What does it mean for Organizations?
Privacy is no longer as it used to be in the past. Traditionally, Privacy to a larger extent has been an individual responsibility however with the advancement and increased use of technology in recent times, a new phenomenon of data privacy has arisen and this has less to do with individual responsibility but more to do with responsibilities of organisations handling individual’s personal data and the individual’s rights as far as that data is concerned. Personal data is defined as information about an individual or group which means that any information relating to an individual that can be used on its own, or in combination with other information to identify an individual.
What is considered private and personal data may differ according to the society and the individual however there is now some global convergence in defining what is deemed private and the various pieces of legislation in various jurisdiction is showing this. It has become key for organisations in various sectors to also be proactive in putting measures to protect private data especially in an era where cybercrimes are on the rise. The points below give an overview of what data privacy is, its impact and how organisations can ensure a healthy privacy operational environment.
What is Privacy and Personal Data?
Privacy is the ability of an individual or group to seclude themselves, or information about themselves (personal data), and thereby express themselves selectively.
Personal Data includes:
- Your name
- Race or Ethnicity
- Email Address
- Physical Address
- Sexual Orientation
- Date of Birth
Privacy and Personal Data
There are other items which may not immediately look like personal data but when combined with other data or the above, become personal data for example when one signs up for competitions or customer loyalty cards information below may be collected and become personal data when combined with the above:
- Type of toothpaste you use
- Type of Milk you buy
- Number of times you buy alcohol in a month, to mention a few.
Because personal data relates to an individual, or allows identiﬁcation of an individual, it needs to be carefully protected. However there is a subset of personal data known as sensitive personal data. Sensitive Personal Data includes Personal Data revealing an individual’s:
- Political Opinions
- Religious or philosophical beliefs
- Criminal Background
- Trade Union memberships
- Health or sexual orientation
- Biometric or Genetic information (according to the General Data Protection Regulation)
This category requires extra care when handling or storing.
Data privacy in this case entails the preservation and protecting any personal information, collected by any organization, from being accessed by a third party. Personal data can be maliciously used and it is imperative for organisations to prevent this from happening as it may have long term consequences. Some of the principles of data privacy below provide guidance to ensure privacy and fair processing of personal data:
Principles of Data Privacy
- Being informed about the purposes for which one’s data is being collected and used is important to ensure that processing is fair.
Limitation An individual may choose not to consent providing their information where an organisation uses data not known to the individual or where it discloses an individual’s information to any one else.
- Data Quality and Proportionality
Personal data collected should be reasonable, kept accurate, up to date and should not be excessive in respect to the purposes for which it is collected.
- Security and Confidentiality
Reasonable precautions such as technical, physical and organisational security measures must be taken to secure Personal Data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access.
- Access, rectification, deletion and objection
Individuals should have access to their Personal Data held by organisations, where those requests are reasonable and permitted by law or regulation. Individuals should also be able to object to the processing of their Personal Data if there are legitimate grounds relating to their circumstances.
- Sensitive Data
Additional measures should be put in place to protect sensitive data.
- Data Minimisation
Data collected and processed should not be held or further used unless this is essential for reasons that were clearly stated in advance to support data privacy
What can Organisations do to maintain Data Privacy?
At operational areas, it is imperative to map the ﬂow of personal information in all formats, from creation or collection, until final disposition including compliance to regulatory requirements where applicable, for example, needssecure destruction or transfer to appropriate archives. From the information flow assessments, business units will have to implement controls that will reduce probabilities of information leakage.
Other solutions of ensuring data privacy include:
- Ensuring that staﬀ are properly trained and are aware of the potential privacy impact and appropriate privacy-protective measures to be followed
- Creating retention periods that only keep information for as long as necessary and planning the secure disposal of information and
- Minimising collection of certain types of personal information.