PCN Data Privacy Day: Understanding Your Data Privacy Obligations

PCN’s goal for Data Privacy Day is to raise awareness among people and businesses about the importance of protecting the privacy of personal data and promoting data protection best practices.

As technology and security professionals, we advocate advancing individual control over personal information, supporting compliance with privacy laws and regulations, and encouraging the development of technology tools that enable these goals.


Charlotte Veazie, PCN General Counsel, and Brian Thompson, Unisys IAM Advisor, spoke about “Protecting Data Privacy Using Technologies Like Identity Access Management (IAM)” at Harrisburg University’s Data Privacy Day educational summit on January 25, 2024. The summit was sponsored by the Security Center of Excellence Partners and presented in partnership with the Commonwealth of Pennsylvania and the Pennsylvania Higher Education Assistance Agency. Over 35 people attended the panel and engaged with the speakers in the after-panel Q&A.

The US and Canada established Data Privacy Day in 2008. It occurs annually on January 28 to commemorate the signing of the first international treaty on privacy and data protection (EU Convention 108) in 1981. Data Privacy Day has since expanded to Data Privacy Week as the need to promote education about online privacy has become increasingly urgent.


This year’s Data Privacy Day theme is Understanding Your Obligations and Achieving Compliance. Together, PCN and Unisys held an informative session to present the history of data privacy law to help understand these obligations and review a methodology to assess your business information lifecycle to better leverage IAM to achieve compliance.

Charlotte and Brian started out discussing what privacy is and why it needs to be protected, including the history of data privacy law. Charlotte reviewed the history of data privacy law and provided context to current legal and regulatory obligations. This is the foundation to understanding your obligations and building a comprehensive, data privacy protection regime in your organization.


1. What is Privacy?

We have a range of relationships – as individuals, families, consumers, employers, employees, businesspeople, vendors, and content providers – with “private” data, but there is little consensus on what “private” is. Consider the many terms used to describe protected data – confidential, trade secret, proprietary, classified, privileged, sensitive, personal, personally identifiable, etc. What sets “private” data apart from other types of protected information?

At a high level, data protections fall into two general categories: privacy and confidentiality. Privacy relates to protection of data about human beings (personal data such as name, gender, health, birthday, address, phone, email, employer, etc.), while confidentiality relates to all other data. Protections under both categories include explicit legal obligations and contractual commitments, as well as implicit ethical duties.

Confidentiality protections can overlap privacy protections, but they do not replace them. For example, a nondisclosure agreement may impose a duty of confidentiality for customer lists, but these lists often contain personal data that is further subject to privacy obligations. Complying with the written terms of a nondisclosure agreement may not be sufficient to comply with data privacy obligations.

With this understanding of privacy, what is private information?

A 2014 survey by the Pew Research Center reported that Social Security Numbers are the one piece of personal data almost all Americans consider sensitive, whereas we have pretty much given up on our shopping being private. Data related to many other pieces of our lives fall somewhere in between.

These data elements are protected by an ever-growing patchwork quilt made up of state, national, and international laws, regulations, and treaties. As a result, many technology and legal professionals have a limited understanding of what laws apply to them, what data is protected, and what their data protection obligations are. The organic, state-by-state and country-by-country growth of privacy law will continue to complicate data protection and privacy compliance for the foreseeable future. But, with proper assessment and planning, you can identify your vulnerabilities and take control of your privacy obligations.

2. Privacy Law – Understanding Your Obligations

This section provides a brief overview of current privacy law that will apply to most US companies and examines the trends in how these laws have evolved since 1970.

Identifying your obligations under data privacy laws and regulations can be overwhelming. There are many laws and regulations attempting to define what private data is and how it should be protected. Every year more data privacy laws are enacted, making non-compliance a steadily increasing risk and liability. Multimillion-dollar settlements and fines are the most notable risk; however, businesses will also incur expenses to fund multiple notifications to affected consumers and remediation for compromised data and identity theft, steep insurance and legal costs, and the incalculable loss of consumer trust and goodwill.

The good news is that the 80/20 rule applies. There are certain level-setting laws that encompass the rules or standards of most other laws on the subject. If you comply with them, you will comply with most requirements that apply to you. However, this rule of thumb cannot be taken for granted. At least annually, a company should perform an assessment of the data privacy laws that apply to it. It is reasonable to start with jurisdictions in which it does business or has a taxable presence, but it is also imperative to examine international laws which may apply. Influenced by Europe’s General Data Protection Regulation (GDPR) of 2018, many modern privacy laws are not limited by geographical jurisdiction; they attach to the data your business holds, regardless of where it is located or how it was acquired. However, privacy law didn’t start with GDPR.

