations must find their own way to weave privacy compliance and PII risk management into effective internal governance procedures. Adding privacy to the organization’s governance structure, with constant reference to evolving privacy rules and standards, is one way to avoid costly mistakes and arm the organization with legal defenses in the event of a security breach or a serious privacy complaint.
I recently presented a workshop on “information governance” at the Vanguard Security 2010 conference in Las Vegas. Some of the participants, typically managers of enterprise IT security functions, were concerned about whether their employers -- companies, universities, healthcare systems, and government agencies -- were organizationally equipped to make appropriate decisions about collecting, securing, and using PII in a rapidly changing legal and regulatory environment.
It’s a legitimate concern. Organizations in both the private and public sectors are increasingly held accountable for the proper handling of sensitive or potentially dangerous PII such as health records, Social Security Numbers, bank account and payment card details, credit reports, and background checks. An effective system of both privacy and security governance is essential if the organization is to achieve substantial compliance, manage litigation and market risks, and respond adequately to privacy challenges and to security threats and incidents. Relevant laws, standards, and contract requirements sometimes mandate certain aspects of privacy or security management and, less frequently, governance. Otherwise, it is ultimately a matter of finding what best fits your organization’s leadership culture – although it may be helpful to compare models from other organizations with similar needs.
What PII Do You Handle?
Don Harris of HR Privacy Solutions often refers to personal data as the latest “controlled substance.” For purposes of this discussion, I use the term “PII” to mean whatever personally identifiable information your organization has an obligation to protect from unauthorized disclosure, use, loss, or alteration. In the US, that varies considerably by sector and jurisdiction. US state laws requiring personal information security measures or notification of security breaches (in all but four states) typically apply only to limited categories of PII that raise the greatest risk of identity theft, such as the SSN, driver’s license number, and bank account or payment card number (combined with a PIN or other access code). The US federal HIPAA and HITECH acts and a number of state laws more broadly regulate health records, while the federal Gramm-Leach-Bliley Act (GLBA) and financial supervisory authorities focus on the confidentiality of financial records. The Fair Credit Reporting Act is concerned with consumer reports. Equal Employment Opportunity laws often address the proper collection and use of information about race, ethnicity, religion, age, gender, disability, family status, or sexual life. Other laws protect information about students and their parents, licensed drivers, telephone and cable subscribers, persons renting DVDs and videotapes, library patrons, clients of mental health and substance abuse programs, people who seek refuge in battered women’s shelters, genetic data, and an array of other categories of PII deemed potentially risky to individuals. Meanwhile, an organization may be required contractually to handle certain kinds of data in a prescribed manner, such as the PCI-DSS standards that apply to the processing of credit and debit card payments.
By contrast, PII can be almost any information relating to an identifiable individual under the more comprehensive privacy and data protection laws in Canada, the European Union, Australia, Japan, and several other jurisdictions. Even in those jurisdictions, however, there is often an enhanced obligation to protect especially sensitive categories of PII such as those relating to race or ethnicity, health and sex life, religion, political opinion, trade union involvement, criminal records, consumer profiles, bankruptcy, personal financial records, genetic data, geolocation data (such as tracking a person’s physical location through his mobile phone or RFID security badge), and official identifiers such as passports and national ID numbers that could be used in fraud and identity theft.
Who Is Responsible?
Within the organization, who accepts responsibility for ensuring that all relevant categories of PII are handled appropriately? In some organizations, the Chief Legal Officer, Chief Information Officer, or Chief Technology Officer is considered primarily responsible for PII policy decisions. In others, the decisions may be made by senior executives responsible for human relations (employee data) or customer relations (consumer data). Obviously, policy decisions should be made in consultation with the legal or compliance functions in the organization. IT security managers will provide some of the tools and techniques – once they know what the requirements are and how to classify the data. HR management should be on top of employee privacy issues in all the jurisdictions in which the organization has employees (and their dependents) or independent contractors and temporary workers. The customer relations and marketing managers should understand the restrictions under which they operate and the disclosures and choices they must provide. Records management should implement appropriate storage and disposal policies. And many organizations now have a “privacy officer” (under any of a variety of titles) who is charged with offering guidance and making recommendations relating to PII.
Business managers also typically make recommendations, but their primary job is to see that the organization’s policies are implemented – that is the management function. Security and privacy governance refers to the process by which those policies are adopted in the first place and then monitored and adjusted. Ultimately, policy decisions should be made by senior or C-level executives or (for the most fundamental policies) by the board of directors or agency chief. Ideally, the CEO and directors are at least broadly aware of privacy and security issues affecting the organization’s handling of PII -- well before the first embarrassing privacy complaint or security breach hits the news.
Governance Requirements and Tools
Most PII laws and regulations are not terribly detailed in referring to information governance issues. It is simply the organization’s obligation to find the best ways to achieve compliance.
Corporate governance, particularly in publicly traded companies, offers some familiar and relevant models for information governance. In the US (especially under the Sarbanes-Oxley Act or “SOX”), Canada, Europe, and Japan, financial reporting laws or stock exchange rules require management controls in all areas material to the accurate reporting of financial results to investors and regulators. Under those laws, a CFO, CEO, or Audit Committee of the board must certify the effectiveness of the company’s control procedures. In most modern companies, IT is used for data collection and reporting and, indeed, is critical to the success of the organization. Thus, internal and external auditors refer to IT management “control objectives,” often with reference to the COBIT Framework published by ISACA.
