Privacy of Information. Do we fully understand the issue?

The European Commission, the U.S., Argentina, Japan and other countries have different privacy laws and regulations, and there are significant discrepancies between all of them. What are the risks arising from these discrepancies, and how should they be handled? The large number of different laws is one of the biggest challenges a privacy and risk management professional or organization must face. Many countries have privacy regulations built on similar principles, which in general exist to protect the privacy of their citizens. The differences lie in the varying degrees to which nations approach regulatory compliance with those principles.

Comprehensive laws (European Union (EU)):
For historical reasons many countries in the EU place a high value on personal privacy. Too many countries in Europe have experienced what a repressive government or occupying force can do with their data for this subject to be of no concern. These values have been inherited by the EU, where personal privacy is a fundamental human right (Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms). Many EU countries have had privacy laws for decades. This often takes the form of an omnibus legislative approach: at least one dedicated piece of privacy legislation plus sector-specific privacy regulations, such as those found in drug development laws.

Sectoral laws (US):
Freedom from unreasonable government intrusion into personal affairs is a fundamental constitutional right (4th Amendment to the United States Constitution).
Relatively recent legislation has started to focus on protecting individuals from private intrusions into personal affairs. Federal data privacy law in the US runs along sectoral lines, with health data and financial data regulated by specific legislation. There is as of now no federal privacy act for private companies, but both federal and state laws regulate special circumstances such as the protection of driver license and credit card data. Akin in some ways to privacy law in its effect, the majority of US states have their own, differing, data breach notification legislation in place. Typically these laws require that state authorities and the people affected be told that a breach has happened, but the consequences, how notification must be done, and by when, can differ widely.

Asia-Pacific Economic Cooperation (APEC) privacy framework:
The Framework is divided into two parts:
Part A deals with domestic implementation and is underpinned by 9 Data Protection Principles.
Part B deals with cross-border implementation, providing a framework for the development of Cross-Border Privacy Rules.

Unlike the EU, the APEC organization operates under non-binding agreements (i.e. as a cooperative). In addition, the local understanding of the idea behind privacy differs from that in the EU or the USA. Taking China as an example: historically, the closest word to privacy has had the meaning of “hidden facts”, generally understood to cover immoral behavior or criminal matters.

As you can see there are significant differences in the privacy approaches between countries and even within the EU member states. If we use the EU as an example, the EU Data Privacy Directive 95/46/EC is a guideline for EU nations; however, each of the 27 EU member states has its own national law and, with one exception, its own agency that interprets that law. The exception is Germany, where data protection is regulated by the 16 Bundesländer rather than at the federal level. Whilst there is some commonality both within Germany and across the wider EU, this can mean there are 42 different ways of having to do business in the EU alone. To manage the resulting risks you need to understand them and focus on being able to handle them, right?

This may seem quite daunting, yet just as there are many differences, there are also similarities between the privacy laws. The collection of a data subject’s “unambiguous consent” is an example of this. The collection of consent is the backbone of any privacy legislation, and the EU, US, Canada, Australia, Japan and many more countries share this requirement. This shared “unambiguous consent” revolves around some basic principles: the information “controller” must be specifically named, the entity and purpose must be fully evident, and the consent must be voluntary.

At the moment there is no other way than dealing with all the different regulations in each country you are doing business in. Without experts focusing specifically on privacy and on the risks of a privacy breach, you run the risk of violating one or another local law, with all the consequences that go along with that. But as this cannot go on forever, isn’t there any trend towards convergence to make it easier for the stakeholders?

Yes, there are signs! Evidence of an effort toward global compliance can be seen in the European Commission’s Directive on Data Protection, which went into effect in 1998. It is difficult to say whether we will ever see a global convergence of privacy principles that becomes the global standard with which all countries are obliged to comply. There are too many nuances in the laws and regulations from country to country, which will most probably make a single, global privacy standard difficult to achieve. For the localized differences between privacy laws there is currently no substitute for local legal opinion. Most data protection authorities have detailed websites outlining requirements such as breach notification laws and interpretations of adequate safeguards.

OK, if there is no common legal situation around the world to start with, is there at least a specification of privacy-related data? What are the special types of privacy-related data elements that need stronger protection, and on which a risk management expert should focus?

In this case too, the answers depend on the definitions in the local laws. Nevertheless, in general the definitions below should work for most cases:

Personal Data
Means any information relating to an identified or identifiable natural person (name, birthday, etc.) or material information (income etc.) of a natural person

Special Categories of Personal Data (Sensitive Data)
EU: e.g. data concerning health or sex life, …
US: e.g. Social Security Number or credit card data

Key-coded Data (Pseudonymized Data)
Identifies a person indirectly by reference to an identification number (e.g. a patient identifier in clinical trials)

De-identified Data (Anonymized Data) is not covered by privacy laws

The US National Institute of Standards and Technology has its own definition, but as you can see it fits well with the definitions above.

NIST defines Personally Identifiable Information in the Guide to Protecting the Confidentiality of Personally Identifiable Information as:
Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

All privacy-related data should be treated equally and protected by the strongest means possible. However, not all information is equal. A name and birth date, for example, may not be considered as sensitive as, say, medical records or sexual preference. A telephone number may not be considered as sensitive as a social insurance number.
If you look at the proposed data categories above, you can see that this takes on a new meaning in events such as data breaches. If a name and address are revealed, it can be seen as inappropriate. If a person’s name, address and banking information are revealed, we have an increased risk of financial or identity theft, and the value of the combined information can be deemed that much higher. In most cases personal and sensitive information go hand in hand, residing in the same or similar databases. Therefore a stronger focus on information security and data protection should apply to data in general, not just to sensitive information. I normally describe this as a data-centric approach, and I strongly urge you to start focusing more on the data in scope and not to rely on protecting elements of your general IT infrastructure.
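As an added illustration (not part of the original post), the data categories and the combination rule described above expressed as a small classifier, plus a key-coding routine that shows why pseudonymized data stays within the scope of privacy law; the field names and the HMAC-based coding scheme are assumptions made for this example.

```python
import hashlib
import hmac

# Field categories taken from the article's definitions; the concrete field
# names are assumptions made for this example.
PERSONAL = {"name", "birth_date", "address", "phone", "income"}
SENSITIVE_EU = {"health", "sex_life"}       # EU special categories
SENSITIVE_US = {"ssn", "credit_card"}       # US examples
FINANCIAL = {"bank_account", "credit_card"}
DIRECT_IDS = {"name", "address", "birth_date"}


def present(record):
    """Names of the non-empty fields in a record."""
    return {k for k, v in record.items() if v not in (None, "")}


def classify(record):
    """Strictest category present: 'sensitive' > 'personal' > 'none'."""
    fields = present(record)
    if fields & (SENSITIVE_EU | SENSITIVE_US):
        return "sensitive"
    if fields & PERSONAL:
        return "personal"
    return "none"


def breach_impact(record):
    """Combination rule from the article: a revealed name and address is
    'moderate'; identifying data together with financial or sensitive
    data is 'high' (financial or identity theft)."""
    fields = present(record)
    identifying = bool(fields & DIRECT_IDS)
    if identifying and fields & (FINANCIAL | SENSITIVE_EU | SENSITIVE_US):
        return "high"
    return "moderate" if identifying else "low"


def key_code(record, secret, id_field="name"):
    """Make key-coded (pseudonymized) data: the direct identifier is replaced
    by an HMAC-derived subject code, and the code-to-identifier table is
    returned separately. Anyone holding that table (or the secret) can
    re-identify, so the coded data is still personal data, not anonymous."""
    ident = record[id_field]
    code = hmac.new(secret, ident.encode(), hashlib.sha256).hexdigest()[:12]
    coded = {k: v for k, v in record.items() if k != id_field}
    coded["subject_id"] = code
    return coded, {code: ident}
```

The code-to-identifier table returned by key_code is the "key" that must be kept apart from the coded dataset; dropping both the table and the secret is what would turn the data into de-identified data.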

In the next article I will focus on the meaning of adequate protection and what PET (privacy enhancing technologies) means. Later on I will also inform you about the new tendency to enforce penalties and the impact that may have on your job as CISO. Stay tuned and please subscribe to our feed to ensure that you receive all future information. As usual feel free to send us feedback and comments. Either directly on the blog or via mail at

-Andreas


Responses

Re: Privacy of Information. Do we fully understand the issue?

How do you see the differences in international laws being addressed in the context of the current trend of moving information and business services into a cloud-based model?

Given, for example, that an EU or APEC citizen could correspond with someone on a topic which would be considered Sensitive Data in both those regions, but the information may be stored on a third party server in the US where it would enjoy no special protection.

Re: Privacy of Information. Do we fully understand the issue?

Might I add here, Switzerland is the only country that has an additional category "personality profile" [DSG Art. 3]. However, because of law cases, it is only clear what is not a "personality profile"; until now it is unclear what is a "personality profile". Not a "personality profile" is: name, first name, birth date, address, information on whether a test was passed.