The timeline below is not an exhaustive list, but it is intended to show how privacy law has transformed in recent decades and the dramatic rise in the number of data privacy laws in the US and abroad.

In the US, the Fair Credit Reporting Act (FCRA) of 1970 is one of the broadest reaching data privacy protection laws we have. Any person who has undergone any type of background check, landlord check or credit check in the US has been protected by the FCRA – this includes credit checks, as well as any type of personal or criminal background check provided by an entity in the business of compiling background information. The FCRA exemplifies the US approach to privacy law. The US has traditionally permitted the collection of personal information without consent, but has attempted to prevent or mitigate harms to the individual through regulation. The privacy of personal information is not protected, but the laws do establish controls for the use of private information, in certain ways, by certain entities.

  • The 1970 FCRA does not focus on a specific type of information; rather, it creates obligations for any entity that qualifies as a credit reporting agency.

  • The 1974 Privacy Act established a “Code of Fair Information Practices” that regulates the government’s collection, maintenance, use, and dissemination of personal information. In addition to granting individuals rights of access and redress, the Act also provides that the government may not disclose personal information without the written consent of the person (except under enumerated exceptions).

  • The Family Educational Rights and Privacy Act (FERPA) of 1974 applies to educational agencies and institutions that receive funds through the U.S. Department of Education. FERPA provides controls for access and disclosure of student education records, provides rights of access and redress, and the right to have some control over the disclosure of personal information from education records.

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 created standards for the use and dissemination of health-care information held by “covered entities” (health care providers, health plans, health care billing services and information systems).

  • The Children’s Online Privacy Protection Act (COPPA) of 1998 requires website and online service providers to obtain verifiable parental consent before collecting, using, or disclosing personal information from minors under the age of 13.

  • The Financial Services Modernization Act (GLBA) of 1999 regulates the collection, use, and disclosure of personal information collected or held by financial institutions. GLBA also stipulates customer notifications and requires covered entities to have a written information security program.

  • The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) of 2003 governs entities that send unsolicited commercial email. It prohibits misleading header information and subject lines, stipulates certain disclosures, requires a valid opt-out (“unsubscribe”) mechanism, and creates civil and criminal penalties for violations.

  • The Fair and Accurate Credit Transactions Act (FACTA) of 2003 applies to financial institutions, reporting agencies, and creditors. It stipulates protections for consumer identifying information, allows consumers to access free credit reports from credit reporting agencies, and requires covered entities to maintain written identity theft prevention programs.

The principles under these Acts gave rise to the concept of Personally Identifiable Information (PII) – information that identifies, links, relates, is unique to, or describes an individual and any information where it is reasonably foreseeable that the information will be linked with other information to identify the individual. Examples include social security numbers, civil or military rank, marital status, phone number, e-mail address, home address, age, gender, race, and other demographic, biometric, personal, medical, and financial information.

In the last decade, as GDPR has kicked off a tsunami of legislation in the US and around the world, the understanding of what private data is, and the obligation to protect it, has evolved towards a broader, more holistic, protection of the individual. Contemporary data privacy law builds on key elements of existing law: the concept of PII, the obligation to protect, and the grant of rights to individuals (rights to access and correct data, data security obligations, use limitations, data destruction requirements, notice, and consent).

GDPR also took data privacy protection to a global level by implementing extra-territorial protections for all the personal data and the rights of citizens of the European Economic Area (EEA), no matter where they are living. Furthermore, any personal data collected from any person in the EEA in connection with the offering of a good or service is protected, regardless of the location of the organization offering the good or service. This protection of data collected in the EEA continues after the person leaves the EEA.

3. Special Note on GDPR Sensitive Data

US privacy law does not explicitly protect all GDPR-sensitive data. There is overlap – GDPR-protected personal data is any information that relates to an identified or identifiable living individual, including pieces of information which, if collected together, can lead to the identification of a particular person. However, GDPR also has a category of “sensitive” information that must receive the highest levels of protection. This data includes:

  • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;

  • Trade-union membership;

  • Genetic data, biometric data processed solely to identify a human being;

  • Health-related data;

  • Data concerning a person’s sex life or sexual orientation.

Some data in these sensitive data categories is protected under US laws, like HIPAA or the 2008 Genetic Information Nondiscrimination Act (GINA), while some is deemed to create “protectible interests” under US anti-discrimination law.

