Introduction to data privacy
Every organisation that handles client information needs to be aware of the rules, regulations and risks associated with data privacy. For many of us, it is a topic that we are aware of, but we are unsure of what this means in the context of day to day operations in the business. For organisations that either use or provide hosted services, data privacy very quickly becomes a central topic of discussion. The uncertainty and lack of understanding that surrounds this topic tends to feed fear and scaremongering, which ultimately causes some organisations to shy away from taking advantage of the compelling business opportunities that hosted services offer.
In this article we will discuss what laws are involved in data privacy, what sorts of data need to be protected, differences between countries, and how we (SolveXia) approach these issues when working with our clients. By the end of this article we hope you, the reader, will have a clearer sense of how to navigate and manage the data privacy topic in your organisation.
What are data privacy laws?
When a person exchanges information with an organisation, this may include private or sensitive information about the individual. Medical records come to mind quickly as an example of data that you want kept private, however financial information such as salary data, tax records, debt obligations are among many examples of information that people want to keep confidential. Increasingly around the world, when an exchange of data takes place between a private citizen and an organisation, an obligation is placed on the organisation to handle and protect that information with a level of care and respect that protects this expectation of privacy.
As we move further into the internet age, the public’s understanding of how easily privacy can be lost has led to increasing calls for government to step in and place legal obligations on organisations to protect privacy. In the same way governments imposed accounting standards upon organisations to protect financial investors, they are now doing the same with respect to people’s private data. So when you hear the term data privacy laws, what is being referred to is that set of obligations that governments impose upon organisations to ensure that they handle our data with due care and diligence.
Take a simple example. If you purchase a refrigerator from an appliances store, you will likely give them your details such as credit card number, email address, phone number and delivery address. If they were to subsequently sell, or accidentally release any of these pieces of information – without your consent – they can be fined. Fines vary from $5,000 to over a million in differing jurisdictions. If on the other hand, information was released that revealed that 5 refrigerators had been sold to people in the zip/post code 1234 today – no breach has occurred and this is not illegal (although the company may wish to investigate why any data is leaking – this is not illegal).
Does this mean data privacy laws vary by country?
Yes. Very much so. The diagram below was developed by analysts at Forrester research, and it depicts the relative level of compliance obligations in different countries around the world.
You will notice that Europe has what is currently considered the strictest set of laws and obligations, followed by Australia and Canada, then the United States. You will also note that there are some countries such as India that have effectively no rules and regulations in place – which is interesting food for thought for those companies that make use of off-shoring and call-centre facilities in Bangalore and Hyderabad (sorry India, I’m not having a go at you, just pointing this out…)
What does this mean for using or providing hosted services?
With the economic advantages that hosted and cloud based solutions offer, inevitably each organisation will have to look carefully at how they fulfil their data privacy obligations, yet not lock themselves out of these new technology benefits. If you are looking to use a hosted service such as salesforce.com, Google Apps, Amazon Web Services or Zoho – you need to plan carefully your approach to data privacy. The good news is, it can be done. The hosted service companies just listed are all experiencing very significant growth, so organisations around the world are successfully managing to reconcile their data privacy obligations with these new technology solutions.
To perform this reconciliation, we need to (a) understand what sorts of information are regulated (b) understand what the regulations require (c) understand what hosted solutions must do and must provide to be considered appropriate.
What sort of data is being regulated?
There is a concept called Personally Identifying Information (PII) – which exists in all jurisdictions, sometimes under different names. PII is a recognised term in the United States, Canada, United Kingdom, Australia and New Zealand. A summary definition of PII data is “information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context“.
In some places, like Europe, Canada, Australia and New Zealand it is also referred to as ‘Personal Information’. This has a slightly broader definition by using the words ‘reasonably ascertainable’ and somewhat expands on the US definition. The core concept is that ‘Personal Information’ is considered to be information that can be used either on its own, or in conjunction with other information items to identify an individual.
