If you ask a group of IT professionals what regulatory compliance is all about, at least some of them are likely to answer “security.” It’s the way we think, because security is a technological mechanism and we are, after all, techies. 
If you ask members of the legal department what compliance is all about, at least some of them might answer “the law” – although a two-word reply with no qualifiers or caveats might be a bit out of character for most attorneys. But it’s the way they think, because the legislation behind the requirements is, after all, the defining authority with which we have to comply.
Neither of those answers is wrong, but they overlook the driving force behind the myriad of laws and administrative rules and industry regulations, the end goal of the plethora of security policies and procedures and products and best practices. And that, in a word, is privacy.
Of course, compliance in a broader sense applies to all laws, rules, and government or industry mandates. In that sense, we have compliance issues aimed at safety (OSHA, fire codes), at fairness and equal rights (Fair Labor Standards Act, Title 7 Civil Rights Act), at protecting people’s money (SOX), protecting the environment (Clean Air Act), and so forth. But when we in IT talk about compliance, we’re generally talking about the laws that protect the privacy of people’s personal data.
Some of the relevant international, national, and state laws that govern the privacy of information, especially in the form of electronic data, include:
- The EU’s General Data Protection Regulation (GDPR)
- The U.K.’s Data Protection Act of 1998
- The United States’ Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act, and Fair Credit Reporting Act (FCRA)
- California’s new Consumer Privacy Act (CCPA)
- Canada’s Personal Information Protection and Electronic Documents Act(PIPEDA)
- Australia’s Privacy Act of 1988
- And many more
The concept of privacy as a legal issue far pre-dates the computer and Internet era. Contrary to popular belief in the United States, though, there is no explicit constitutional right to privacy. Attorneys Brandeis and Warren put forth the opinion, in 1890 (over a century after the adoption of the Constitution), that there exists an implicit “right to privacy.”
Despite the lack of language referring to privacy, the fourth amendment right to be free from unreasonable search and seizure and to be secure in one’s person, house, papers and effects surely touches on privacy issues, at least in regard to the government. Protection against invasion of privacy by non-governmental entities and individuals was traditionally a matter of civil (tort) law.
The advent of computers that can store data about us, and the easy sharing of that data that came with the advent of the Internet brought about an explosion of new concerns about privacy. Then sophisticated hacking techniques and the automation of attacks via malicious software took those worries to a whole new level.
Subsequently, various laws have been enacted that address privacy, usually in specific contexts. But exactly what is privacy, anyway?
Privacy means different things to different people, and even under the law, it can be defined differently in different statutes. In the pre-Internet world, the main principles of privacy involved intrusion upon your physical or mental solitude or public disclosure of private facts. Impersonation, or falsely using another’s name or likeness, or spreading false information about a person were also deemed privacy violations under some circumstances.
An example of a U.S. federal privacy law passed before the commercial Internet came into common use, and which is more or less obsolete today, is the Video Privacy Protection Act of 1988, which prohibits disclosing records of what videotapes people rented from stores such as Blockbuster (remember them?) unless the person gave consent or the police had a warrant.
A very basic element in privacy law has always been the “reasonable expectation of privacy.” You have the right to expect more privacy in your home, for instance, than out on a public street. The problem with the Internet is that you can be in your own home and still be in a public “place” (virtually) when you’re online.
Most jurisdictions have laws against such privacy invasions as webcam or microphone hacking to spy on a device user, planting keylogging software on someone else’s computer, and similar unauthorized surveillance. But what about someone who repeats or takes a screenshot of something you posted in a private group or to a limited audience on social media and shares it outside of that venue? This is a trickier issue.
As interesting as these scenarios are, IT personnel tasked with privacy compliance have to be primarily concerned with the privacy of information that their organizations legitimately obtain in the course of doing business. This means personal information that you collect (whether or not you explicitly ask for it) via web forms or enter into databases from electronic and non-electronic sources, or gather as part of standard logging activities.
But wait – now we need to be sure we understand the meaning of another term: personal information.
The GDPR, HIPAA, and most other regulatory laws mandate data privacy protections, but most are focused on a particular type of data – personal identifiable information (PII). As with privacy itself, the definition can vary, but it covers more ground than you might think.
Taking the GDPR’s definition as an example, since it’s one of the most thorough and is also the one that other privacy laws are using as a model, PII is considered to be “any information relating to an identified or identifiable natural person (data subject).”
Examples of PII under the GDPR include:
- Names (both legal names and unique nicknames)
- Physical addresses and email addresses
- IP addresses and web site URLs/domains
- Identification numbers (social security/tax ID numbers, drivers license numbers, bank or credit card numbers, membership numbers, etc.)
The above are things that one would logically consider personal information, but the GDPR goes further, also classifying the following as personal data:
- Physical or physiological attributes
- Occupational and employment information
- Physical location
Web site cookies and RFID tags can also be deemed PII under certain circumstances. Online identifiers that leave traces which, when combined with other unique identifiers can be used to create identifiable profiles of a person, also qualify as PII.
Some types of PII are considered to be not just personal, but sensitive. The GDPR specifies the following as sensitive personal information:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Data concerning health
- Data concerning sex life or sexual orientation
Sensitive personal data warrants even greater privacy protections, so it’s important to distinguish between the two.
Understanding what privacy really is and what types of data fall into the categories of personal and sensitive data is the first step in complying with privacy laws, but how do you translate these principles into processes that you can apply to the data collected, processed, and stored by your organization?
That begins with data identification and classification, and that’s what we’ll talk about in next month’s article.