Did you know you can access an archive of all Privacy List posts? Just follow these steps:
The Privacy List archives are a great resource for seeing what hot topics have been covered.
Here are some of the more popular conversations that happened this past month:
Classifying Personal Data/PII
One subscriber reached out to the Privacy List looking for a system for classifying types of information beyond that of the legal definitions. In response, he received suggestions such as looking at data governance materials from the Sedona Group and modifying NIST guidance. Others provided tips on ways to navigate the connections between data that make groups of data more or less sensitive.
Automating Breach Determination
Looking for ways to automate the process of determining whether a data breach has occurred, one subscriber received suggestions as well as words of caution. While automation tools can be valuable in many ways, one subscriber offered, “typically the ‘is this a breach?’ question proves to be harder to automate.”
Advice for Aspiring Privacy Professionals--Especially Law Students?
A question posted seeking suggestions for students looking to enter the privacy field turned into a robust debate over privacy and security—ways they are similar, different and how they intersect—drawing commenters with varied perspectives. Can you have privacy without security? Or vice versa? The jury’s out, but if you’re looking for insight, this discussion has plenty.
Data Loss Tools
One subscriber needed help determining a good data loss tool to identify and implement rules for sending PII. Along with offering specific tools to fit the need, subscribers pointed out the complications and concerns involved in making the decision to use a tool and in the implementation of it.
EU E-Mail Service Providers and Log Retention
One list subscriber asked for information about limits on how long a commercial provider of business e-mail services can retain system log data. Noting that things may change if the EU Data Protection Regulation comes into force, another subscriber responded that individual countries have their own regulations on this data, but that there is an EU-wide guideline requiring all communication service providers to store transaction information for at least six months regardless of any suspicion. Access to this data is limited to the prosecution of criminal offences, though not all countries have integrated this guideline into law.
Data processing contract: Article 17 of EU Directive
Under article 17 (3) and (4) of the EU Directive, when personal data processing is commissioned to a third party, a data processing contract should be put in place, wrote one list subscriber, hoping for help in implementing this requirement at her organization. Subscribers chimed in offering insight on whether this contract was incorporated in a master service agreement or a stand-alone document, samples to help with writing the contract and a discussion on when and whether this article applies.
One list subscriber asked whether the content in a text message along with the cellphone number is considered personally identifiable information (PII) in the U.S. While some subscribers simply said it depends on what’s in the text message, another noted you’d need to consider the context and jurisdiction and still another had a more definitive answer, saying, “if data can be rendered identifiable through a process of data linkage (in this case through the cell number), then it may be considered PII.”
“What type of data protection obligations would a company have in the situation where customers provided PII to you, but you didn't ask for it?” asked one privacy list subscriber. This question led to a robust discussion about what organizations are required to do vs. what they should do, ethically. Subscribers noted that HIPAA-covered entities would be required to treat the data differently than others, but the overwhelming opinion was, “Even if you didn't ask for it, you need to protect it or securely destroy it.”
Data Processing Contract Article 17 of EU Directive
How an organization should apply Article 17 (3) and (4) of the EU Directive to its practices was causing some confusion for one subscriber’s organization, so she took her concerns to the privacy list to get insight from other list subscribers. After receiving helpful information to her general questions, the conversation developed into a more specific discussion surrounding the balance of responsibilities between a clinical research organization and the pharmaceutical company to which it hands its data.
Best Questions To Pose to 'A Team' Privacy Job Applicants
With so many CIPPs hitting the workforce, one privacy list member is looking for ways to separate the herd, so he asked for insight into what kinds of interview questions might help him identify “rising stars” in the industry. This solicited a flurry of input and requests for the permanent list, which will soon be available as a tool in the IAPP’s online Resource Center to assist employers and job-seekers.
Can a Contractor Be a Privacy Officer?
One subscriber had questions about contracting out the position of privacy officer in a government agency, receiving a mixed bag of responses. While one respondent said no, due to the sensitivities surrounding contract reviews, another noted that it may depend on which country the agency is operating in, adding that some European agencies are required to have CPOs, but the U.S. offers little guidance on the matter. “What is most important, however, is the job description for that person and whether that job description matches the legal requirements for that position,” she said.
Employee-Facing Privacy Policies?
A question was posed to the list regarding the prevalence of employee-facing privacy policies. Many list users answered the call acknowledging that their organizations have such policies accessible to employees on intranet systems. Policies mainly explain what, why and how personal information is collected and how the companies use it.
Google and HIPAA
An in-depth back and forth on whether Google can or should be considered a business associate under HIPAA. While one list user notes that Google's terms of service state it is not HIPAA compliant, another says it could come into play as a BA by “hosting e-mail containing PHI for providers and plans.” Another adds, “Fascinating to think about - if they have one single Google Apps customer that is a CE (and stores PHI in some form) then all of Google must be compliant, given their distributed architecture.” Or would that just mean the CE is out of compliance, questions another, who also poses the question of whether encryption changes the playing field.