If an organisation holds PII data, about their clients, prospect, employees, supplier or anyone connected to the business, they have a legal obligation to prevent it going to another third party without the individual’s consent. By far the most common type of violation here is employees emailing spreadsheets that contains hundreds or thousands of client records.
The table below shows some examples of commonly accepted PII data items. It lists examples of data that are NOT considered to be personally identifying. It is important to keep in mind that not all data falls under the regulatory purview of PII.
|Examples of PII data||Examples that are NOT PII data|
|Full name (if not common)||Gender|
|Postal Address||Country, State or Post Code|
|Tax File Number of Social Security Number||Timezone information|
|Driver’s license number||Product or SKU identifiers|
|Face, fingerprints, or handwriting||Sales transaction records (including amounts)|
|Vehicle registration details||Account and credit card balances|
|Telephone number||Transaction category codes|
|Credit Card Numbers|
|Login usernames or handles|
What about corporate confidential data?
A common question to ask, once people first understand the legal liabilities associated with PII data, is, ‘what about corporate data – are there laws protecting this data?‘. In broad terms, the answer is no – governments do not regulate what organisations do with their own data provided it does not compromise the privacy of a citizen (we are back to PII there).
The data security policies of most organisations, however, quite naturally, protect competitive and sensitive internal information that pertains to strategy, future intentions and performance. Breaching these policies is a violation of company policy and so data security continues to be a critically important topic even if disclosure is not a breach of national law. An interesting twist on this topic is that, if a release of company information to the market would significantly influence its stock price, most OECD jurisdictions require the company to release this information publicly under frameworks of continuous disclosure laws.
The remainder of this article will focus on PII data because this is the class of information that has the greatest legal liability attached to it. This is not to say that corporate confidential information is not important – it is – however by focussing on PII obligations, we can include corporate data requirements as well.
Can I use a hosted solution if I am working with PII data?
Yes. The compliance regulations do not instruct organisations whether they can or cannot use hosted solutions. What they do is place obligations on an organisation to ensure that the PII data is managed securely and appropriately. This is a critically important point often missed in the fear riddled debate that occurs in the IT press and within some IT departments.
An organisation will find itself on the wrong side of the data privacy laws if an audit reveals that appropriate controls and security measures are not in place around PII data. If any PII data is leaked, lost or stolen from an organisation, the organisation may well incur penalties.
A simple example here might help: Imagine I purchase a product from Company-XYZ, and I give them my home address for delivery, and my credit card details for payment. At the point of transaction, Company-XYZ now has a responsilbity to make sure that my address and credit card details are securely protected. Now consider these scenarios:
- If Company-XYZ stores my details on a server internally – and it has appropriate security and has controlled access, then they are OK.
- If Company-XYZ stores my details on a server internally – and an internal employee downloads an Excel list of all the orders for the day, which includes my Credit card details and address, and that employee emails this list to one of their friends, or stores it on a laptop that they then lose on the train ride home – Company-XYZ has a serious problem, as they have lost PII data.
- If Company-XYZ stored my details on a server hosted by a solution provider such as salesforce.com – and salesforce.com has appropriate security and has controlled access, then they are OK.
- If Company-XYZ stored my details on a server hosted by a solution provider such as dodgybobsCRM.com – and someone from withing dodgybobsCRM.com leaks my information – Company-XYZ has a serious problem, as they have lost PII data.
These differing scenarios should show you that the key here is that Company-XYZ has a duty of care with my PII data – regardless of where they choose to store it. These are relatively simple scenarios, and there are often a lot of ‘gray areas’ that can apply – but the concept is straight forward.
What is SolveXia’s approach to data privacy?