The critical difference is that while US anti-discrimination law recognizes that this data is sensitive and that individuals need to be protected from the adverse use and abuse of this information, US law does not categorize this information as private and does not prohibit the dissemination of this information. GDPR takes it a step further, creating an obligation to protect this information and, as such, creates a new vector of data protection that organizations must address.

4. US State Data Privacy Laws

In the wake of GDPR, many countries began to issue data privacy protection laws that were more similar to GDPR in that they focused on protection of the individual rather than the role of the entity or type of information collected. In the US, while federal data privacy laws are under consideration, states have taken the forefront. California led the way when it issued the California Consumer Privacy Act in 2019.

At the time of writing (March 2024) there were 15 states – California, Connecticut, Colorado, Delaware, Florida, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Virginia, and Utah – with comprehensive data privacy laws in place. Additional laws have been proposed in Massachusetts, North Carolina, Pennsylvania, and several other states.

Each state approaches data privacy regulation in different ways. State data privacy laws have many common denominators and broad similarities – they apply across industries to a more general category of personal information and grant people rights related to the collection, use, and disclosure of their data by businesses – but these laws have different approaches to implementation and enforcement.

5. Understanding Your Obligations

A comprehensive data privacy protection system must incorporate clear processes for the control of data, procedures for monitoring and reporting incidents, as well as information security and access management technologies. Compliance with data privacy laws requires more than just traditional data breach management; it also includes managing individual consents, maintaining records of data processing activities, performing data protection impact assessments, and being able to quickly respond to requests for correction and deletion.

This is a daunting set of obligations to add to an already daunting list of laws and regulations, but the trick to understanding your obligations is to start with what you know: what does your business do, and whose information does it have? There are two avenues you need to consider:

  1. What is your business activity? For the majority of US laws, an organization needs to determine if it is a covered entity.

  2. Whose personal information do you collect, store, or process? To determine if GDPR or any of the privacy laws issued by other countries and US states following GDPR apply to you, the key consideration is the individual’s citizenship and where they reside. There may also be jurisdictional thresholds (such as a de minimis amount of business in the jurisdiction) that help you rule out a law.

There is no perfect formula for compliance, but the starting point should always be building a data privacy flow map of how your organization collects, processes, and shares personal information. Work with your business and IT stakeholders to inventory the personal data you collect, the systems that hold it, and the people who access it. You should evaluate the risks and operational impacts associated with your data collection activities.

It is important to follow the path the data takes through each system, not only to identify who is authorized to access the data, but also to spot risks of unforeseen or unintended uses of data (can people access or use the data without authorization?). In particular, evaluate how data flows to and from your suppliers. If you purchase data from third parties or if you engage subcontractors to store or process your data, how do you ensure they are compliant with their obligations? Every organization needs to understand the risks and operational impacts of data privacy laws with respect to advertising, the purchase or sale of personal data, and third-party storage or processing of personal data.

After you have your data flow map, it will be easier to identify the laws and regulations that apply to you and what your compliance obligations are. The next step is to establish technical and organizational safeguards (technology, policy, and procedures) that enable you to control who has access to the data:

  • Identify and implement changes or additions needed to close any gaps between your current information security program and regulatory requirements. This should include policies, procedures, and training as well as technological controls.

  • Develop processes to manage the collection, storage, and processing of personal information.

  • Implement mechanisms to manage notices, consents, and opt-outs, as well as correction and deletion requests.

  • Implement controls with respect to highly regulated information (health information, information about minors, PCI-DSS protected information, biometric data, GDPR sensitive information, etc.).

  • Train employees on their responsibilities under your information security program and their responsibilities with respect to personal data.

  • Implement supplier vetting and contract controls to ensure they have sufficient information security and data protection controls and that supplier contracts contain appropriate protective terms and restrictions.


Wrap Up

Above all, always keep in mind that data privacy law is in flux, the technology that holds personal data is constantly evolving, and new threats to data security arise daily. You will need to regularly assess and update your information security and data privacy protection programs.

– Charlotte


About PCN

PCN, a certified woman owned business enterprise (WBE), is a recognized global leader in Managed DNS, DHCP, and IPAM (MDDI). PCN’s ClearSky™ is an industry-leading DDI as a Service (DDIaaS) solution that delivers and manages scalable, resilient, and secure DDI solutions. Our tech-enabled services support the commercial and public sectors with proven tools, process, and governance that ensure SLAs are met and service management is seamless. In addition to DDI related services, PCN also offers Staffing, Service Desk and Security-GRC (SSDS) services both through prime partners and direct to government and corporate entities committed to diversifying supply chain spend.