IT control objectives may include items such as access controls, encryption, and data retention policies as required to comply with PII rules or to manage PII risks. In some companies, there is such a dependence on protected PII that management reporting expressly refers to relevant PII compliance requirements such as those imposed by HIPAA, GLBA, FRCA, PCI-DSS, PIPEDA, or national laws based on the EU Data Protection Directive. In those cases, PII compliance requirements are documented in specific control objectives with associated policies and procedures, assigned to responsible functions, and periodically audited and certified.
Apart from public company governance requirements, some laws and regulations specifically require that there is a designated person or department accountable for the security of covered PII, with an obligation to report to senior management. This is true of US federal health and financial privacy regulation, as it is of Canadian legislation incorporating the CSA’s Model Code for the Protection of Personal Information. In several EU countries and Switzerland, the organization may or must designate an internal data protection officer who reviews and maintains a “registry” of PII processing in the organization, renders a written opinion on proposals for handling sensitive categories of data, and reports directly to the highest level of management.
Increasingly, laws and regulations governing PII mandate a risk-based, written security policy. In the US, the HIPAA and GLBA privacy and security rules require written policies, as do the “Red Flag Rules” adopted by the Federal Trade Commission and the federal financial regulatory bodies to combat identity theft. The Massachusetts Personal Information Security Regulation requires a written information security policy (commonly called a “WISP”) covering the categories of data for which security breach notices are required. The Canadian CSA standard and several European countries similarly require or recommend written security policies, documented procedures, and approvals by the governing body of a company or agency.
E-government laws and executive policies in the US and Canada require agencies to designate a privacy officer, reporting to a senior agency executive, with oversight by an auditor or inspector general from outside the agency (or by the federal or provincial privacy commissioner, in Canada). US and Canadian federal agencies are also now generally required to prepare a privacy impact assessment (PIA), identifying PII needs and measures to mitigate privacy risks, before implementing a new or substantially modified information system that includes PII.
Some companies and nonprofits in North America and Europe follow a similar approach of requiring the responsible manager to prepare a PIA for review by a privacy officer and, if there are serious objections, by executive management. Some also undertake a baseline privacy audit to determine where the organization is already handling PII and where it might be at risk. Periodic security audits are common in many organizations, but the scope often needs to be adjusted to include protected categories of PII.
A variety of vendors offer “GRC” (governance, risk, and compliance) software tools and databases to help automate the task of identifying PII in the organization’s information systems and checklisting PII compliance requirements and actions. These can be helpful, although there is inevitably a need for knowledgable individuals to review the scope, methodology, and results.
As much PII processing is ultimately outsourced, and PII is often exchanged with business partners, a key aspect of compliance is contract management. HIPAA and GLBA, the Canadian CSA standards incorporated in PIPEDA and provincial laws, and the EU Data Protection Directive all require a measure of due diligence in contracting with vendors to handle PII. Contracts that refer to the confidentiality of proprietary information should also address the confidentiality and security of PII. The procurement function in the organization needs to be made aware of PII risks and requirements, and procurement and legal personnel should ensure that there are appropriate confidentiality and indemnification clauses, security schedules, and any required provisions to meet sectoral requirements or legal conditions for cross-border transfers of PII (e.g., from the EU to the US or India). In some cases, it is practical and appropriate to make contractual reference to established information security management and control standards such as ISO 27001 / 27002, PCI-DSS, or NIST 800 series guidelines. An aspect of information governance is setting policies for such contract requirements and monitoring procurement practices that involve PII, since accountability itself can rarely be outsourced.
Trends and Keys
The privacy and data protection laws and PII security and breach notification legislation have motivated organizations to better understand changing legal requirements, to inventory their collection, use, and sharing of PII, and to minimize the use or retention of sensitive PII throughout the organization. In some companies that means, for example, reducing the instances where SSNs and other official identifiers are recorded or communicated, encrypting PII, outsourcing payment card verification, and imposing stricter data destruction schedules on customer and employee records.
Organizations have also been driven to establish or update written policies and procedures for handling PII, and then include these in training and internal audits, as well as in contracts with third parties.
Another trend has been to raise information governance to a more centralized and higher level of management and reporting, with privacy officers and IT security managers reporting to senior executives rather than to middle managers. This is an understandable result of high-profile privacy and security lapses affecting the organization or its peers, as well as of SOX, security breach notice laws, FTC and state investigations, and pressure from privacy commissioners and sectoral regulators.
From our observation, and from reports by professional associations and conference participants, it appears that two elements are key to the success of organizations that have established effective information governance relating to PII: a high-level champion that the CEO, board, and business managers will listen to, and a liaison team to review PII issues and make recommendations to management. Depending on the structure and mission of the organization, the privacy liaison team might include representatives of several functions that deal with PII: IT, security, HR, customer relations, marketing, government relations, labor relations, legal, compliance, audit, procurement or contract management, product development, international subsidiaries (subject to different PII rules). It is not hard to imagine who should have a seat at the table (or more likely on the email list and occasional conference call), but it may be a challenge to identify who will convene and lead the team, unless the organization has already designated a chief privacy officer or equivalent position.
In the end, good information governance depends not only on procedures and tools but on the quality, drive, and authority of those who lead the effort.