As a hosted solution provider, we at SolveXia find ourselves working through data privacy issues regularly with clients. It is notable that data privacy laws apply to all industries, so this is an important topic whether we are working in finance, insurance, banking, travel, pharmaceutical or distribution businesses. Here is a summary of our approach to working with clients on data privacy issues:
- Recognise this is a difficult topic, and sometimes emotive, but that it can be resolved
- Avoid using PII data in processes that we automate – which is easy to do
- Base our IT infrastructure on the strictest (European) standards by using EU ‘Safe Harbour’ facilities
- Maintain world class data security and be open with our clients about this
- Continuously review and seek to improve our compliance with data security best practices
Approach to data privacy #1 – Recognise this is a difficult topic, and sometimes emotive, but that it can be resolved
Because being in violation of the law is a scary prospect for most people, and because data privacy is not clearly understood, it is common for data privacy concerns to cause people to be fearful of using hosted services. You will notice the inclusion of the term ’emotive’ in the title of this section – and this is very deliberate. It has been our experience that there are a significant number of people who approach the topic of data security with a sense of reluctance, foreboding and sometimes plain fear. They perceive the issue to be so big, or so complex, that it is just too hard to work through. They believe “their organisation” will never allow hosted services to be used because of “data security concerns”. With the level of fear-based marketing that many IT security vendors use, maybe this should not be surprising.
These are valid concerns, however it is important to recognise that data security is not an insurmountable issue. Organisations like Salesforce, Google, Zoho and Amazon are all growing rapidly. Their growth in the enterprise and corporate end of the market is at breakneck speed – so clearly some organisations, or more accurately, some people, are working through the issues to their satisfaction, and subsequently reaping the benefits of these new businesses and technologies.
We suggest to our clients early in getting to know them that while data security is a critically important topic – it is also addressable with confidence if we work through it methodically like we would any other business issue. This helps remove the emotion from the topic and put everyone into an analytical and problem-solving frame of mind.
Approach to data privacy #2 – Avoid using PII data in processes that we automate – which is easy to do
Sometimes the best way to manage a risk is to avoid it. As described earlier in this article, protecting the confidentiality of PII data is one of the most important components of a data security policy, and arguably, in legal terms, the most important.
As a provider of process automation solutions, our clients are often uploading data files that have all sorts of information in them. Typically these files contain data on sales transactions, insurance policies, revenues and expenses, product inventories, service utilisations, invoices, flight data and the list goes on. This is a diverse set of information types, with the common element being that we are usually operating on sets of data where the issue is the processing of aggregate values for the business process in question. It is exceedingly rare that PII data items are useful in the context of the results of the business process, after all, when you are doing a revenue projection or expense reconciliation, you are not working the data at the ‘individual’ level.
Consequently, one of the first things we do with clients is work to identify if any of the source data files that are to be used in a process contain PII data. If they do, then we work with them to either remove this data from the extract program that creates the file or, remove the PII data before it leaves the organisation. And this is where there is an interesting observation to be made: In order to reduce the overall data privacy risks for an organisation, it makes sense to strip out PII as close as possible to the core system or storage point that holds it. By preventing this data from finding its way into extract and reporting files, the organisation is better managing the risks associated with data privacy regardless of whether a hosted solution provider is being used or not. Remember, a report file with PII data on an employee’s laptop can be emailed outside the organisation or the entire laptop lost much more easily than a data-centre can be ‘hacked’.
This is a relatively simple step to prevent PII data getting into the source files for business process automation and has proven to manage the risks associated with using a hosted solution provider (SolveXia in this case) as well as managing the broader risks within the organisation.
Approach to data privacy #3 – Base our IT infrastructure on the strictest (European) standards by using EU ‘Safe Harbour’
As mentioned previously, Europe has some of the strictest data privacy laws in the world. Directive 95/46/EC (Data Protection Directive) and Directive 2002/58/EC (the E-Privacy Directive) significantly define what constitutes appropriate care and diligence when it comes to the obligations organisations face when working with PII data within the EU. SolveXia’s I.T. Infrastructure complies with these tough European standards through a framework called ‘EU Safe Harbour’.
‘EU Safe Harbour’ provides a ‘bridge’ between the regulatory regimes of the US and EU and allows US companies that are based in the United States to continue selling goods and services – that may require the storage of PII data -to the EU.
Implemented shortly after the issue of the EU privacy directives in 1998, the framework is a set of reciprocating standards that allow US companies in the US to voluntarily submit itself to, and comply with, an EU standard level which the European Union will recognise. This provides US companies with a mechanism to serve the EU market whilst at the same time allows the EU to retain their stringent standards around PII data.
From the US Department of Commerce
The European Commission’s Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The EU, however, relies on comprehensive legislation that requires, among other things, the creation of independent government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these differences, the Directive could have significantly hampered the ability of U.S. organizations to engage in a range of trans-Atlantic transactions.
In order to bridge these differences and provide a streamlined and cost-effective means for U.S. organizations to satisfy the Directive’s “adequacy” requirement, the U.S. Department of Commerce in consultation with the European Commission developed a “safe harbor” framework. The U.S.-EU Safe Harbor Framework, which was approved by the EU in 2000, is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws. Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides “adequate” privacy protection, as defined by the Directive.
From our data-centre partner GoGrid
The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions (the “Safe Harbor Principles”) to enable U.S. Companies to satisfy the requirement under European Union law that adequate protection be given to personal information transferred from the EU to the United States. The EEA also has recognized the U.S. Safe Harbor as providing adequate data protection (OJ L 45, 15.2.2001, p.47). Consistent with its commitment to protect personal privacy, GoGrid LLC complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. GoGrid LLC has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view GoGrid’s certification, please visit http://www.export.gov/safeharbor/.
For hosted solution providers, including SolveXia, this means we have the opportunity to utilise the world leading computing infrastructure that is in the US, but at the same time, have our data-centre adhere to the strictest standards in the world. Our data-centre provider GoGrid provides arguably some the best data-centre services in the world, and has signed up to the EU safe harbour policy. This provides our clients with a genuine ‘best of both worlds’ solution.
If you are interested in learning more about the EU safe harbour policy here are 2 useful resources. This link describes the framework in detail from the US perceptive. This link describes the EU safe harbour policy as applied by GoGrid.
Approach to data privacy #4 – Maintain world class data security and be open with clients
We build in world-class security at all levels of our system designs. Data is encrypted both in transit and at rest. No data is stored in the client browser. Client data is not interleaved. This list goes on. We have a commitment to understanding and employing state of the art system design principles to ensure that we provide a robust and secure infrastructure for our clients. We regularly participate in security reviews run by our clients – and we submit our systems to testing by our clients. We maintain an open book policy with our clients, where we are willing to discuss and share security issues in a way that builds confidence.
Approach to data privacy #5 – Continuously review and seek to improve
Maintaining data security is not a task that has an end date. You do not reach a point where you say it is “done”. Instead, it is a continual process of review and improvement.
At SolveXia, we have daily and weekly processes that are designed to review and test our security policies. We also get an external agency who specialises in IT security to conduct penetration tests and reviews of our security every 16 weeks. We believe that, on a topic as important as data security, an organisation should engage a “second set of eyes” when it comes to reviewing their approach to data security. We conduct these external reviews every 16 weeks. Many organisations are surprised at how often we choose to conduct this external validation. We believe that there are two very strong reasons for this high frequency of external audit:
- In the world of IT security, new threats are emerging constantly. 6-12 months is a very long time in this domain – too long in our view to adequately stay on top of current threats
- IT infrastructures (including firewalls) are never as stable as we might like. Don’t assume that nothing has changed over an extended period
By constantly reviewing data security – and treating this topic as one that requires constant vigilance and attention, we believe we are treating our clients’ data and shareholders interests with the respect they deserve.
This has been a long article – but data security is a big topic. In summary, here are the key points:
If you have a perspective, comment or opinion on data security – please leave a comment below. We are interested in your views.